WS-2021-0497 | Mend Vulnerability Database

Vulnerability DatabaseWS-2021-0497

WS-2021-0497

December 03, 2024

ClickHouse JDBC Bridge before 2.0.7 uses slf4j-log4j12 1.7.32, which depends on log4j 1.2.17. It allows a remote attacker to execute code on the server, if you changed default log4j configuration by adding JMSAppender and an insecure JMS broker.

Related Resources (5)

https://access.redhat.com/security/cve/CVE-2021-4104

https://github.com/ClickHouse/clickhouse-jdbc-bridge/security/advisories/GHSA-3w6p-8f82-gw8r

https://nvd.nist.gov/vuln/detail/CVE-2021-4104

https://github.com/ClickHouse/clickhouse-jdbc-bridge

https://github.com/ClickHouse/clickhouse-jdbc-bridge/commit/12dbc624517cad18ed710c6766150cdb7659b1c8

Do you need more information?

CVSS v4

Base Score:

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Attack Requirements

NONE

Privileges Required

NONE

User Interaction

PASSIVE

Vulnerable System Confidentiality

LOW

Vulnerable System Integrity

LOW

Vulnerable System Availability

NONE

Subsequent System Confidentiality

LOW

Subsequent System Integrity

LOW

Subsequent System Availability

NONE

CVSS v3

Base Score:

5.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality

LOW

Integrity

LOW

Availability

NONE

Weakness Type (CWE)

Deserialization of Untrusted Data

CWE-502

Products

Solutions

Resources

Company

Compare

Developer Tools