CVE-2022-44010

An issue was discovered in ClickHouse before 22.9.1.2603. An attacker could send a crafted HTTP request to the HTTP Endpoint (usually listening on port 8123 by default), causing a heap-based buffer overflow that crashes the process. This does not require authentication. The fixed versions are 22.9.1.2603, 22.8.2.11, 22.7.4.16, 22.6.6.16, and 22.3.12.19.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://clickhouse.com/docs/en/whats-new/security-changelog	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:clickhouse:clickhouse::::::::
	cpe:2.3:a:clickhouse:clickhouse::::::::
	cpe:2.3:a:clickhouse:clickhouse::::::::
	cpe:2.3:a:clickhouse:clickhouse::::::::
	cpe:2.3:a:clickhouse:clickhouse::::::::

History

30 Nov 2023, 21:02

Type	Values Removed	Values Added
CPE		cpe:2.3:a:clickhouse:clickhouse::::::::
References	~~() https://clickhouse.com/docs/en/whats-new/security-changelog -~~	() https://clickhouse.com/docs/en/whats-new/security-changelog - Vendor Advisory
CWE		CWE-787
First Time		Clickhouse Clickhouse clickhouse
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5

23 Nov 2023, 16:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-11-23 16:15

Updated : 2024-02-28 20:54

NVD link : CVE-2022-44010

Mitre link : CVE-2022-44010

CVE.ORG link : CVE-2022-44010

JSON object : View

Products Affected

clickhouse

clickhouse

CWE

CWE-787

Out-of-bounds Write

{"id": "CVE-2022-44010", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2023-11-23T16:15:07.157", "references": [{"url": "https://clickhouse.com/docs/en/whats-new/security-changelog", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-787"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in ClickHouse before 22.9.1.2603. An attacker could send a crafted HTTP request to the HTTP Endpoint (usually listening on port 8123 by default), causing a heap-based buffer overflow that crashes the process. This does not require authentication. The fixed versions are 22.9.1.2603, 22.8.2.11, 22.7.4.16, 22.6.6.16, and 22.3.12.19."}, {"lang": "es", "value": "Se descubri\u00f3 un problema en ClickHouse antes del 22.9.1.2603. Un atacante podr\u00eda enviar una solicitud HTTP manipulada al endpoint HTTP (normalmente escuchando en el puerto 8123 de forma predeterminada), lo que provocar\u00eda un desbordamiento del b\u00fafer basado en el mont\u00f3n que bloquear\u00eda el proceso. Esto no requiere autenticaci\u00f3n. Las versiones corregidas son 22.9.1.2603, 22.8.2.11, 22.7.4.16, 22.6.6.16 y 22.3.12.19."}], "lastModified": "2023-11-30T21:02:39.880", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:clickhouse:clickhouse:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5E491243-850E-42B0-93C1-02A5006E76CC", "versionEndExcluding": "22.3.12.19"}, {"criteria": "cpe:2.3:a:clickhouse:clickhouse:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8AC646C1-A2E2-4E6F-9312-2AF2B3FAED29", "versionEndExcluding": "22.6.6.16", "versionStartIncluding": "22.6"}, {"criteria": "cpe:2.3:a:clickhouse:clickhouse:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2129D28D-F5C8-4824-819B-E27AF634C6BA", "versionEndExcluding": "22.7.4.16", "versionStartIncluding": "22.7"}, {"criteria": "cpe:2.3:a:clickhouse:clickhouse:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1B7994FF-D269-4F8A-9388-B60BC23A6EA6", "versionEndExcluding": "22.8.2.11", "versionStartIncluding": "22.8"}, {"criteria": "cpe:2.3:a:clickhouse:clickhouse:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "391AC13C-E2F6-4824-AC29-081AF879666A", "versionEndExcluding": "22.9.1.2603", "versionStartIncluding": "22.9"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}