Yandex: >> Clickhouse >> 1.1.54181 Security Vulnerabilities
In ClickHouse before 1.1.54388, "remote" table function allowed arbitrary symbols in "user", "password" and "default_database" fields which led to Cross Protocol Request Forgery Attacks.
CVSS Score
8.8
EPSS Score
0.002
Published
2019-08-15
ClickHouse MySQL client before versions 1.1.54390 had "LOAD DATA LOCAL INFILE" functionality enabled that allowed a malicious MySQL database read arbitrary files from the connected ClickHouse server.
CVSS Score
7.5
EPSS Score
0.004
Published
2019-08-15
In ClickHouse before 18.10.3, unixODBC allowed loading arbitrary shared objects from the file system which led to a Remote Code Execution vulnerability.
CVSS Score
9.8
EPSS Score
0.011
Published
2019-08-15
In ClickHouse before 18.12.13, functions for loading CatBoost models allowed path traversal and reading arbitrary files through error messages.
CVSS Score
5.3
EPSS Score
0.004
Published
2019-08-15
Page 2