CVE-2019-15024
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
In all versions of ClickHouse before 19.14.3, an attacker having write access to ZooKeeper and who is able to run a custom server available from the network where ClickHouse runs, can create a custom-built malicious server that will act as a ClickHouse replica and register it in ZooKeeper. When another replica will fetch data part from the malicious replica, it can force clickhouse-server to write to arbitrary path on filesystem.
En todas las versiones de ClickHouse anteriores a la versión 19.14.3, un atacante que tiene acceso de escritura a ZooKeeper y es capaz de ejecutar un servidor personalizado disponible desde la red donde se ejecuta ClickHouse, puede crear un servidor malicioso personalizado que actuará como una réplica de ClickHouse y regístralo en ZooKeeper. Cuando otra réplica buscará parte de datos de la réplica maliciosa, puede obligar a clickhouse-server a escribir en una ruta arbitraria en el sistema de archivos.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2019-08-13 CVE Reserved
- 2019-12-30 CVE Published
- 2023-03-08 EPSS Updated
- 2024-08-05 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
CAPEC
References (1)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://clickhouse.yandex/docs/en/security_changelog | 2020-08-24 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Yandex Search vendor "Yandex" | Clickhouse Search vendor "Yandex" for product "Clickhouse" | < 19.14.3 Search vendor "Yandex" for product "Clickhouse" and version " < 19.14.3" | - |
Affected
| ||||||