CVE-2024-23689

ClickHouse Client Certificate Password Exposure

Severity Score

8.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Exposure of sensitive information in exceptions in ClichHouse's clickhouse-r2dbc, com.clickhouse:clickhouse-jdbc, and com.clickhouse:clickhouse-client versions less than 0.4.6 allows unauthorized users to gain access to client certificate passwords via client exception logs. This occurs when 'sslkey' is specified and an exception, such as a ClickHouseException or SQLException, is thrown during database operations; the certificate password is then included in the logged exception message.

La exposición de información confidencial en excepciones en las versiones clickhouse-r2dbc, com.clickhouse:clickhouse-jdbc y com.clickhouse:clickhouse-client de ClichHouse inferiores a 0.4.6 permite a usuarios no autorizados obtener acceso a las contraseñas de los certificados del cliente a través de los registros de excepciones del cliente. Esto ocurre cuando se especifica 'sslkey' y se genera una excepción, como ClickHouseException o SQLException, durante las operaciones de la base de datos; la contraseña del certificado se incluye en el mensaje de excepción registrado.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2024-01-19 CVE Reserved
2024-01-19 CVE Published
2024-08-01 CVE Updated
2024-08-01 First Exploit
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-209: Generation of Error Message Containing Sensitive Information

CAPEC

References (6)

URL	Tag	Source
https://github.com/ClickHouse/clickhouse-java/releases/tag/v0.4.6	Related
https://github.com/advisories/GHSA-g8ph-74m6-8m7r	Third Party Advisory
https://vulncheck.com/advisories/vc-advisory-GHSA-g8ph-74m6-8m7r	Third Party Advisory

URL	Date	SRC
https://github.com/ClickHouse/clickhouse-java/issues/1331	2024-08-01

URL	Date	SRC
https://github.com/ClickHouse/clickhouse-java/pull/1334	2024-01-26

URL	Date	SRC
https://github.com/ClickHouse/clickhouse-java/security/advisories/GHSA-g8ph-74m6-8m7r	2024-01-26

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Clickhouse Search vendor "Clickhouse"		Java Libraries Search vendor "Clickhouse" for product "Java Libraries"				< 0.4.6 Search vendor "Clickhouse" for product "Java Libraries" and version " < 0.4.6"		-		Affected