Andrey Krasichkov

**Name of the Vulnerable Software and Affected Versions** ClickHouse versions prior to 1.1.54388 **Description** The issue allows for Cross Protocol Request Forgery Attacks due to the "remote" table function permitting arbitrary symbols in the `user`, `password`, and `default database` fields. **Recommendations** For versions prior to 1.1.54388, update to version 1.1.54388 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** ClickHouse MySQL client versions prior to 1.1.54390 **Description** The issue concerns the "LOAD DATA LOCAL INFILE" functionality in the ClickHouse MySQL client, which was enabled and allowed a malicious MySQL database to read arbitrary files from the connected ClickHouse server. **Recommendations** For versions prior to 1.1.54390, update to version 1.1.54390 or later to resolve the issue. As a temporary workaround, consider disabling the "LOAD DATA LOCAL INFILE" functionality until a patch is available. Restrict access to sensitive files on the ClickHouse server to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** ClickHouse versions prior to 18.10.3 **Description** The issue allows for Remote Code Execution due to unixODBC loading arbitrary shared objects from the file system. **Recommendations** For versions prior to 18.10.3, update to version 18.10.3 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** ClickHouse versions prior to 18.12.13 **Description** The issue allows path traversal and reading of arbitrary files through error messages in functions for loading CatBoost models. **Recommendations** For versions prior to 18.12.13, update to version 18.12.13 or later to resolve the issue.