Unknown · ClickHouse · CVE-2025-1385
**Name of the Vulnerable Software and Affected Versions**
ClickHouse (affected versions not specified)
**Description**
The issue arises when the library bridge feature is enabled, allowing the clickhouse-library-bridge to expose an HTTP API on localhost. This enables clickhouse-server to dynamically load a library from a specified path and execute it in an isolated process. If combined with the ClickHouse table engine functionality that permits file uploads to specific directories, a misconfigured server can be exploited by an attacker with access to both table engines to execute arbitrary code on the ClickHouse server.
**Recommendations**
To check if your ClickHouse server is vulnerable, inspect the configuration file for the following setting:
`<library_bridge>`
`<port>9019</port>`
`</library_bridge>`
If this setting is enabled, consider disabling the library bridge feature as a temporary workaround until a patch is available.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
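The configuration check described above can be scripted. The following is an added example, not code from ClickHouse or from this advisory. It looks for the `library_bridge` element (the underscore form, which is the valid XML name) in a server config and its overrides. The function names, the sample configs and the `/etc/clickhouse-server/config.xml` path with a sibling `config.d/` directory are assumptions about a typical package install.

```python
import glob
import os
import xml.etree.ElementTree as ET

# Constructed sample configs for the self-check below (not from a real server).
SAMPLE_ENABLED = """<clickhouse>
    <library_bridge>
        <port>9019</port>
    </library_bridge>
</clickhouse>"""
SAMPLE_COMMENTED = """<clickhouse>
    <!-- <library_bridge><port>9019</port></library_bridge> -->
</clickhouse>"""


def library_bridge_ports(xml_data):
    """Return the <port> value of each active <library_bridge> element.

    The input is parsed as XML, so a commented-out block is ignored (a plain
    grep would still match it). An element with no <port> child yields None.
    """
    ports = []
    for node in ET.fromstring(xml_data).iter("library_bridge"):
        port = node.findtext("port")
        ports.append(port.strip() if port else None)
    return ports


def scan(config_path):
    """Check config.xml and its config.d/*.xml overrides; return {file: ports}."""
    overrides = os.path.join(os.path.dirname(config_path), "config.d", "*.xml")
    findings = {}
    for path in [config_path] + sorted(glob.glob(overrides)):
        try:
            with open(path, "rb") as fh:  # bytes: let the parser honour the XML encoding
                ports = library_bridge_ports(fh.read())
        except (OSError, ET.ParseError) as exc:
            print(f"skipped {path}: {exc}")
            continue
        if ports:
            findings[path] = ports
    return findings


if __name__ == "__main__":
    assert library_bridge_ports(SAMPLE_ENABLED) == ["9019"]
    assert library_bridge_ports(SAMPLE_COMMENTED) == []
    # Assumed default path of a package install; pass your own path if it differs.
    for path, ports in scan("/etc/clickhouse-server/config.xml").items():
        print(f"{path}: library_bridge configured, port(s) {ports}")
```

ClickHouse merges `config.xml` with the files under `config.d/`, so a hit in any one file is a reason to review the effective configuration.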