Eldar Zaitov

Researcher fromYandex Security Team
#7868of 53,633
34.9Total CVSS
Vulnerabilities · 4
Medium
1
High
1
Critical
2
PT-2025-22327
8.8
2025-05-21
Unknown · Clickhouse · CVE-2019-16536
**Name of the Vulnerable Software and Affected Versions** Clickhouse versions prior to 19.14.3.3 **Description** A stack overflow leading to a denial of service (DoS) can be triggered by a malicious authenticated client. **Recommendations** For versions prior to 19.14.3.3, update to version 19.14.3.3 or later to resolve the issue.
PT-2020-12674
9.8
2020-04-15
Onlyoffice · Onlyoffice Document Server · CVE-2020-11537
**Name of the Vulnerable Software and Affected Versions** ONLYOFFICE Document Server version 5.5.0 **Description** A SQL Injection issue was discovered, allowing an attacker to execute arbitrary SQL queries via injection to the `DocID` parameter of the Websocket API. **Recommendations** For ONLYOFFICE Document Server version 5.5.0, consider restricting access to the Websocket API to minimize the risk of exploitation. Avoid using the `DocID` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
PT-2019-13937
6.5
2019-11-12
Yandex · Clickhouse · CVE-2019-15024
**Name of the Vulnerable Software and Affected Versions** ClickHouse versions prior to 19.14.3 **Description** The issue allows an attacker with write access to ZooKeeper and the ability to run a custom server on the network where ClickHouse runs to create a malicious server acting as a ClickHouse replica. This malicious replica can be registered in ZooKeeper, and when another replica fetches data from it, the attacker can force the clickhouse-server to write to an arbitrary path on the filesystem. **Recommendations** For versions prior to 19.14.3, update to version 19.14.3 or later to resolve the issue.
PT-2019-14693
9.8
2019-11-12
Yandex · Clickhouse · CVE-2019-16535
**Name of the Vulnerable Software and Affected Versions** ClickHouse versions prior to 19.14 **Description** The issue concerns an out-of-bounds (OOB) read, OOB write, and integer underflow in decompression algorithms. This can be exploited to achieve remote code execution (RCE) or cause a denial of service (DoS) via the native protocol. **Recommendations** For versions prior to 19.14, update to version 19.14 or later to resolve the issue. As a temporary workaround, consider restricting access to the native protocol to minimize the risk of exploitation.