PT-2021-6811 · Yandex · ClickHouse

Xi-Tauw · Published 2021-04-12 · Updated 2023-08-08 · CVE-2021-25263

CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
ClickHouse versions prior to v20.8.18.32-lts
ClickHouse versions prior to v21.1.9.41-stable
ClickHouse versions prior to v21.2.9.41-stable
ClickHouse versions prior to v21.3.6.55-lts
ClickHouse versions prior to v21.4.3.21-stable
Yandex Browser for Windows versions prior to 21.9.0.390
Description
The advisory covers two issues. ClickHouse: a remote, authenticated user holding the CREATE DICTIONARY privilege can define a dictionary whose file source points outside the permitted directory (the server's user files directory, user_files_path) and thereby read arbitrary files on the server, including confidential data (information disclosure). Yandex Browser for Windows: the updater works on files in a directory with insecure permissions, so a local, low-privileged attacker who manipulates those files during the update process can execute arbitrary code with SYSTEM privileges (local privilege escalation).
Recommendations
Update ClickHouse to the fixed release of the branch in use, or later:
20.8 branch: v20.8.18.32-lts
21.1 branch: v21.1.9.41-stable
21.2 branch: v21.2.9.41-stable
21.3 branch: v21.3.6.55-lts
21.4 branch: v21.4.3.21-stable
Update Yandex Browser for Windows to version 21.9.0.390 or later.
As a temporary workaround for ClickHouse, restrict the CREATE DICTIONARY privilege: revoke it from accounts that do not need it and review which users and roles still hold it. This narrows who can exploit the issue but does not remove it; only the update does.
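Because the fix landed in five separate release branches, "am I patched?" is a per-branch comparison, not a single version check. The following is an added example (it is not part of the advisory or of ClickHouse) that encodes the fixed releases listed above and classifies a version string as returned by `SELECT version()` or as a release tag. Branches older than the oldest listed one are treated as affected, matching the advisory's wording "versions prior to"; branches newer than 21.4 were cut after the fix and are treated as not affected. The version strings used in the test are constructed.

```python
"""Classify a ClickHouse version against the fixed releases in PT-2021-6811
(CVE-2021-25263). Added example, not part of the advisory or of ClickHouse."""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int, int]

# Fixed release per branch (major, minor), taken from the advisory text.
FIXED_VERSIONS: Dict[Tuple[int, int], Version] = {
    (20, 8): (20, 8, 18, 32),   # v20.8.18.32-lts
    (21, 1): (21, 1, 9, 41),    # v21.1.9.41-stable
    (21, 2): (21, 2, 9, 41),    # v21.2.9.41-stable
    (21, 3): (21, 3, 6, 55),    # v21.3.6.55-lts
    (21, 4): (21, 4, 3, 21),    # v21.4.3.21-stable
}
NEWEST_FIXED_BRANCH = max(FIXED_VERSIONS)

# Accepts "21.3.6.55" (SELECT version() output) and "v21.3.6.55-lts" (tag).
_VERSION_RE = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)\.(\d+)(?:-(?:lts|stable|prestable|testing))?$"
)


def parse_version(text: str) -> Version:
    """Parse a ClickHouse version string into a comparable 4-tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ClickHouse version string: {text!r}")
    major, minor, patch, build = (int(g) for g in m.groups())
    return (major, minor, patch, build)


def is_affected(text: str) -> bool:
    """True if the version is affected per the advisory.

    Fixed: at or above the fixed release of its own branch, or on a branch
    newer than the newest one listed. Anything else, including older branches
    the advisory does not name, is treated as affected (the conservative
    reading of "versions prior to")."""
    v = parse_version(text)
    branch = (v[0], v[1])
    fixed = FIXED_VERSIONS.get(branch)
    if fixed is not None:
        return v < fixed
    return branch < NEWEST_FIXED_BRANCH


def recommended_upgrade(text: str) -> Optional[str]:
    """Fixed release to move to, or None when the version is not affected.

    For a branch the advisory does not list, the nearest newer fixed branch
    is recommended."""
    v = parse_version(text)
    if not is_affected(text):
        return None
    branch = (v[0], v[1])
    fixed = FIXED_VERSIONS.get(branch)
    if fixed is None:
        fixed = min(f for b, f in FIXED_VERSIONS.items() if b > branch)
    return ".".join(str(part) for part in fixed)


if __name__ == "__main__":
    # Constructed inputs for illustration; paste the output of SELECT version().
    for sample in ("21.3.5.42", "v21.3.6.55-lts", "20.3.19.4", "21.5.1.6605"):
        status = "AFFECTED" if is_affected(sample) else "not affected"
        print(f"{sample:>16}: {status}, upgrade to {recommended_upgrade(sample)}")
```

The check intentionally refuses to parse strings it does not recognise rather than guessing, so a truncated or unusual version string raises instead of being reported as safe.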

Fix

Weakness Enumeration

Information Disclosure
Incorrect Permission

Related Identifiers

BDU:2022-02234
CVE-2021-25263

Affected Products

ClickHouse
Yandex Browser