PT-2023-30912
Malacupa · Published 2023-11-26 · Updated 2024-01-02 · CVE-2023-48704
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: ClickHouse versions 23.3.18.15, 23.8.8.20, 23.9.6.20, 23.10.5.20; ClickHouse Cloud version 23.9.2.47551
Description: A heap buffer overflow was discovered in the ClickHouse server. An attacker can send a specially crafted payload to the native interface, which is exposed by default on port 9000/tcp; this triggers a bug in the decompression logic of the Gorilla codec and crashes the ClickHouse server process. The attack does not require authentication.
Recommendations:
For ClickHouse version 23.3.18.15, update to version 23.3.18.15 or later.
For ClickHouse version 23.8.8.20, update to version 23.8.8.20 or later.
For ClickHouse version 23.9.6.20, update to version 23.9.6.20 or later.
For ClickHouse version 23.10.5.20, update to version 23.10.5.20 or later.
For ClickHouse Cloud version 23.9.2.47551, no additional action is required, as this version already includes the fix.
As a temporary workaround, consider restricting access to the native interface on port 9000/tcp to minimize the risk of exploitation.
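As a triage aid for the recommendations above (an added example, not code from the advisory or from the ClickHouse project): it maps a server's release branch to the fixed build the advisory names and reports whether that server still needs the update. The inventory format, hostnames and sample versions are constructed for the example.

```python
"""Check ClickHouse server versions against the fixed builds this advisory
(CVE-2023-48704) names. Added example; the fixed versions come from the
advisory's Recommendations, everything else here is constructed."""
from typing import Dict, Tuple

# Fixed build per release branch (major.minor), as listed in the advisory.
FIXED_VERSIONS: Dict[Tuple[int, int], Tuple[int, ...]] = {
    (23, 3): (23, 3, 18, 15),
    (23, 8): (23, 8, 8, 20),
    (23, 9): (23, 9, 6, 20),
    (23, 10): (23, 10, 5, 20),
}

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '23.8.7.24' (any trailing build text ignored) into a tuple of ints."""
    head = text.strip().split()[0]
    parts = tuple(int(p) for p in head.split("."))
    if len(parts) < 2:
        raise ValueError(f"not a dotted ClickHouse version: {text!r}")
    return parts

def assess(version: str) -> str:
    """Return 'fixed', 'update' or 'unknown-branch'; the last means the advisory
    names no fixed build for that major.minor line, so review it by hand."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is None:
        return "unknown-branch"
    # Tuple comparison is lexicographic, which is how dotted versions order;
    # a shorter tuple such as (23, 8, 8) sorts below (23, 8, 8, 20).
    return "fixed" if v >= fixed else "update"

def assess_inventory(lines: str) -> Dict[str, str]:
    """Assess 'host version' lines (one server per line) and map host -> status."""
    result: Dict[str, str] = {}
    for line in lines.strip().splitlines():
        host, version = line.split(maxsplit=1)
        result[host] = assess(version)
    return result

# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = """
ch-a.example.internal 23.8.7.24
ch-b.example.internal 23.8.8.20
ch-c.example.internal 23.10.6.1 (official build)
ch-d.example.internal 23.7.5.30
"""
```

A branch the advisory does not list comes back as "unknown-branch" rather than "fixed", so it is not silently treated as safe.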

Weakness Enumeration: Heap Based Buffer Overflow, Buffer Overflow, Memory Corruption

Related Identifiers: CVE-2023-48704, GHSA-5RMF-5G48-XV63

Affected Products: ClickHouse, ClickHouse Cloud, Gorilla Codec