PT-2023-32950 · Clickhouse · Clickhouse-R2Dbc+2
Zhicwu · Published 2023-05-12 · Updated 2025-11-29 · CVE-2024-23689
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions:
- clickhouse-r2dbc versions less than 0.4.6
- com.clickhouse:clickhouse-jdbc versions less than 0.4.6
- com.clickhouse:clickhouse-client versions less than 0.4.6
Description: The issue allows unauthorized users to gain access to client certificate passwords via client exception logs when 'sslkey' is specified and an exception, such as a ClickHouseException or SQLException, is thrown during database operations. This occurs because the certificate password is included in the logged exception message. The vulnerability can potentially lead to unauthorized access, data breaches, and violations of user privacy. An attacker with access to client exception error messages or logs can obtain client certificate passwords, potentially allowing unauthorized access to sensitive information, data manipulation, and denial of service attacks.
Recommendations:
- For clickhouse-r2dbc versions less than 0.4.6, update to version 0.4.6 or later to resolve the issue.
- For com.clickhouse:clickhouse-jdbc versions less than 0.4.6, update to version 0.4.6 or later to resolve the issue.
- For com.clickhouse:clickhouse-client versions less than 0.4.6, update to version 0.4.6 or later to resolve the issue.
- As a temporary workaround, consider restricting access to client exception logs to minimize the risk of exploitation. Avoid using the sslkey parameter in the affected API endpoints until the issue is resolved.
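The following is an added example, not code from the ClickHouse Java client or from this advisory. It reproduces the weakness class described above in a self-contained form: an exception message that echoes the connection settings, key password included, placed next to a hardened version that masks secret-bearing settings and URL parameters before the message is built. Only the setting name 'sslkey' comes from the advisory; the setting name 'sslkeypassword', the JDBC URL layout and the sample values are assumptions made for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;

/*
 * Added example (not the ClickHouse client's own code). Shows the weakness class
 * from the advisory, a connection error whose message carries a certificate key
 * password, and a redacting alternative. Setting names other than 'sslkey' are
 * assumed for illustration and are not the driver's real parameter names.
 */
public class ConnectionErrorRedaction {

    /** Heuristic: any setting whose name mentions a password or secret is sensitive. */
    static boolean isSensitive(String key) {
        String k = key.toLowerCase(Locale.ROOT);
        return k.contains("password") || k.contains("passwd") || k.contains("secret");
    }

    /** Vulnerable pattern: the raw settings map, password included, becomes part of the message. */
    static String unsafeMessage(Map<String, String> settings, Throwable cause) {
        return "Connection failed with settings " + settings + ": " + cause.getMessage();
    }

    /** Returns a copy of the settings with sensitive values masked. */
    static Map<String, String> redact(Map<String, String> settings) {
        Map<String, String> out = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : settings.entrySet()) {
            out.put(e.getKey(), isSensitive(e.getKey()) ? "***" : e.getValue());
        }
        return out;
    }

    /** Masks sensitive query parameters in a URL of the form scheme://host/db?k=v&k2=v2. */
    static String redactUrl(String url) {
        int q = url.indexOf('?');
        if (q < 0) {
            return url;
        }
        StringBuilder sb = new StringBuilder(url.substring(0, q + 1));
        String[] pairs = url.substring(q + 1).split("&");
        for (int i = 0; i < pairs.length; i++) {
            int eq = pairs[i].indexOf('=');
            String key = eq < 0 ? pairs[i] : pairs[i].substring(0, eq);
            if (i > 0) {
                sb.append('&');
            }
            sb.append(key);
            if (eq >= 0) {
                sb.append('=').append(isSensitive(key) ? "***" : pairs[i].substring(eq + 1));
            }
        }
        return sb.toString();
    }

    /** Hardened pattern: only redacted settings and a redacted URL reach the message. */
    static String safeMessage(String url, Map<String, String> settings, Throwable cause) {
        return "Connection failed for " + redactUrl(url) + " with settings " + redact(settings)
                + ": " + cause.getMessage();
    }

    public static void main(String[] args) {
        // Constructed sample values; 'sslkeypassword' is an assumed setting name.
        Map<String, String> settings = new LinkedHashMap<>();
        settings.put("sslkey", "/etc/clickhouse/client.key");
        settings.put("sslkeypassword", "s3cret-key-pass");
        String url = "jdbc:clickhouse://db.example.internal:8443/analytics"
                + "?ssl=true&sslkeypassword=s3cret-key-pass";
        Throwable cause = new IllegalStateException("TLS handshake failed");

        String leaked = unsafeMessage(settings, cause);
        String redacted = safeMessage(url, settings, cause);
        System.out.println("unsafe : " + leaked);    // contains s3cret-key-pass
        System.out.println("safe   : " + redacted);  // password masked as ***
        if (redacted.contains("s3cret-key-pass")) {
            throw new AssertionError("redaction failed");
        }
    }
}
```

The same redaction belongs wherever settings are serialised into diagnostics, not only in the top-level exception: a cause chain or a debug log of the effective configuration leaks the value just as readily, and masking by setting name is only a heuristic, so applications should keep key passwords out of connection URLs where the driver offers a separate channel for them.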

Weakness Enumeration:
Generation of Error Message Containing Sensitive Information

Related Identifiers:

CVE-2024-23689
GHSA-3P77-WG4C-QM24
GHSA-G8PH-74M6-8M7R

Affected Products:

Clickhouse-Client
Clickhouse-Jdbc
Clickhouse-R2Dbc