Information exposure through an error message in ClickHouse clickhouse-java



Risk Low
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2024-23689
CWE-ID CWE-209
Exploitation vector Local
Public exploit N/A
Vulnerable software
clickhouse-java
Other software / Other software solutions

Vendor ClickHouse

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Information Exposure Through an Error Message

EUVDB-ID: #VU98554

Risk: Low

CVSSv4.0: 0.4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-23689

CWE-ID: CWE-209 - Information Exposure Through an Error Message

Exploit availability: No

Description

The vulnerability allows a local user to gain access to client certificate passwords.

The vulnerability occurs when 'sslkey' is specified and an exception, such as a ClickHouseException or SQLException, is thrown during database operations; the certificate password is then included in the logged exception message. A local user can trick the victim into opening a specially crafted file and gain access to client certificate passwords via client exception logs.
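
The CWE-209 pattern described above, as an added illustration that is not clickhouse-java's own code: a minimal client stub builds an error message from its connection properties, first with the secret included (the vulnerable behaviour) and then with secrets masked, plus a check for log lines that already carry a known secret in clear text. The property names other than 'sslkey' and the sample values are constructed for the example.

```python
# Added example (not clickhouse-java's own code): the CWE-209 pattern behind
# CVE-2024-23689 shown on a minimal client stub. Property names other than
# 'sslkey' are assumptions made for illustration.

SENSITIVE_KEYS = {"password", "sslkey_password", "keystore_password"}  # assumed names
REDACTED = "***"


def redact(props: dict) -> dict:
    """Return a copy of the connection properties with secret values masked."""
    return {k: (REDACTED if k.lower() in SENSITIVE_KEYS else v) for k, v in props.items()}


def vulnerable_error(props: dict, cause: str) -> str:
    """Vulnerable pattern: the whole property map, secrets included, is
    formatted into the exception message and ends up in the client log."""
    return f"query failed ({cause}); connection properties: {props}"


def hardened_error(props: dict, cause: str) -> str:
    """Fixed pattern: secrets are masked before the message is built."""
    return f"query failed ({cause}); connection properties: {redact(props)}"


def find_leaks(log_lines, secrets):
    """Defender check: indices of log lines containing any known secret in clear text."""
    return [i for i, line in enumerate(log_lines) if any(s in line for s in secrets)]


# Constructed sample: a client configured with a client key and a key password.
PROPS = {
    "host": "db.example.internal",
    "sslkey": "/etc/clickhouse/client.key",
    "sslkey_password": "hunter2-demo",  # constructed secret, not a real value
}

if __name__ == "__main__":
    log = [vulnerable_error(PROPS, "SQLException"), hardened_error(PROPS, "SQLException")]
    for i, line in enumerate(log):
        print(i, line)
    print("leaking lines:", find_leaks(log, {PROPS["sslkey_password"]}))  # [0]
```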

Mitigation

Install update from vendor's website.

Vulnerable software versions

clickhouse-java: 0.1.13 - 0.4.5

External links

https://github.com/ClickHouse/clickhouse-java/security/advisories/GHSA-g8ph-74m6-8m7r
https://github.com/ClickHouse/clickhouse-java/issues/1331
https://github.com/ClickHouse/clickhouse-java/pull/1334
https://github.com/ClickHouse/clickhouse-java/releases/tag/v0.4.6
https://github.com/advisories/GHSA-g8ph-74m6-8m7r
https://vulncheck.com/advisories/vc-advisory-GHSA-g8ph-74m6-8m7r


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


