Path traversal in ClickHouse - CVE-2018-14672
Published: August 15, 2019 / Updated: July 17, 2020
Vulnerability identifier: #VU30822
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2018-14672
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: ClickHouse
Affected software:
ClickHouse
ClickHouse
Detailed vulnerability description
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
In ClickHouse before 18.12.13, functions for loading CatBoost models allowed path traversal and reading arbitrary files through error messages.
How to mitigate CVE-2018-14672
Install update from vendor's website.