Information Exposure Through an Error Message in clickhouse-java - CVE-2024-23689

 

Information Exposure Through an Error Message in clickhouse-java - CVE-2024-23689

Published: October 15, 2024


Vulnerability identifier: #VU98554
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-23689
CWE-ID: CWE-209
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: ClickHouse
Affected software:
clickhouse-java

Detailed vulnerability description

The vulnerability allows a local user to gain access to client certificate passwords.

The vulnerability occurs when 'sslkey' is specified and an exception, such as a ClickHouseException or SQLException, is thrown during database operations; the certificate password is then included in the logged exception message. A local user can trick the victim into opening a specially crafted file and gain access to client certificate passwords via client exception logs


How to mitigate CVE-2024-23689

Install updates from vendor's website.

Sources