Exposure of sensitive information in exceptions in ClichHouse's clickhouse-r2dbc, com.clickhouse:clickhouse-jdbc, and com.clickhouse:clickhouse-client versions less than 0.4.6 allows unauthorized users to gain access to client certificate passwords via client exception logs. This occurs when 'sslkey' is specified and an exception, such as a ClickHouseException or SQLException, is thrown during database operations; the certificate password is then included in the logged exception message.
References
Link | Resource |
---|---|
https://github.com/ClickHouse/clickhouse-java/issues/1331 | Exploit Issue Tracking |
https://github.com/ClickHouse/clickhouse-java/pull/1334 | Issue Tracking Patch |
https://github.com/ClickHouse/clickhouse-java/releases/tag/v0.4.6 | Release Notes |
https://github.com/ClickHouse/clickhouse-java/security/advisories/GHSA-g8ph-74m6-8m7r | Vendor Advisory |
https://github.com/advisories/GHSA-g8ph-74m6-8m7r | Third Party Advisory |
https://vulncheck.com/advisories/vc-advisory-GHSA-g8ph-74m6-8m7r | Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: VulnCheck
Published: 2024-01-19T21:02:29.558Z
Updated: 2024-01-19T21:02:29.558Z
Reserved: 2024-01-19T17:35:14.200Z
Link: CVE-2024-23689
JSON object: View
NVD Information
Status : Analyzed
Published: 2024-01-19T21:15:10.520
Modified: 2024-01-26T14:50:45.023
Link: CVE-2024-23689
JSON object: View
Redhat Information
No data.
CWE