Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

x/vulndb: potential Go vuln in github.com/ClickHouse/ClickHouse: CVE-2023-47118 #2415

Closed
GoVulnBot opened this issue Dec 20, 2023 · 2 comments
Assignees
Labels
excluded: NOT_GO_CODE This vulnerability does not refer to a Go module.

Comments

@GoVulnBot
Copy link

CVE-2023-47118 references github.com/ClickHouse/ClickHouse, which may be a Go module.

Description:
ClickHouse® is an open-source column-oriented database management system that allows generating analytical data reports in real-time. A heap buffer overflow issue was discovered in ClickHouse server. An attacker could send a specially crafted payload to the native interface exposed by default on port 9000/tcp, triggering a bug in the decompression logic of T64 codec that crashes the ClickHouse server process. This attack does not require authentication. Note that this exploit can also be triggered via HTTP protocol, however, the attacker will need a valid credential as the HTTP authentication take places first. This issue has been fixed in version 23.10.2.13-stable, 23.9.4.11-stable, 23.8.6.16-lts and 23.3.16.7-lts.

References:

Cross references:

See doc/triage.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/ClickHouse/ClickHouse
      vulnerable_at: 21.1.0-testing+incompatible
      packages:
        - package: ClickHouse
cves:
    - CVE-2023-47118
references:
    - advisory: https://github.com/ClickHouse/ClickHouse/security/advisories/GHSA-g22g-p6q2-x39v

@jba jba self-assigned this Dec 21, 2023
@jba
Copy link
Contributor

jba commented Jan 3, 2024

The GHSA references the fixing PR, which does not include any Go code.

In fact, there doesn't seem to be any Go code in the repo, except for some diagnostic tools.

@jba jba added the excluded: NOT_GO_CODE This vulnerability does not refer to a Go module. label Jan 3, 2024
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/553636 mentions this issue: data/excluded: batch add 6 excluded reports

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
excluded: NOT_GO_CODE This vulnerability does not refer to a Go module.
Projects
None yet
Development

No branches or pull requests

3 participants