Vulnerabilities > Yandex > Clickhouse > Medium

DATE CVE VULNERABILITY TITLE RISK
2022-03-14 CVE-2021-42389 Divide By Zero vulnerability in Yandex Clickhouse
Divide-by-zero in Clickhouse's Delta compression codec when parsing a malicious query.
network
low complexity
yandex CWE-369
4.0
2022-03-14 CVE-2021-42390 Divide By Zero vulnerability in Yandex Clickhouse
Divide-by-zero in Clickhouse's DeltaDouble compression codec when parsing a malicious query.
network
low complexity
yandex CWE-369
4.0
2022-03-14 CVE-2021-42391 Divide By Zero vulnerability in Yandex Clickhouse
Divide-by-zero in Clickhouse's Gorilla compression codec when parsing a malicious query.
network
low complexity
yandex CWE-369
5.0
2019-12-30 CVE-2019-15024 Unspecified vulnerability in Yandex Clickhouse
In all versions of ClickHouse before 19.14.3, an attacker having write access to ZooKeeper and who is able to run a custom server available from the network where ClickHouse runs, can create a custom-built malicious server that will act as a ClickHouse replica and register it in ZooKeeper.
network
low complexity
yandex
4.0
2019-10-31 CVE-2019-18657 Injection vulnerability in Yandex Clickhouse
ClickHouse before 19.13.5.44 allows HTTP header injection via the url table function.
network
low complexity
yandex CWE-74
5.0
2019-08-15 CVE-2018-14672 Path Traversal vulnerability in Yandex Clickhouse
In ClickHouse before 18.12.13, functions for loading CatBoost models allowed path traversal and reading arbitrary files through error messages.
network
low complexity
yandex CWE-22
5.0
2019-08-15 CVE-2018-14669 Information Exposure vulnerability in Yandex Clickhouse
ClickHouse MySQL client before versions 1.1.54390 had "LOAD DATA LOCAL INFILE" functionality enabled that allowed a malicious MySQL database read arbitrary files from the connected ClickHouse server.
network
low complexity
yandex CWE-200
5.0
2019-08-15 CVE-2018-14668 Cross-Site Request Forgery (CSRF) vulnerability in Yandex Clickhouse
In ClickHouse before 1.1.54388, "remote" table function allowed arbitrary symbols in "user", "password" and "default_database" fields which led to Cross Protocol Request Forgery Attacks.
network
yandex CWE-352
6.8