Vulnerabilities > Yandex > Clickhouse > Medium
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2022-03-14 | CVE-2021-42389 | Divide By Zero vulnerability in Yandex Clickhouse Divide-by-zero in Clickhouse's Delta compression codec when parsing a malicious query. | 4.0 |
2022-03-14 | CVE-2021-42390 | Divide By Zero vulnerability in Yandex Clickhouse Divide-by-zero in Clickhouse's DeltaDouble compression codec when parsing a malicious query. | 4.0 |
2022-03-14 | CVE-2021-42391 | Divide By Zero vulnerability in Yandex Clickhouse Divide-by-zero in Clickhouse's Gorilla compression codec when parsing a malicious query. | 5.0 |
2019-12-30 | CVE-2019-15024 | Unspecified vulnerability in Yandex Clickhouse In all versions of ClickHouse before 19.14.3, an attacker having write access to ZooKeeper and who is able to run a custom server available from the network where ClickHouse runs, can create a custom-built malicious server that will act as a ClickHouse replica and register it in ZooKeeper. | 4.0 |
2019-10-31 | CVE-2019-18657 | Injection vulnerability in Yandex Clickhouse ClickHouse before 19.13.5.44 allows HTTP header injection via the url table function. | 5.0 |
2019-08-15 | CVE-2018-14672 | Path Traversal vulnerability in Yandex Clickhouse In ClickHouse before 18.12.13, functions for loading CatBoost models allowed path traversal and reading arbitrary files through error messages. | 5.0 |
2019-08-15 | CVE-2018-14669 | Information Exposure vulnerability in Yandex Clickhouse ClickHouse MySQL client before versions 1.1.54390 had "LOAD DATA LOCAL INFILE" functionality enabled that allowed a malicious MySQL database read arbitrary files from the connected ClickHouse server. | 5.0 |
2019-08-15 | CVE-2018-14668 | Cross-Site Request Forgery (CSRF) vulnerability in Yandex Clickhouse In ClickHouse before 1.1.54388, "remote" table function allowed arbitrary symbols in "user", "password" and "default_database" fields which led to Cross Protocol Request Forgery Attacks. | 6.8 |