Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
ClickHouse's Role-based Access Control is bypassed when query caching is enabled.
Vulnerability Description
ClickHouse is an open-source column-oriented database management system. A bug exists in the cloud ClickHouse offering prior to version 24.0.2.54535 and in github.com/clickhouse/clickhouse version 23.1. Query caching bypasses the role based access controls and the policies being enforced on roles. In affected versions, the query cache only respects separate users, however this is not documented and not expected behavior. People relying on ClickHouse roles can have their access control lists bypassed if they are using query caching. Attackers who have control of a role could guess queries and see data they shouldn't have access to. Version 24.1 of ClickHouse and version 24.0.2.54535 of ClickHouse Cloud contain a patch for this issue. Based on the documentation, role based access control should be enforced regardless if query caching is enabled or not.
CVSS Information
CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
Vulnerability Type
授权机制不正确
Vulnerability Title
ClickHouse 安全漏洞
Vulnerability Description
ClickHouse是ClickHouse公司的用于实时应用程序和分析的速度最快、资源效率最高的开源数据库。 ClickHouse 24.1之前、ClickHouse Cloud 24.0.2.54535 之前版本存在安全漏洞,该漏洞源于当启用查询缓存后,访问控制将被绕过。
CVSS Information
N/A
Vulnerability Type
N/A