CVE-2024-23689
CVSS V2 None
CVSS V3 None
Description
Exposure of sensitive information in exceptions in ClichHouse's clickhouse-r2dbc, com.clickhouse:clickhouse-jdbc, and com.clickhouse:clickhouse-client versions less than 0.4.6 allows unauthorized users to gain access to client certificate passwords via client exception logs. This occurs when 'sslkey' is specified and an exception, such as a ClickHouseException or SQLException, is thrown during database operations; the certificate password is then included in the logged exception message.
Overview
- CVE ID
- CVE-2024-23689
- Assigner
- VulnCheck
- Vulnerability Status
- PUBLISHED
- Published Version
- 2024-01-19T21:02:29.558Z
- Last Modified Date
- 2024-01-19T21:02:29.558Z
Weakness Enumerations
References
| Reference URL | Reference Tags |
|---|---|
| https://github.com/ClickHouse/clickhouse-java/security/advisories/GHSA-g8ph-74m6-8m7r | vendor-advisory |
| https://github.com/ClickHouse/clickhouse-java/issues/1331 | issue-tracking |
| https://github.com/ClickHouse/clickhouse-java/pull/1334 | patch |
| https://github.com/ClickHouse/clickhouse-java/releases/tag/v0.4.6 | related |
| https://github.com/advisories/GHSA-g8ph-74m6-8m7r | third-party-advisory |
| https://vulncheck.com/advisories/vc-advisory-GHSA-g8ph-74m6-8m7r | third-party-advisory |
Sources
| Source Name | Source URL |
|---|---|
| NIST | https://nvd.nist.gov/vuln/detail/CVE-2024-23689 |
| MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-23689 |
History
| Created | Old Value | New Value | Data Type | Notes |
|---|---|---|---|---|
| 2024-06-26 07:02:25 | Added to TrackCVE |