Skip to content

Instantly share code, notes, and snippets.

@ycybfhb
Created August 9, 2024 08:14
Show Gist options
  • Save ycybfhb/db127ae9d105a4d20edc9f010a959016 to your computer and use it in GitHub Desktop.
Save ycybfhb/db127ae9d105a4d20edc9f010a959016 to your computer and use it in GitHub Desktop.
[CVE ID]
CVE-2024-41436
[PRODUCT]
ClickHouse
[VERSION]
v24.3.3.102
[PROBLEM TYPE]
buffer overflow
[DESCRIPTION]
ClickHouse v24.3.3.102 was discovered to contain a buffer overflow vulnerability,
which could lead to database crashes and denial of service attacks.
The issue here is that 'DB::evaluateConstantExpressionImpl' uses the old analyzer unconditionally.
This function should be rewritten to support 'allow_experimental_analyzer' setting.
[Reference]
https://github.com/ClickHouse/ClickHouse/issues/65520
[Discoverer]
Jiaju Bai, Zixuan Fu, Hongbo Feng, Jianwei Liu
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment