CVE-2023-48298 MEDIUM

CVE-2023-48298: Integer underflow leading to stack overflow in FPC codec decompression

Vendor Clickhouse
Product ClickHouse
Weakness CWE-191
Published December 21, 2023
Last update November 27, 2024

CVSS base score

5.9/10 (Medium)
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

Description

ClickHouse® is an open-source column-oriented database management system that allows generating analytical data reports in real time. This vulnerability is an integer underflow (CWE-191) that results in a crash due to a stack buffer overflow during decompression of data encoded with the FPC codec. It can be triggered and exploited by an unauthenticated attacker over the network; the impact is limited to availability (denial of service). The vulnerability is very similar to CVE-2023-47118 in how the vulnerable function can be exploited.

Key dates

Disclosure timeline

December 21, 2023 CVE published
November 27, 2024 Record updated