CVE-2024-23689: ClickHouse vulnerable to client certificate password exposure in client exception
As initially reported in issue #1331, when client certificate authentication is enabled with a password-protected key, the password (supplied through the client option sslkey) can be included in the message of exceptions the client raises, such as ClickHouseException or SQLException. Anything that records those exceptions (application logs, error reporting, stack traces shown to users) then holds the credential in clear text, which can lead to unauthorized access, data breaches and violations of user privacy. The fix (pull request #1334) shipped in clickhouse-java v0.4.6; earlier releases are affected.
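To make the failure mode concrete, the following is an added Java example written for this page, not code from clickhouse-java. It contrasts the leaky pattern (formatting the whole option map into an SQLException message) with a redacting one, and includes a check a consumer can put in a test that forces a connection failure. The option names in the sample map and the SENSITIVE_KEYS list are assumptions for the demo; only the sslkey option name comes from the advisory text.

```java
import java.sql.SQLException;
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

/**
 * Illustrative example, not clickhouse-java code. A client library that builds
 * an exception message from its option map leaks whatever secrets the map
 * holds. The hardened variant masks sensitive keys before formatting, and a
 * small helper lets a test assert that no exception in a cause chain carries
 * the secret. Option names and the SENSITIVE_KEYS list are assumptions.
 */
public final class RedactedExceptionDemo {

    /** Option keys whose values must never be echoed (assumed list). */
    private static final Set<String> SENSITIVE_KEYS =
            Set.of("password", "sslkey", "sslkeypassword");

    /** Vulnerable pattern: the raw option map, secret included, goes into the message. */
    static SQLException leakyFailure(Map<String, String> options, Throwable cause) {
        return new SQLException("Failed to connect with options " + options, cause);
    }

    /** Hardened pattern: mask sensitive values first, then format. */
    static SQLException redactedFailure(Map<String, String> options, Throwable cause) {
        return new SQLException("Failed to connect with options " + redact(options), cause);
    }

    /** Returns a printable copy of the options with sensitive values replaced by "***". */
    static Map<String, String> redact(Map<String, String> options) {
        Map<String, String> copy = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : options.entrySet()) {
            boolean sensitive = SENSITIVE_KEYS.contains(e.getKey().toLowerCase(Locale.ROOT));
            copy.put(e.getKey(), sensitive ? "***" : e.getValue());
        }
        return copy;
    }

    /**
     * Check for consumers of any driver: walk the cause chain and report whether
     * the secret appears in any message. Call it from a test that deliberately
     * fails a connection after upgrading the dependency.
     */
    static boolean exposesSecret(Throwable t, String secret) {
        for (Throwable cur = t; cur != null; cur = cur.getCause()) {
            String msg = cur.getMessage();
            if (msg != null && msg.contains(secret)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample options; the sslkey value stands in for the key
        // password that the advisory says can leak.
        String secret = "s3cret-key-passphrase";
        Map<String, String> options = new LinkedHashMap<>();
        options.put("user", "analytics");
        options.put("sslcert", "/etc/ch/client.crt");
        options.put("sslkey", secret);

        Throwable cause = new java.io.IOException("connection refused");
        SQLException leaky = leakyFailure(options, cause);
        SQLException safe = redactedFailure(options, cause);

        System.out.println(leaky.getMessage()); // message carries the sslkey value verbatim
        System.out.println(safe.getMessage());  // sslkey is masked

        // The leaky exception must expose the secret and the redacted one must not.
        if (!exposesSecret(leaky, secret) || exposesSecret(safe, secret)) {
            throw new AssertionError("redaction check failed");
        }
    }
}
```

Compile and run with javac and java; the final check throws if the leaky message lacks the secret or the redacted one contains it. For consumers of the driver the practical steps are to move to clickhouse-java v0.4.6 or later and, because an earlier version may already have written the key password into logs or error reports, to treat those records as sensitive and consider rotating the affected key password.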
References
- github.com/ClickHouse/clickhouse-java
- github.com/ClickHouse/clickhouse-java/issues/1331
- github.com/ClickHouse/clickhouse-java/pull/1334
- github.com/ClickHouse/clickhouse-java/releases/tag/v0.4.6
- github.com/ClickHouse/clickhouse-java/security/advisories/GHSA-g8ph-74m6-8m7r
- github.com/advisories/GHSA-g8ph-74m6-8m7r
- nvd.nist.gov/vuln/detail/CVE-2024-23689
- vulncheck.com/advisories/vc-advisory-GHSA-g8ph-74m6-8m7r