CVE-2023-48298: Integer underflow leading to stack overflow in FPC codec decompression

5.9 CVSS

Description

ClickHouse® is an open-source column-oriented database management system that allows generating analytical data reports in real-time. This vulnerability is an integer underflow resulting in crash due to stack buffer overflow in decompression of FPC codec. It can be triggered and exploited by an unauthenticated attacker. The vulnerability is very similar to CVE-2023-47118 with how the vulnerable function can be exploited.

Classification

CVE ID: CVE-2023-48298

CVSS Base Severity: MEDIUM

CVSS Base Score: 5.9

Affected Products

Vendor: ClickHouse

Product: ClickHouse

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.1% (probability of being exploited)

EPSS Percentile: 42.41% (scored less or equal to compared to others)

EPSS Date: 2025-02-03 (when was this score calculated)

References

https://github.com/ClickHouse/ClickHouse/security/advisories/GHSA-qw9f-qv29-8938
https://github.com/ClickHouse/ClickHouse/pull/56795

Timeline

2024-11-28 00:11:40 UTC
CVE

Integer underflow leading to stack overflow in FPC codec decompression