Arbitrary Symbol Injection in ClickHouse remote Table Function Leading to Cross Protocol Request Forgery Attacks

CVE-2018-14668 · MEDIUM Severity

AV:N/AC:M/Au:N/C:P/I:P/A:P

In ClickHouse before 1.1.54388, the "remote" table function allowed arbitrary symbols in the "user", "password" and "default_database" fields, which led to Cross Protocol Request Forgery Attacks.
