CVE-2020-26759: Arbitrary code execution in clickhouse-driver

April 7, 2021 (updated September 13, 2024)

clickhouse-driver before 0.1.5 allows a malicious clickhouse server to trigger a crash or execute arbitrary code (on a database client) via a crafted server response, due to a buffer overflow.

References

github.com/advisories/GHSA-vgv5-cxvh-vfxh
github.com/mymarilyn/clickhouse-driver
github.com/mymarilyn/clickhouse-driver/commit/3e990547e064b8fca916b23a0f7d6fe8c63c7f6b
github.com/mymarilyn/clickhouse-driver/commit/d708ed548e1d6f254ba81a21de8ba543a53b5598
github.com/pypa/advisory-database/tree/main/vulns/clickhouse-driver/PYSEC-2021-61.yaml
nvd.nist.gov/vuln/detail/CVE-2020-26759

Detect and mitigate CVE-2020-26759 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →