CVE-2021-42387
HIGH8.1EPSS 0.24%clickhouse - security update
Published: 3/14/2022Modified: 4/28/2026
Description
Heap out-of-bounds read in Clickhouse's LZ4 compression codec when parsing a malicious query. As part of the LZ4::decompressImpl() loop, a 16-bit unsigned user-supplied value ('offset') is read from the compressed data. The offset is later used in the length of a copy operation, without checking the upper bounds of the source of the copy operation.
Affected packages (2)
- Debian/clickhousefrom 0, < 18.16.1+ds-7.2+deb11u1
- Debian/clickhousefrom 0, < 18.16.1+ds-4+deb10u1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH8.1 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H |