216.73.217.139

CVE-2025-1385

· Published 20/03/2025 08:15 · Modified 20/03/2025 08:15

Labels: CVE-2025-1385 2025-03-20CVE-2025-1385CWE-20cb7ba516-3b07-4c98-b0c2-715220f1a8f6

Essential information

Published
20/03/2025 08:15
Modified
20/03/2025 08:15
Author
Creator
CVSS
7.5 HIGH (v3) 7.5 HIGH (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

When the library bridge feature is enabled, the clickhouse-library-bridge exposes an HTTP API on localhost. This allows clickhouse-server to dynamically load a library from a specified path and execute it in an isolated process. Combined with the ClickHouse table engine functionality that permits file uploads to specific directories, a misconfigured server can be exploited by an attacker with privilege to access to both table engines to execute arbitrary code on the ClickHouse server. You can check if your ClickHouse server is vulnerable to this vulnerability by inspecting the configuration file and confirming if the following setting is enabled: <library_bridge> <port>9019</port> </library_bridge>

NVD status

Status
Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source
cb7ba516-3b07-4c98-b0c2-715220f1a8f6
NVD
View on NVD

Affected products (CPE)

ProductCPE
clickhouse / clickhouse-server cpe:2.3:a:clickhouse:clickhouse-server:*:*:*:*:*:*:*:*

References