CVE-2023-48298: 
NixOS vulnerability analysis and mitigation

ClickHouse, an open-source column-oriented database management system for generating analytical data reports in real-time, was found to contain a vulnerability identified as CVE-2023-48298. The vulnerability was discovered in December 2023 and involves an integer underflow that results in a crash due to stack buffer overflow in the decompression of FPC codec. This vulnerability affects multiple versions of ClickHouse including versions 23.3 through 23.3.17.13, 23.8 through 23.8.7.24, 23.9 through 23.9.5.29, and 23.10 through 23.10.4.25 (NVD, GitHub Advisory).

The vulnerability is characterized by an integer underflow condition that leads to a stack buffer overflow during the decompression process of the FPC codec. The issue is similar in exploitation method to CVE-2023-47118. According to the National Vulnerability Database, this vulnerability has received a CVSS v3.1 base score of 7.5 (HIGH) from NIST and 5.9 (MEDIUM) from GitHub, with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability can be triggered and exploited by an unauthenticated attacker, potentially leading to a system crash through a stack buffer overflow. The attack primarily affects the availability of the system, with no direct impact on confidentiality or integrity (GitHub Advisory).

The vulnerability has been patched in ClickHouse versions v23.10.4.25, v23.9.5.29, v23.8.7.24, and v23.3.17.13. For users unable to immediately upgrade, a recommended workaround is to block native port access and temporarily switch to HTTP protocol to reduce exposure. However, it should be noted that the vulnerability can still be exploited by authenticated users even with this workaround in place (GitHub Advisory).