CVE-2023-48704: 
NixOS vulnerability analysis and mitigation

A heap buffer overflow vulnerability (CVE-2023-48704) was discovered in ClickHouse, an open-source column-oriented database management system. The vulnerability was discovered in December 2023 and affects the ClickHouse server's decompression logic of the Gorilla codec. The affected versions include ClickHouse Cloud versions below 23.9.2.47551, and ClickHouse versions prior to 23.10.5.20, 23.3.18.15, 23.8.8.20, and 23.9.6.20 (NVD, GitHub Advisory).

The vulnerability is a heap buffer overflow issue in the decompression logic of the Gorilla codec. The flaw is exposed through the native interface on port 9000/tcp by default. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 HIGH by NVD (vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and 7.0 HIGH by GitHub (vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H). The weakness is classified under CWE-787 (Out-of-bounds Write), CWE-120 (Buffer Copy without Checking Size of Input), and CWE-122 (Heap-based Buffer Overflow) (NVD).

When exploited, the vulnerability allows an attacker to crash the ClickHouse server process by sending a specially crafted payload to the native interface. The attack can lead to service disruption and potential system instability (GitHub Advisory).

The vulnerability has been patched in ClickHouse Cloud version 23.9.2.47551 and ClickHouse versions 23.10.5.20, 23.3.18.15, 23.8.8.20, and 23.9.6.20. As a temporary workaround, users are advised to block native port access and switch to HTTP protocol to reduce exposure before upgrading to supported versions (GitHub Advisory, GitHub PR).

The vulnerability was discovered and reported by security researcher malacupa through the ClickHouse Bug Bounty Program (GitHub PR).