x/vulndb: potential Go vuln in github.com/ClickHouse/ClickHouse: CVE-2023-48298

[GoVulnBot]

CVE-2023-48298 references github.com/ClickHouse/ClickHouse, which may be a Go module.

Description:
ClickHouse® is an open-source column-oriented database management system that allows generating analytical data reports in real-time. This vulnerability is an integer underflow resulting in crash due to stack buffer overflow in decompression of FPC codec. It can be triggered and exploited by an unauthenticated attacker. The vulnerability is very similar to CVE-2023-47118 with how the vulnerable function can be exploited.

References:

• NIST: https://nvd.nist.gov/vuln/detail/CVE-2023-48298
• JSON: https://github.com/CVEProject/cvelist/tree/f2f6707f93d40cb6fe5c7a9006ca8cdb84fe73f3/2023/48xxx/CVE-2023-48298.json
• advisory: GHSA-qw9f-qv29-8938
• fix: Fix crash in FPC codec ClickHouse/ClickHouse#56795
• Imported by: https://pkg.go.dev/github.com/ClickHouse/ClickHouse?tab=importedby

Cross references:

• Module github.com/ClickHouse/ClickHouse appears in issue x/vulndb: potential Go vuln in github.com/ClickHouse/ClickHouse: CVE-2019-18657 #2246 LEGACY_FALSE_POSITIVE

See doc/triage.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/ClickHouse/ClickHouse
      vulnerable_at: 21.1.0-testing+incompatible
      packages:
        - package: ClickHouse
cves:
    - CVE-2023-48298
references:
    - advisory: https://github.com/ClickHouse/ClickHouse/security/advisories/GHSA-qw9f-qv29-8938
    - fix: https://github.com/ClickHouse/ClickHouse/pull/56795

[jba]

The only Go code in this repo is for diagnostic tools.

[gopherbot]

Change https://go.dev/cl/553636 mentions this issue: data/excluded: batch add 6 excluded reports