CVE-2024-23689 in r2dbcinfo

Summary

by MITRE • 01/19/2024

Exposure of sensitive information in exceptions in ClichHouse's clickhouse-r2dbc, com.clickhouse:clickhouse-jdbc, and com.clickhouse:clickhouse-client versions less than 0.4.6 allows unauthorized users to gain access to client certificate passwords via client exception logs. This occurs when 'sslkey' is specified and an exception, such as a ClickHouseException or SQLException, is thrown during database operations; the certificate password is then included in the logged exception message.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 11/29/2025

The vulnerability identified as CVE-2024-23689 represents a critical security flaw in ClickHouse's Java database connectivity libraries, specifically affecting versions prior to 0.4.6 of clickhouse-r2dbc, clickhouse-jdbc, and clickhouse-client components. This issue stems from improper exception handling practices that inadvertently expose sensitive credential information within log output, creating a significant attack surface for unauthorized parties seeking to compromise database security. The vulnerability manifests when client certificate authentication is employed through the sslkey parameter, where the system fails to sanitize exception messages before logging them to disk or console output.

The technical implementation of this vulnerability occurs at the exception handling layer within ClickHouse's JDBC and R2DBC drivers, where internal error conditions trigger the throwing of ClickHouseException or SQLException objects. When these exceptions are generated during database operations involving SSL certificate authentication, the underlying exception messages contain unredacted certificate passwords that are subsequently written to system logs. This behavior directly violates fundamental security principles of information hiding and privilege separation, as sensitive authentication material becomes accessible through standard logging mechanisms that are typically not protected from unauthorized access. The flaw is classified under CWE-209, which specifically addresses the exposure of exception information that could reveal sensitive system details to attackers.

The operational impact of this vulnerability extends beyond simple credential exposure, as it provides attackers with the capability to escalate their privileges and gain unauthorized access to database resources. When an attacker can access exception logs containing certificate passwords, they can bypass normal authentication mechanisms and directly connect to the ClickHouse database using legitimate client certificates. This creates a persistent threat vector that can remain active until the affected software is updated, potentially allowing for data exfiltration, modification of database contents, or complete system compromise. The vulnerability is particularly concerning in enterprise environments where database logging is enabled by default and may be accessible to multiple system administrators or security monitoring tools.

Mitigation strategies for CVE-2024-23689 primarily involve immediate software upgrades to versions 0.4.6 or later, which contain proper exception sanitization mechanisms that prevent sensitive information from appearing in logged error messages. Organizations should also implement comprehensive log monitoring and access controls to minimize the potential impact of any remaining vulnerable systems, ensuring that log files containing sensitive information are properly secured and restricted to authorized personnel only. Additionally, system administrators should review existing exception handling code patterns and implement logging best practices that automatically redact sensitive data from error messages, aligning with ATT&CK technique T1562.001 for privilege escalation through credential access. The vulnerability demonstrates the critical importance of secure coding practices and proper input validation in database connectivity libraries, as highlighted by the ATT&CK framework's emphasis on preventing information disclosure through improper error handling.

Reservation

01/19/2024

Disclosure

01/19/2024

Moderation

accepted

CPE

ready

EPSS

0.00670

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!