cvelistv5 - cve-2025-52969

CVE-2025-52969 (GCVE-0-2025-52969)

Vulnerability from cvelistv5

This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

Show details on NVD website

{
  "containers": {
    "cna": {
      "providerMetadata": {
        "dateUpdated": "2025-07-03T15:20:56.984Z",
        "orgId": "cb7ba516-3b07-4c98-b0c2-715220f1a8f6",
        "shortName": "ClickHouse"
      },
      "rejectedReasons": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority."
            }
          ],
          "value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2025-52969",
    "datePublished": "2025-06-23T00:00:00.000Z",
    "dateRejected": "2025-07-03T15:20:56.984Z",
    "dateReserved": "2025-06-23T00:00:00.000Z",
    "dateUpdated": "2025-07-03T15:20:56.984Z",
    "state": "REJECTED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-52969\",\"sourceIdentifier\":\"cb7ba516-3b07-4c98-b0c2-715220f1a8f6\",\"published\":\"2025-06-23T17:15:31.137\",\"lastModified\":\"2025-07-03T16:15:23.710\",\"vulnStatus\":\"Rejected\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.\"}],\"metrics\":{},\"references\":[]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"providerMetadata\": {\"orgId\": \"cb7ba516-3b07-4c98-b0c2-715220f1a8f6\", \"shortName\": \"ClickHouse\", \"dateUpdated\": \"2025-07-03T15:20:56.984Z\"}, \"rejectedReasons\": [{\"lang\": \"en\", \"supportingMedia\": [{\"base64\": false, \"type\": \"text/html\", \"value\": \"This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.\"}], \"value\": \"This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}}}",
      "cveMetadata": "{\"state\": \"REJECTED\", \"cveId\": \"CVE-2025-52969\", \"assignerOrgId\": \"8254265b-2729-46b6-b9e3-3dfca2d5bfca\", \"assignerShortName\": \"mitre\", \"dateUpdated\": \"2025-07-03T15:20:56.984Z\", \"dateReserved\": \"2025-06-23T00:00:00.000Z\", \"datePublished\": \"2025-06-23T00:00:00.000Z\", \"dateRejected\": \"2025-07-03T15:20:56.984Z\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

ghsa-354g-72cf-fpqr

Vulnerability from github

Published

2025-06-23 18:30

Modified

2025-06-23 18:30

Severity ?

2.8 (Low) - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N

Details

ClickHouse 25.7.1.557 allows low-privileged users to execute shell commands by querying existing Executable() tables created by higher-privileged users. Although the CREATE TABLE privilege is restricted, there is no access control preventing low-privileged users from invoking Executable tables already present in the system. If an attacker can influence the contents of the script referenced by the Executable() engine through writable paths, they may execute controlled commands in the context of the ClickHouse server, leading to privilege escalation and unauthorized code execution. NOTE: the Supplier's position is that these types of executions by low-privileged users are the expected behavior.

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2025-52969"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-420"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-23T17:15:31Z",
    "severity": "LOW"
  },
  "details": "ClickHouse 25.7.1.557 allows low-privileged users to execute shell commands by querying existing Executable() tables created by higher-privileged users. Although the CREATE TABLE privilege is restricted, there is no access control preventing low-privileged users from invoking Executable tables already present in the system. If an attacker can influence the contents of the script referenced by the Executable() engine through writable paths, they may execute controlled commands in the context of the ClickHouse server, leading to privilege escalation and unauthorized code execution. NOTE: the Supplier\u0027s position is that these types of executions by low-privileged users are the expected behavior.",
  "id": "GHSA-354g-72cf-fpqr",
  "modified": "2025-06-23T18:30:26Z",
  "published": "2025-06-23T18:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52969"
    },
    {
      "type": "WEB",
      "url": "https://github.com/skraft9/clickhouse-security-research"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

fkie_cve-2025-52969

Vulnerability from fkie_nvd

Published

2025-06-23 17:15

Modified

2025-07-03 16:15

Severity ?

Summary

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

References

	URL	Tags

Impacted products

	Vendor	Product	Version