CVE 2018-14672

In ClickHouse before 18.12.13, functions for loading CatBoost models allowed path traversal and reading arbitrary files through error messages.

See the CVE page on Mitre.org for more details.