Cross references:
No existing reports found with this module or alias.
See doc/triage.md for instructions on how to triage this report.
modules:
    - module: github.com/weaviate/weaviate
      versions:
        - fixed: 1.18.6
      vulnerable_at: 1.18.5
      packages:
        - package: github.com/weaviate/weaviate
    - module: github.com/weaviate/weaviate
      versions:
        - introduced: 1.19.0
          fixed: 1.19.13
      vulnerable_at: 1.19.12
      packages:
        - package: github.com/weaviate/weaviate
    - module: github.com/weaviate/weaviate
      versions:
        - introduced: 1.20.0
          fixed: 1.20.6
      vulnerable_at: 1.20.5
      packages:
        - package: github.com/weaviate/weaviate
summary: Weaviate denial of service vulnerability
description: |-
    ### Impact

    This vulnerability is a type conversion issue that affects users of
    Weaviate Server versions 1.20.0 and earlier. Who is impacted: Users of Weaviate
    Server versions 1.20.0 and earlier are impacted by this vulnerability.

    ### Patches

    A patch has been developed for this vulnerability. Patch releases
    1.20.6, 1.19.13, and 1.18.6 are fixing this vulnerability in each respective
    minor version release. Users are strongly recommended to upgrade to one of these
    patched versions to address the vulnerability. Keeping software up-to-date is
    crucial to avoid security vulnerabilities.

    ### Workarounds

    There are no known workarounds to fix or remediate this
    vulnerability without upgrading. Users must upgrade to a patched version to
    mitigate the risk.

    ### References

    * https://github.com/weaviate/weaviate/releases/tag/v1.18.6
    * https://github.com/weaviate/weaviate/releases/tag/v1.19.13
    * https://github.com/weaviate/weaviate/releases/tag/v1.20.6
cves:
    - CVE-2023-38976
ghsas:
    - GHSA-8697-479h-5mfp
references:
    - advisory: https://github.com/weaviate/weaviate/security/advisories/GHSA-8697-479h-5mfp
    - web: https://nvd.nist.gov/vuln/detail/CVE-2023-38976
    - report: https://github.com/weaviate/weaviate/issues/3258
    - fix: https://github.com/weaviate/weaviate/pull/3431
    - fix: https://github.com/weaviate/weaviate/commit/2a7b208d9aca07e28969e3be82689c184ccf9118
    - web: https://github.com/weaviate/weaviate/releases/tag/v1.18.6
    - web: https://github.com/weaviate/weaviate/releases/tag/v1.19.13
    - web: https://github.com/weaviate/weaviate/releases/tag/v1.20.6
    - advisory: https://github.com/advisories/GHSA-8697-479h-5mfp
In GitHub Security Advisory GHSA-8697-479h-5mfp, there is a vulnerability in the following Go packages or modules: