golang / vulndb

[mirror] The Go Vulnerability Database

x/vulndb: potential Go vuln in github.com/weaviate/weaviate: GHSA-8697-479h-5mfp #2017

Closed GoVulnBot closed 10 months ago

GoVulnBot commented 1 year ago

In GitHub Security Advisory GHSA-8697-479h-5mfp, there is a vulnerability in the following Go packages or modules:

Unit                          Fixed    Vulnerable Ranges
github.com/weaviate/weaviate  1.18.6   < 1.18.6
github.com/weaviate/weaviate  1.19.13  >= 1.19.0, < 1.19.13
github.com/weaviate/weaviate  1.20.6   >= 1.20.0, < 1.20.6

Cross references: No existing reports found with this module or alias.

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/weaviate/weaviate
      versions:
        - fixed: 1.18.6
      vulnerable_at: 1.18.5
      packages:
        - package: github.com/weaviate/weaviate
    - module: github.com/weaviate/weaviate
      versions:
        - introduced: 1.19.0
          fixed: 1.19.13
      vulnerable_at: 1.19.12
      packages:
        - package: github.com/weaviate/weaviate
    - module: github.com/weaviate/weaviate
      versions:
        - introduced: 1.20.0
          fixed: 1.20.6
      vulnerable_at: 1.20.5
      packages:
        - package: github.com/weaviate/weaviate
summary: Weaviate denial of service vulnerability
description: |-
    ### Impact
    This vulnerability is a type conversion issue that affects users of
    Weaviate Server versions 1.20.0 and earlier. Who is impacted: Users of Weaviate
    Server versions 1.20.0 and earlier are impacted by this vulnerability.

    ### Patches
    A patch has been developed for this vulnerability. Patch releases
    1.20.6, 1.19.13, and 1.18.6 are fixing this vulnerability in each respective
    minor version release. Users are strongly recommended to upgrade to one of these
    patched versions to address the vulnerability. Keeping software up-to-date is
    crucial to avoid security vulnerabilities.

    ### Workarounds
    There are no known workarounds to fix or remediate this
    vulnerability without upgrading. Users must upgrade to a patched version to
    mitigate the risk.

    ### References
    * https://github.com/weaviate/weaviate/releases/tag/v1.18.6
    * https://github.com/weaviate/weaviate/releases/tag/v1.19.13
    * https://github.com/weaviate/weaviate/releases/tag/v1.20.6
cves:
    - CVE-2023-38976
ghsas:
    - GHSA-8697-479h-5mfp
references:
    - advisory: https://github.com/weaviate/weaviate/security/advisories/GHSA-8697-479h-5mfp
    - web: https://nvd.nist.gov/vuln/detail/CVE-2023-38976
    - report: https://github.com/weaviate/weaviate/issues/3258
    - fix: https://github.com/weaviate/weaviate/pull/3431
    - fix: https://github.com/weaviate/weaviate/commit/2a7b208d9aca07e28969e3be82689c184ccf9118
    - web: https://github.com/weaviate/weaviate/releases/tag/v1.18.6
    - web: https://github.com/weaviate/weaviate/releases/tag/v1.19.13
    - web: https://github.com/weaviate/weaviate/releases/tag/v1.20.6
    - advisory: https://github.com/advisories/GHSA-8697-479h-5mfp
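The three `versions:` entries in the report above are half-open intervals [introduced, fixed), the convention the Go vulnerability database shares with OSV; an entry with no `introduced` covers every version before `fixed`. The program below is an added example, not code from x/vulndb or from the Weaviate project: it transcribes the ranges from this report and evaluates candidate versions against them with a small semver comparison written for the example. `weaviateRanges`, `parseSemver`, `compare` and `isVulnerable` are names chosen here, and pre-release identifiers are compared as plain strings, which is a simplification of the full semver precedence rules.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// versionRange mirrors one entry under "versions:" in the report: the
// affected interval is [introduced, fixed). An empty introduced means every
// version before fixed is affected (the 1.18.6 entry above).
type versionRange struct {
	introduced string
	fixed      string
}

// weaviateRanges is transcribed from the three modules entries above.
var weaviateRanges = []versionRange{
	{introduced: "", fixed: "1.18.6"},
	{introduced: "1.19.0", fixed: "1.19.13"},
	{introduced: "1.20.0", fixed: "1.20.6"},
}

type semver struct {
	major, minor, patch int
	pre                 string // pre-release identifier, "" for a release
}

// parseSemver accepts "1.19.12", "v1.19.12" and "v1.19.13-rc.1"; build
// metadata after "+" is ignored, as semver requires.
func parseSemver(s string) (semver, error) {
	s = strings.TrimPrefix(s, "v")
	if i := strings.IndexByte(s, '+'); i >= 0 {
		s = s[:i]
	}
	var v semver
	if i := strings.IndexByte(s, '-'); i >= 0 {
		v.pre = s[i+1:]
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return semver{}, fmt.Errorf("bad version %q: want MAJOR.MINOR.PATCH", s)
	}
	var nums [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return semver{}, fmt.Errorf("bad version %q: component %q", s, p)
		}
		nums[i] = n
	}
	v.major, v.minor, v.patch = nums[0], nums[1], nums[2]
	return v, nil
}

// compare returns -1, 0 or 1. A release sorts after any pre-release of the
// same core version (1.19.13-rc.1 < 1.19.13). Two pre-release strings are
// compared as plain strings, a simplification made for this example.
func compare(a, b semver) int {
	for _, d := range [][2]int{{a.major, b.major}, {a.minor, b.minor}, {a.patch, b.patch}} {
		if d[0] != d[1] {
			if d[0] < d[1] {
				return -1
			}
			return 1
		}
	}
	switch {
	case a.pre == b.pre:
		return 0
	case a.pre == "":
		return 1
	case b.pre == "":
		return -1
	case a.pre < b.pre:
		return -1
	default:
		return 1
	}
}

// isVulnerable reports whether version lies in any [introduced, fixed) range.
func isVulnerable(version string, ranges []versionRange) (bool, error) {
	v, err := parseSemver(version)
	if err != nil {
		return false, err
	}
	for _, r := range ranges {
		if r.introduced != "" {
			lo, err := parseSemver(r.introduced)
			if err != nil {
				return false, err
			}
			if compare(v, lo) < 0 {
				continue
			}
		}
		hi, err := parseSemver(r.fixed)
		if err != nil {
			return false, err
		}
		if compare(v, hi) < 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// Candidate versions constructed for the example, including the exact
	// fixed versions and a pre-release of a fixed version.
	for _, v := range []string{"1.18.5", "1.18.6", "1.19.12", "1.19.13-rc.1", "1.19.13", "1.20.5", "1.20.6", "v1.21.0"} {
		vuln, err := isVulnerable(v, weaviateRanges)
		if err != nil {
			fmt.Println(v, "error:", err)
			continue
		}
		fmt.Printf("%-14s vulnerable=%v\n", v, vuln)
	}
}
```

Two outcomes are worth checking by hand: 1.18.6, 1.19.13 and 1.20.6 come out unaffected because `fixed` is exclusive, and 1.19.13-rc.1 still comes out affected because a pre-release sorts before its release, which is also how the Go module system orders versions. In practice you would not reimplement this; running govulncheck over a module that depends on github.com/weaviate/weaviate applies the same ranges from the published database entry.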
gopherbot commented 10 months ago

Change https://go.dev/cl/539275 mentions this issue: data/reports: add GO-2023-2017.yaml