| id: GO-2023-2017 |
| modules: |
| - module: github.com/weaviate/weaviate |
| versions: |
| - fixed: 1.18.6 |
| - introduced: 1.19.0 |
| fixed: 1.19.13 |
| - introduced: 1.20.0 |
| fixed: 1.20.6 |
| vulnerable_at: 1.20.5 |
| packages: |
| - package: github.com/weaviate/weaviate/adapters/handlers/rest |
| symbols: |
| - handleUnbatchedGraphQLRequest |
| derived_symbols: |
| - Server.ConfigureAPI |
| - Server.Serve |
| - Server.SetAPI |
| summary: Denial of service vulnerability in github.com/weaviate/weaviate |
| description: |- |
| A type conversion issue in Weaviate may allow a remote attack that would cause a |
| denial of service. |
| cves: |
| - CVE-2023-38976 |
| ghsas: |
| - GHSA-8697-479h-5mfp |
| references: |
| - advisory: https://github.com/weaviate/weaviate/security/advisories/GHSA-8697-479h-5mfp |
| - report: https://github.com/weaviate/weaviate/issues/3258 |
| - fix: https://github.com/weaviate/weaviate/pull/3431 |
| - fix: https://github.com/weaviate/weaviate/commit/2a7b208d9aca07e28969e3be82689c184ccf9118 |
| - web: https://github.com/weaviate/weaviate/releases/tag/v1.18.6 |
| - web: https://github.com/weaviate/weaviate/releases/tag/v1.19.13 |
| - web: https://github.com/weaviate/weaviate/releases/tag/v1.20.6 |
| review_status: REVIEWED |