Weaviate OSS Shard Movement API Path Traversal Vulnerability Allowing Arbitrary File Read

Vulnerability

A path traversal vulnerability has been identified in Weaviate OSS versions prior to 1.33.4, specifically within the Shard Movement API. This vulnerability arises from inadequate validation of the fileName parameter in the transfer logic. An attacker who can invoke the GetFile method while a shard is in the 'Pause file activity' state, and with access to the FileReplicationService, can exploit this flaw to read arbitrary files accessible to the service process. The vulnerability requires that the Shard Movement API is enabled and that shards are paused, allowing for exploitation by manipulating the fileName parameter to traverse directories and access restricted files.
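The root cause the advisory names is a fileName that is joined onto the shard directory without confining the result to that directory. The following Go function is an added example of the missing check, written here for illustration and not taken from Weaviate's code base; the function name ResolveShardFile, the shard directory path and the sample file names are all assumptions. It rejects absolute paths and any name whose cleaned form escapes the base directory, which is the class of input the advisory describes.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideShardDir is returned for any name that would resolve outside the
// shard directory, whether via ".." segments or an absolute path.
var ErrOutsideShardDir = errors.New("requested file resolves outside the shard directory")

// ResolveShardFile (hypothetical helper, not Weaviate's API) maps an untrusted
// fileName onto a path that is guaranteed to sit inside shardDir.
func ResolveShardFile(shardDir, fileName string) (string, error) {
	if fileName == "" {
		return "", errors.New("empty file name")
	}
	// A legitimate transfer request names a file relative to the shard
	// directory; an absolute path is never valid and is refused outright.
	if filepath.IsAbs(fileName) {
		return "", ErrOutsideShardDir
	}
	base, err := filepath.Abs(shardDir)
	if err != nil {
		return "", err
	}
	// Join cleans the result, so "a/../../b" collapses before the check below.
	full := filepath.Join(base, fileName)
	rel, err := filepath.Rel(base, full)
	if err != nil {
		return "", err
	}
	// After cleaning, anything still outside base starts with ".." (or is
	// exactly ".."); "." means the caller asked for the directory itself.
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideShardDir
	}
	return full, nil
}

func main() {
	// Constructed sample inputs: one benign name and several escape attempts.
	shardDir := "/data/weaviate/shard-a" // assumed location, not a real Weaviate path
	for _, name := range []string{
		"segment-1.db",
		"sub/../segment-1.db",
		"../../etc/hostname",
		"/etc/hostname",
		"",
	} {
		p, err := ResolveShardFile(shardDir, name)
		if err != nil {
			fmt.Printf("%-24q rejected: %v\n", name, err)
			continue
		}
		fmt.Printf("%-24q allowed -> %s\n", name, p)
	}
}
```

The check works on the lexical path only. A deployment that also allows symlinks inside the shard directory needs a second check on the resolved target (for example filepath.EvalSymlinks after the file is known to exist), and disabling the API via REPLICA_MOVEMENT_ENABLED, as the remediation section describes, removes the code path entirely.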

Impact

Exploitation of this vulnerability could lead to unauthorized reading of sensitive files within Weaviate's privilege scope, potentially exposing confidential information or application data.

Reproduction

To reproduce this vulnerability, first ensure that a Weaviate instance is running a version prior to 1.33.4 and that the Shard Movement API is enabled. Pause file activity on a shard, then call the GetFile method with a crafted fileName parameter that includes parent-directory traversal sequences or absolute paths. This will bypass the intended directory restrictions and allow access to arbitrary files within the service process's privilege scope.

Remediation

Users can update Weaviate to version 1.33.4 or later to address this vulnerability. If an immediate update is not possible, the Shard Movement API can be disabled by setting the 'REPLICA_MOVEMENT_ENABLED' flag to false.

Added: Dec 12, 2025, 5:17 PM
Updated: Dec 12, 2025, 8:26 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 2.5
exploitability: 5.8
remediation: 8.3
relevance: 1.4
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.