PyPi: Milvus

CVE-2023-28432

Transitive

Safety vulnerability ID: 58975

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Mar 22, 2023 Updated at Nov 29, 2024

Advisory

Milvus 2.2.6 (the lightweight version of Milvus) includes a binary of Milvus version 2.2.5, which includes a security fix.
https://github.com/milvus-io/milvus-lite/commit/4aa88881e44c91b6e1c5e89f3a88e61c80054eff
https://github.com/milvus-io/milvus/issues/22980

Affected package

milvus

Latest version: 2.3.9

Embedded Milvus

Affected versions

Fixed versions

Vulnerability changelog

Milvus 2.2.9 has added JSON support, allowing for more flexible schemas within collections through dynamic schemas. The search efficiency has been improved through partition keys, which enable data separation for different data categories, such as multiple users, in a single collection. Additionally, database support has been integrated into Role-Based Access Control (RBAC), further fortifying multi-tenancy management and security. Support has also been extended to Alibaba Cloud OSS, and connection management has been refined, resulting in an improved user experience.

As always, this release includes bug fixes, enhancements, and performance improvements. Notably, disk usage has been significantly reduced, and performance has been improved, particularly for filtered searches.

We hope you enjoy the latest release!

New Features

- JSON support
  - Introduced JSON data type ([#23839](https://github.com/milvus-io/milvus/pull/23839)).
  - Added support for expressions with JSON fields ([#23804](https://github.com/milvus-io/milvus/pull/23804), [#24016](https://github.com/milvus-io/milvus/pull/24016)).
  - Enabled JSON support for bulk insert operations ([#24227](https://github.com/milvus-io/milvus/pull/24227)).
  - Enhanced performance of filters using JSON fields ([#24268](https://github.com/milvus-io/milvus/pull/24268), [#24282](https://github.com/milvus-io/milvus/pull/24282)).

- Dynamic schema
  - Added dynamic schema support ([#24062](https://github.com/milvus-io/milvus/pull/24062), [#24176](https://github.com/milvus-io/milvus/pull/24176), [#24205](https://github.com/milvus-io/milvus/pull/24205), [#24099](https://github.com/milvus-io/milvus/pull/24099)).
  - Enabled dynamic fields in bulk insert operations ([#24265](https://github.com/milvus-io/milvus/pull/24265)).

- Partition key
  - Introduced partition key ([#23994](https://github.com/milvus-io/milvus/pull/23994)).
  - Added support for imports when partition key is enabled and backup is present ([#24454](https://github.com/milvus-io/milvus/pull/24454)).
  - Added unit tests for partition key ([#24167](https://github.com/milvus-io/milvus/pull/24167)).
  - Resolved issue with bulk insert not supporting partition key ([#24328](https://github.com/milvus-io/milvus/pull/24328)).

- Database support in RBAC
  - Added database support in Role-Based Access Control (RBAC) ([#23742](https://github.com/milvus-io/milvus/pull/23742)).
  - Resolved non-existent database error for FlushAll function ([#24222](https://github.com/milvus-io/milvus/pull/24222)).
  - Implemented default database value for RBAC requests ([#24307](https://github.com/milvus-io/milvus/pull/24307)).
  - Ensured backward compatibility with empty database name ([#24317](https://github.com/milvus-io/milvus/pull/24317)).

- Connection management
  - Implemented the connect API to manage connections ([#24224](https://github.com/milvus-io/milvus/pull/24224)) ([#24293](https://github.com/milvus-io/milvus/pull/24293))
  - Implemented checks if a database exists when Connect was called ([#24399](https://github.com/milvus-io/milvus/pull/24399))

- Alibaba Cloud OSS support
  - Added support for Aliyun OSS in chunk manager ([#22663](https://github.com/milvus-io/milvus/pull/22663), [#22842](https://github.com/milvus-io/milvus/pull/22842), [#23956](https://github.com/milvus-io/milvus/pull/23956)).
  - Enabled Alibaba Cloud OSS as object storage using access key (AK) or Identity and Access Management (IAM) ([#23949](https://github.com/milvus-io/milvus/pull/23949)).

- Additional features
  - Implemented AutoIndex ([#24387](https://github.com/milvus-io/milvus/pull/24387), [#24443](https://github.com/milvus-io/milvus/pull/24443)).
  - Added configurable policy for query node and user-level schedule policy ([#23718](https://github.com/milvus-io/milvus/pull/23718)).
  - Implemented rate limit based on growing segment size ([#24157](https://github.com/milvus-io/milvus/pull/24157)).
  - Added support for single quotes within string expressions ([#24386](https://github.com/milvus-io/milvus/pull/24386), [#24406](https://github.com/milvus-io/milvus/pull/24406)).

Bug fixes

- Added temporary disk data cleaning upon the start of Milvus ([#24400](https://github.com/milvus-io/milvus/pull/24400)).
- Fixed crash issue of bulk insert caused by an invalid Numpy array file ([#24480](https://github.com/milvus-io/milvus/pull/24480)).
- Fixed an empty result set type for Int8~Int32 ([#23851](https://github.com/milvus-io/milvus/pull/23851)).
- Fixed the panic that occurs while balancing releasing a collection ([#24003](https://github.com/milvus-io/milvus/pull/24003)) ([#24070](https://github.com/milvus-io/milvus/pull/24070)).
- Fixed an error that occurs when a role removes a user that has already been deleted ([#24049](https://github.com/milvus-io/milvus/pull/24049)).
- Fixed an issue where session stop/goingStop becomes stuck after a lost connection ([#23771](https://github.com/milvus-io/milvus/pull/23771)).
- Fixed the panic caused by incorrect logic of getting unindexed segments ([#24061](https://github.com/milvus-io/milvus/pull/24061)).
- Fixed the panic that occurs when a collection does not exist in quota effect ([#24321](https://github.com/milvus-io/milvus/pull/24321)).
- Fixed an issue where refresh may be notified as finished early ([#24438](https://github.com/milvus-io/milvus/pull/24438)) ([#24466](https://github.com/milvus-io/milvus/pull/24466)).

Enhancement

- Added an error response to return when an unimplemented request is received ([#24546](https://github.com/milvus-io/milvus/pull/24546))
- Reduced disk usage for Milvus Lite and Standalone:
  - Refine RocksDB option ([#24394](https://github.com/milvus-io/milvus/pull/24394))
  - Fix RocksMQ retention not triggering at DataCoord timetick channel ([#24134](https://github.com/milvus-io/milvus/pull/24134))
- Optimized quota to avoid OOM on search
- Added consistency_level in search/query request ([#24541](https://github.com/milvus-io/milvus/pull/24541))
- (pr24562) Supported search with default parameters ([#24516](https://github.com/milvus-io/milvus/pull/24516))
- Put DataNode load statslog lazy if SkipBFStatsLog is true ([#23779](https://github.com/milvus-io/milvus/pull/23779))
- Put QueryNode lazy load statslog if SkipBFLoad is true ([#23904](https://github.com/milvus-io/milvus/pull/23904))
- Fixed concurrent map read/write in rate limiter ([#23957](https://github.com/milvus-io/milvus/pull/23957))
- Improved load/release performance:
  - Implemented more frequent CollectionObserver checks to trigger during load procedure ([#23925](https://github.com/milvus-io/milvus/pull/23925))
  - Implemented checks to trigger while waiting for collection/partition to be released ([#24535](https://github.com/milvus-io/milvus/pull/24535))
- Optimized PrivilegeAll permission check ([#23972](https://github.com/milvus-io/milvus/pull/23972))
- Fixed the "not shard leader" error when gracefully stopping ([#24038](https://github.com/milvus-io/milvus/pull/24038))
- Checked the overflow for inserted integer ([#24142](https://github.com/milvus-io/milvus/pull/24142)) ([#24172](https://github.com/milvus-io/milvus/pull/24172))
- Lowered the task merge cap to mitigate an insufficient memory error ([#24233](https://github.com/milvus-io/milvus/pull/24233))
- Removed constraint that prevents creating an index after load ([#24415](https://github.com/milvus-io/milvus/pull/24415))
- Removed index check to trigger compaction ([#23657](https://github.com/milvus-io/milvus/pull/23657)) ([#23688](https://github.com/milvus-io/milvus/pull/23688))

Performance improvements

- [Enhancement]: Optimize the search performance with high filtering ratio ([#23948](https://github.com/milvus-io/milvus/pull/23948)).
- Added SIMD support for several filtering expressions ([#23715](https://github.com/milvus-io/milvus/pull/23715), [#23781](https://github.com/milvus-io/milvus/pull/23781)).
- Reduced data copying during insertion into growing segments ([#24492](https://github.com/milvus-io/milvus/pull/24492)).

v2.2-testing-20230601
Image: milvusdb/weekly-build:master-20230601-93ea9c49

v2.2-testing-20230529
Image: milvusdb/weekly-build:master-20230529-d8ad09b7

v2.2-testing-20230525
Image: milvusdb/weekly-build:master-20230525-99b7a688

v2.2-testing-20230522
Image: milvusdb/weekly-build:master-20230522-675821c7

v2.2-testing-20230518
Image: milvusdb/weekly-build:master-20230518-7744573d

v2.2-testing-20230515
Image: milvusdb/weekly-build:master-20230515-836b862d

v2.2-testing-20230511
Image: milvusdb/weekly-build:master-20230511-2a6a7a51

v2.2-testing-20230508
Image: milvusdb/weekly-build:master-20230508-ed81eaa9

v2.2-testing-20230504
Image: milvusdb/weekly-build:master-20230504-905ab879


Severity Details

CVSS Base Score

HIGH 7.5

CVSS v3 Details

HIGH 7.5
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality Impact (C): HIGH
Integrity Impact (I): NONE
Availability Impact (A): NONE