Vulnerabilites related to opensearch-project - security
CVE-2022-35980 (GCVE-0-2022-35980)
Vulnerability from cvelistv5
Published
2022-08-12 17:40
Modified
2025-04-23 17:51
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-612 - Improper Authorization of Index Containing Sensitive Information
Summary
OpenSearch Security is a plugin for OpenSearch that offers encryption, authentication and authorization. Versions 2.0.0.0 and 2.1.0.0 of the security plugin are affected by an information disclosure vulnerability. Requests to an OpenSearch cluster configured with advanced access control features document level security (DLS), field level security (FLS), and/or field masking will not be filtered when the query's search pattern matches an aliased index. OpenSearch Dashboards creates an alias to `.kibana` by default, so filters with the index pattern of `*` to restrict access to documents or fields will not be applied. This issue allows requests to access sensitive information when customer have acted to restrict access that specific information. OpenSearch 2.2.0, which is compatible with OpenSearch Security 2.2.0.0, contains the fix for this issue. There is no recommended work around.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| opensearch-project | security |
Version: >= 2.0.0.0, <= 2.1.0.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T09:51:59.809Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/opensearch-project/security/security/advisories/GHSA-f4qr-f4xx-hjxw"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/opensearch-project/security/pull/1999"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/opensearch-project/security/commit/7eaaafec2939d7db23a02ffca9cc68e0343de246"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-35980",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T15:52:19.692125Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T17:51:02.584Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "security",
"vendor": "opensearch-project",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.0.0.0, \u003c= 2.1.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenSearch Security is a plugin for OpenSearch that offers encryption, authentication and authorization. Versions 2.0.0.0 and 2.1.0.0 of the security plugin are affected by an information disclosure vulnerability. Requests to an OpenSearch cluster configured with advanced access control features document level security (DLS), field level security (FLS), and/or field masking will not be filtered when the query\u0027s search pattern matches an aliased index. OpenSearch Dashboards creates an alias to `.kibana` by default, so filters with the index pattern of `*` to restrict access to documents or fields will not be applied. This issue allows requests to access sensitive information when customer have acted to restrict access that specific information. OpenSearch 2.2.0, which is compatible with OpenSearch Security 2.2.0.0, contains the fix for this issue. There is no recommended work around."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-612",
"description": "CWE-612: Improper Authorization of Index Containing Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-12T17:40:09.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/opensearch-project/security/security/advisories/GHSA-f4qr-f4xx-hjxw"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opensearch-project/security/pull/1999"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opensearch-project/security/commit/7eaaafec2939d7db23a02ffca9cc68e0343de246"
}
],
"source": {
"advisory": "GHSA-f4qr-f4xx-hjxw",
"discovery": "UNKNOWN"
},
"title": "OpenSearch vulnerable to Improper Authorization of Index Containing Sensitive Information",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-35980",
"STATE": "PUBLIC",
"TITLE": "OpenSearch vulnerable to Improper Authorization of Index Containing Sensitive Information"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "security",
"version": {
"version_data": [
{
"version_value": "\u003e= 2.0.0.0, \u003c= 2.1.0.0"
}
]
}
}
]
},
"vendor_name": "opensearch-project"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "OpenSearch Security is a plugin for OpenSearch that offers encryption, authentication and authorization. Versions 2.0.0.0 and 2.1.0.0 of the security plugin are affected by an information disclosure vulnerability. Requests to an OpenSearch cluster configured with advanced access control features document level security (DLS), field level security (FLS), and/or field masking will not be filtered when the query\u0027s search pattern matches an aliased index. OpenSearch Dashboards creates an alias to `.kibana` by default, so filters with the index pattern of `*` to restrict access to documents or fields will not be applied. This issue allows requests to access sensitive information when customer have acted to restrict access that specific information. OpenSearch 2.2.0, which is compatible with OpenSearch Security 2.2.0.0, contains the fix for this issue. There is no recommended work around."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-612: Improper Authorization of Index Containing Sensitive Information"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/opensearch-project/security/security/advisories/GHSA-f4qr-f4xx-hjxw",
"refsource": "CONFIRM",
"url": "https://github.com/opensearch-project/security/security/advisories/GHSA-f4qr-f4xx-hjxw"
},
{
"name": "https://github.com/opensearch-project/security/pull/1999",
"refsource": "MISC",
"url": "https://github.com/opensearch-project/security/pull/1999"
},
{
"name": "https://github.com/opensearch-project/security/commit/7eaaafec2939d7db23a02ffca9cc68e0343de246",
"refsource": "MISC",
"url": "https://github.com/opensearch-project/security/commit/7eaaafec2939d7db23a02ffca9cc68e0343de246"
}
]
},
"source": {
"advisory": "GHSA-f4qr-f4xx-hjxw",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-35980",
"datePublished": "2022-08-12T17:40:09.000Z",
"dateReserved": "2022-07-15T00:00:00.000Z",
"dateUpdated": "2025-04-23T17:51:02.584Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-31141 (GCVE-0-2023-31141)
Vulnerability from cvelistv5
Published
2023-05-08 20:33
Modified
2025-01-29 14:54
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-863 - Incorrect Authorization
Summary
OpenSearch is open-source software suite for search, analytics, and observability applications. Prior to versions 1.3.10 and 2.7.0, there is an issue with the implementation of fine-grained access control rules (document-level security, field-level security and field masking) where they are not correctly applied to the queries during extremely rare race conditions potentially leading to incorrect access authorization. For this issue to be triggered, two concurrent requests need to land on the same instance exactly when query cache eviction happens, once every four hours. OpenSearch 1.3.10 and 2.7.0 contain a fix for this issue.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| opensearch-project | security |
Version: >= 1.0.0, < 1.3.10 Version: >= 2.0.0, < 2.7.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:45:25.774Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/opensearch-project/security/security/advisories/GHSA-g8xc-6mf7-h28h",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/opensearch-project/security/security/advisories/GHSA-g8xc-6mf7-h28h"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-31141",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-29T14:54:15.080834Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-29T14:54:25.850Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "security",
"vendor": "opensearch-project",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.0.0, \u003c 1.3.10"
},
{
"status": "affected",
"version": "\u003e= 2.0.0, \u003c 2.7.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenSearch is open-source software suite for search, analytics, and observability applications. Prior to versions 1.3.10 and 2.7.0, there is an issue with the implementation of fine-grained access control rules (document-level security, field-level security and field masking) where they are not correctly applied to the queries during extremely rare race conditions potentially leading to incorrect access authorization. For this issue to be triggered, two concurrent requests need to land on the same instance exactly when query cache eviction happens, once every four hours. OpenSearch 1.3.10 and 2.7.0 contain a fix for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-08T20:33:58.601Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/opensearch-project/security/security/advisories/GHSA-g8xc-6mf7-h28h",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/opensearch-project/security/security/advisories/GHSA-g8xc-6mf7-h28h"
}
],
"source": {
"advisory": "GHSA-g8xc-6mf7-h28h",
"discovery": "UNKNOWN"
},
"title": "OpenSearch issue with fine-grained access control during extremely rare race conditions"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-31141",
"datePublished": "2023-05-08T20:33:58.601Z",
"dateReserved": "2023-04-24T21:44:10.417Z",
"dateUpdated": "2025-01-29T14:54:25.850Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-41918 (GCVE-0-2022-41918)
Vulnerability from cvelistv5
Published
2022-11-15 00:00
Modified
2025-04-23 16:37
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
OpenSearch is a community-driven, open source fork of Elasticsearch and Kibana. There is an issue with the implementation of fine-grained access control rules (document-level security, field-level security and field masking) where they are not correctly applied to the indices that back data streams potentially leading to incorrect access authorization. OpenSearch 1.3.7 and 2.4.0 contain a fix for this issue. Users are advised to update. There are no known workarounds for this issue.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| opensearch-project | security |
Version: <1.3.7 Version: >= 2.0.0, < 2.4.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:56:38.553Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/opensearch-project/security/security/advisories/GHSA-wmx7-x4jp-9jgg"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/opensearch-project/security/commit/f7cc569c9d3fa5d5432c76c854eed280d45ce6f4"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-41918",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T13:54:27.350734Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T16:37:15.154Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "security",
"vendor": "opensearch-project",
"versions": [
{
"status": "affected",
"version": "\u003c1.3.7"
},
{
"status": "affected",
"version": "\u003e= 2.0.0, \u003c 2.4.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenSearch is a community-driven, open source fork of Elasticsearch and Kibana. There is an issue with the implementation of fine-grained access control rules (document-level security, field-level security and field masking) where they are not correctly applied to the indices that back data streams potentially leading to incorrect access authorization. OpenSearch 1.3.7 and 2.4.0 contain a fix for this issue. Users are advised to update. There are no known workarounds for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-612",
"description": "CWE-612: Improper Authorization of Index Containing Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-15T00:00:00.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://github.com/opensearch-project/security/security/advisories/GHSA-wmx7-x4jp-9jgg"
},
{
"url": "https://github.com/opensearch-project/security/commit/f7cc569c9d3fa5d5432c76c854eed280d45ce6f4"
}
],
"source": {
"advisory": "GHSA-wmx7-x4jp-9jgg",
"discovery": "UNKNOWN"
},
"title": "Issue with fine-grained access control of indices backing data streams"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-41918",
"datePublished": "2022-11-15T00:00:00.000Z",
"dateReserved": "2022-09-30T00:00:00.000Z",
"dateUpdated": "2025-04-23T16:37:15.154Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-45807 (GCVE-0-2023-45807)
Vulnerability from cvelistv5
Published
2023-10-16 21:33
Modified
2024-09-13 18:59
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-281 - Improper Preservation of Permissions
Summary
OpenSearch is a community-driven, open source fork of Elasticsearch and Kibana following the license change in early 2021. There is an issue with the implementation of tenant permissions in OpenSearch Dashboards where authenticated users with read-only access to a tenant can perform create, edit and delete operations on index metadata of dashboards and visualizations in that tenant, potentially rendering them unavailable. This issue does not affect index data, only metadata. Dashboards correctly enforces read-only permissions when indexing and updating documents. This issue does not provide additional read access to data users don’t already have. This issue can be mitigated by disabling the tenants functionality for the cluster. Versions 1.3.14 and 2.11.0 contain a fix for this issue.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| opensearch-project | security |
Version: < 1.3.14.0 Version: >= 2.0.0.0, < 2.11.0.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:29:32.330Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/opensearch-project/security/security/advisories/GHSA-72q2-gwwf-6hrv",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/opensearch-project/security/security/advisories/GHSA-72q2-gwwf-6hrv"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-45807",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-13T18:58:24.627153Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-13T18:59:11.668Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "security",
"vendor": "opensearch-project",
"versions": [
{
"status": "affected",
"version": "\u003c 1.3.14.0"
},
{
"status": "affected",
"version": "\u003e= 2.0.0.0, \u003c 2.11.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenSearch is a community-driven, open source fork of Elasticsearch and Kibana following the license change in early 2021. There is an issue with the implementation of tenant permissions in OpenSearch Dashboards where authenticated users with read-only access to a tenant can perform create, edit and delete operations on index metadata of dashboards and visualizations in that tenant, potentially rendering them unavailable. This issue does not affect index data, only metadata. Dashboards correctly enforces read-only permissions when indexing and updating documents. This issue does not provide additional read access to data users don\u2019t already have. This issue can be mitigated by disabling the tenants functionality for the cluster. Versions 1.3.14 and 2.11.0 contain a fix for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-281",
"description": "CWE-281: Improper Preservation of Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-16T21:33:23.124Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/opensearch-project/security/security/advisories/GHSA-72q2-gwwf-6hrv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/opensearch-project/security/security/advisories/GHSA-72q2-gwwf-6hrv"
}
],
"source": {
"advisory": "GHSA-72q2-gwwf-6hrv",
"discovery": "UNKNOWN"
},
"title": "OpenSearch Issue with tenant read-only permissions"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-45807",
"datePublished": "2023-10-16T21:33:23.124Z",
"dateReserved": "2023-10-13T12:00:50.436Z",
"dateUpdated": "2024-09-13T18:59:11.668Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-23612 (GCVE-0-2023-23612)
Vulnerability from cvelistv5
Published
2023-01-24 20:36
Modified
2025-03-10 21:20
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-287 - Improper Authentication
Summary
OpenSearch is an open source distributed and RESTful search engine. OpenSearch uses JWTs to store role claims obtained from the Identity Provider (IdP) when the authentication backend is SAML or OpenID Connect. There is an issue in how those claims are processed from the JWTs where the leading and trailing whitespace is trimmed, allowing users to potentially claim roles they are not assigned to if any role matches the whitespace-stripped version of the roles they are a member of. This issue is only present for authenticated users, and it requires either the existence of roles that match, not considering leading/trailing whitespace, or the ability for users to create said matching roles. In addition, the Identity Provider must allow leading and trailing spaces in role names. OpenSearch 1.0.0-1.3.7 and 2.0.0-2.4.1 are affected. Users are advised to upgrade to OpenSearch 1.3.8 or 2.5.0. There are no known workarounds for this issue.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| opensearch-project | security |
Version: >= 2.0.0, < 2.5.0 Version: < 1.3.8 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:35:33.632Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/opensearch-project/security/security/advisories/GHSA-864v-6qj7-62qj",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/opensearch-project/security/security/advisories/GHSA-864v-6qj7-62qj"
},
{
"name": "https://github.com/opensearch-project/OpenSearch/releases/tag/2.5.0",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/opensearch-project/OpenSearch/releases/tag/2.5.0"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-23612",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-10T20:59:30.990789Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-10T21:20:26.061Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "security",
"vendor": "opensearch-project",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.0.0, \u003c 2.5.0"
},
{
"status": "affected",
"version": "\u003c 1.3.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenSearch is an open source distributed and RESTful search engine. OpenSearch uses JWTs to store role claims obtained from the Identity Provider (IdP) when the authentication backend is SAML or OpenID Connect. There is an issue in how those claims are processed from the JWTs where the leading and trailing whitespace is trimmed, allowing users to potentially claim roles they are not assigned to if any role matches the whitespace-stripped version of the roles they are a member of. This issue is only present for authenticated users, and it requires either the existence of roles that match, not considering leading/trailing whitespace, or the ability for users to create said matching roles. In addition, the Identity Provider must allow leading and trailing spaces in role names. OpenSearch 1.0.0-1.3.7 and 2.0.0-2.4.1 are affected. Users are advised to upgrade to OpenSearch 1.3.8 or 2.5.0. There are no known workarounds for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-24T20:36:41.876Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/opensearch-project/security/security/advisories/GHSA-864v-6qj7-62qj",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/opensearch-project/security/security/advisories/GHSA-864v-6qj7-62qj"
},
{
"name": "https://github.com/opensearch-project/OpenSearch/releases/tag/2.5.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opensearch-project/OpenSearch/releases/tag/2.5.0"
}
],
"source": {
"advisory": "GHSA-864v-6qj7-62qj",
"discovery": "UNKNOWN"
},
"title": "Issue with whitespace in JWT roles in OpenSearch"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-23612",
"datePublished": "2023-01-24T20:36:41.876Z",
"dateReserved": "2023-01-16T17:07:46.242Z",
"dateUpdated": "2025-03-10T21:20:26.061Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-25806 (GCVE-0-2023-25806)
Vulnerability from cvelistv5
Published
2023-03-02 03:04
Modified
2025-03-05 21:28
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-208 - Observable Timing Discrepancy
Summary
OpenSearch Security is a plugin for OpenSearch that offers encryption, authentication and authorization. There is an observable discrepancy in the authentication response time between calls where the user provided exists and calls where it does not. This issue only affects calls using the internal basic identity provider (IdP), and not other externally configured IdPs. Patches were released in versions 1.3.9 and 2.6.0, there are no workarounds.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| opensearch-project | security |
Version: < 1.3.9 Version: >= 2.0.0, < 2.6.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T11:32:12.694Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/opensearch-project/security/security/advisories/GHSA-c6wg-cm5x-rqvj",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/opensearch-project/security/security/advisories/GHSA-c6wg-cm5x-rqvj"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-25806",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-05T21:28:22.405522Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-05T21:28:42.975Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "security",
"vendor": "opensearch-project",
"versions": [
{
"status": "affected",
"version": "\u003c 1.3.9"
},
{
"status": "affected",
"version": "\u003e= 2.0.0, \u003c 2.6.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenSearch Security is a plugin for OpenSearch that offers encryption, authentication and authorization. There is an observable discrepancy in the authentication response time between calls where the user provided exists and calls where it does not. This issue only affects calls using the internal basic identity provider (IdP), and not other externally configured IdPs. Patches were released in versions 1.3.9 and 2.6.0, there are no workarounds."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-208",
"description": "CWE-208: Observable Timing Discrepancy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-02T03:04:26.889Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/opensearch-project/security/security/advisories/GHSA-c6wg-cm5x-rqvj",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/opensearch-project/security/security/advisories/GHSA-c6wg-cm5x-rqvj"
}
],
"source": {
"advisory": "GHSA-c6wg-cm5x-rqvj",
"discovery": "UNKNOWN"
},
"title": "Time discrepancy in authentication responses in OpenSearch"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-25806",
"datePublished": "2023-03-02T03:04:26.889Z",
"dateReserved": "2023-02-15T16:34:48.772Z",
"dateUpdated": "2025-03-05T21:28:42.975Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-23613 (GCVE-0-2023-23613)
Vulnerability from cvelistv5
Published
2023-01-24 20:33
Modified
2025-03-10 21:20
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Summary
OpenSearch is an open source distributed and RESTful search engine. In affected versions there is an issue in the implementation of field-level security (FLS) and field masking where rules written to explicitly exclude fields are not correctly applied for certain queries that rely on their auto-generated .keyword fields. This issue is only present for authenticated users with read access to the indexes containing the restricted fields. This may expose data which may otherwise not be accessible to the user. OpenSearch 1.0.0-1.3.7 and 2.0.0-2.4.1 are affected. Users are advised to upgrade to OpenSearch 1.3.8 or 2.5.0. Users unable to upgrade may write explicit exclusion rules as a workaround. Policies authored in this way are not subject to this issue.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| opensearch-project | security |
Version: >= 2.0.0, < 2.5.0 Version: < 1.3.8 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:35:33.607Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/opensearch-project/security/security/advisories/GHSA-v3cg-7r9h-r2g6",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/opensearch-project/security/security/advisories/GHSA-v3cg-7r9h-r2g6"
},
{
"name": "https://github.com/opensearch-project/OpenSearch/releases/tag/2.5.0",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/opensearch-project/OpenSearch/releases/tag/2.5.0"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-23613",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-10T20:59:33.987118Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-10T21:20:32.391Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "security",
"vendor": "opensearch-project",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.0.0, \u003c 2.5.0"
},
{
"status": "affected",
"version": "\u003c 1.3.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenSearch is an open source distributed and RESTful search engine. In affected versions there is an issue in the implementation of field-level security (FLS) and field masking where rules written to explicitly exclude fields are not correctly applied for certain queries that rely on their auto-generated .keyword fields. This issue is only present for authenticated users with read access to the indexes containing the restricted fields. This may expose data which may otherwise not be accessible to the user. OpenSearch 1.0.0-1.3.7 and 2.0.0-2.4.1 are affected. Users are advised to upgrade to OpenSearch 1.3.8 or 2.5.0. Users unable to upgrade may write explicit exclusion rules as a workaround. Policies authored in this way are not subject to this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-24T20:33:55.673Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/opensearch-project/security/security/advisories/GHSA-v3cg-7r9h-r2g6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/opensearch-project/security/security/advisories/GHSA-v3cg-7r9h-r2g6"
},
{
"name": "https://github.com/opensearch-project/OpenSearch/releases/tag/2.5.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opensearch-project/OpenSearch/releases/tag/2.5.0"
}
],
"source": {
"advisory": "GHSA-v3cg-7r9h-r2g6",
"discovery": "UNKNOWN"
},
"title": "Field-level security issue with .keyword fields in OpenSearch"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-23613",
"datePublished": "2023-01-24T20:33:55.673Z",
"dateReserved": "2023-01-16T17:07:46.242Z",
"dateUpdated": "2025-03-10T21:20:32.391Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}