CVE-2022-35980 – org.opensearch.plugin:opensearch-security
Package
Manager: maven
Name: org.opensearch.plugin:opensearch-security
Vulnerable Version: >=2.0.0.0 <2.2.0.0
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00338 (percentile 0.55895)
Details
OpenSearch vulnerable to Improper Authorization of Index Containing Sensitive Information

### Impact
Requests to an OpenSearch cluster configured with advanced access control features ([document level security (DLS)](https://opensearch.org/docs/latest/security-plugin/access-control/document-level-security/), [field level security (FLS)](https://opensearch.org/docs/latest/security-plugin/access-control/field-level-security/), and/or [field masking](https://opensearch.org/docs/latest/security-plugin/access-control/field-masking/)) will not be filtered when the query's search pattern matches an aliased index. OpenSearch Dashboards creates an alias to `.kibana` by default, so DLS/FLS/masking filters attached to a role with the index pattern `*` will not be applied to requests that resolve through that alias. As a result, requests can read documents or fields that customers had explicitly acted to restrict.

### Patches
OpenSearch 2.2.0+ contains the fix for this issue. OpenSearch Security Plugin 2.2.0.0 is compatible with OpenSearch 2.2.0.

### Workarounds
There is no recommended workaround.

### References
See pull request #1999 for additional details.

### For more information
If you have any questions or comments about this advisory, we ask that you contact AWS/Amazon Security via our [vulnerability reporting page](http://aws.amazon.com/security/vulnerability-reporting/) or directly via email to aws-security@amazon.com. Please do **not** create a public GitHub issue.
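The advisory describes the exposure in terms of three facts a defender can check offline: the installed plugin version falls in the affected range, a role applies DLS, FLS or field masking through an index pattern, and that pattern matches the name of an alias (`.kibana` by default). The script below is an added example, not code from the advisory or from the OpenSearch project; it combines those checks into an audit. It assumes role definitions in the security plugin's `roles.yml` layout (`index_permissions` with `index_patterns`, `dls`, `fls`, `masked_fields`), alias data in the shape of a `GET _alias` response, and shell-style wildcards in index patterns (the plugin also accepts `/regex/` patterns, which this helper does not interpret). The role and alias data embedded below are constructed for illustration.

```python
"""Audit helper for CVE-2022-35980 exposure.

Added example, not part of the advisory or of the OpenSearch project.
Assumptions (labelled here because the advisory does not state them):
  * Roles follow the security plugin's roles.yml layout
    (index_permissions -> index_patterns / dls / fls / masked_fields).
  * Alias data follows the shape of a `GET _alias` response body:
    {"<index>": {"aliases": {"<alias>": {...}}}}.
  * Index patterns use shell-style wildcards only (no /regex/ patterns).
  * SAMPLE_ROLES and SAMPLE_ALIASES below are constructed sample data.
"""
from fnmatch import fnmatchcase

VULN_LO = (2, 0, 0, 0)  # first affected plugin version (inclusive)
VULN_HI = (2, 2, 0, 0)  # first fixed plugin version (exclusive)


def parse_version(version: str) -> tuple:
    """Turn a dotted plugin version such as '2.1.0.0' into a comparable tuple."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {version!r}")
    nums = tuple(int(p) for p in parts)
    # Pad short forms like '2.1' so they compare against four-part versions.
    return nums + (0,) * (4 - len(nums))


def plugin_version_vulnerable(version: str) -> bool:
    """True when the security plugin version is >=2.0.0.0 and <2.2.0.0."""
    return VULN_LO <= parse_version(version) < VULN_HI


def aliases_from_response(alias_response: dict) -> dict:
    """Map alias name -> sorted list of backing indices from a GET _alias body."""
    out = {}
    for index, body in alias_response.items():
        for alias in body.get("aliases", {}):
            out.setdefault(alias, []).append(index)
    return {alias: sorted(indices) for alias, indices in out.items()}


def has_filtering(perm: dict) -> bool:
    """An index permission only matters here if it carries DLS, FLS or masking."""
    return bool(perm.get("dls") or perm.get("fls") or perm.get("masked_fields"))


def find_alias_exposures(roles: dict, alias_response: dict) -> list:
    """Return (role, pattern, alias, backing_indices) for every filtered index
    permission whose pattern matches an alias name: the case in which the
    affected versions skip the DLS/FLS/masking filters."""
    aliases = aliases_from_response(alias_response)
    findings = []
    for role_name, role in roles.items():
        for perm in role.get("index_permissions", []):
            if not has_filtering(perm):
                continue
            for pattern in perm.get("index_patterns", []):
                for alias, backing in aliases.items():
                    if fnmatchcase(alias, pattern):
                        findings.append((role_name, pattern, alias, tuple(backing)))
    return findings


def audit(plugin_version: str, roles: dict, alias_response: dict) -> list:
    """Version gate first: a patched plugin yields no findings regardless of config."""
    if not plugin_version_vulnerable(plugin_version):
        return []
    return find_alias_exposures(roles, alias_response)


# Constructed sample data: one role filters everything via '*', one does not.
SAMPLE_ROLES = {
    "sales_reader": {
        "index_permissions": [
            {
                "index_patterns": ["*"],
                "dls": '{"term": {"department": "sales"}}',
                "fls": ["~ssn"],
                "allowed_actions": ["read"],
            }
        ]
    },
    "logs_reader": {
        "index_permissions": [
            {"index_patterns": ["logs-*"], "allowed_actions": ["read"]}
        ]
    },
}

SAMPLE_ALIASES = {
    ".kibana_1": {"aliases": {".kibana": {}}},        # Dashboards' default alias
    "customers-2022": {"aliases": {"customers": {}}},
    "logs-2022.08": {"aliases": {}},
}

if __name__ == "__main__":
    for role, pattern, alias, backing in audit("2.1.0.0", SAMPLE_ROLES, SAMPLE_ALIASES):
        print(f"{role}: pattern {pattern!r} reaches alias {alias!r} -> {backing}")
```

Running it against a live cluster means feeding `audit()` the plugin version from `GET _cat/plugins`, the roles from `GET _plugins/_security/api/roles`, and the body of `GET _alias`; any finding on a 2.0.x or 2.1.x plugin is a role whose filters the advisory says will not be applied, and the only remediation the advisory offers is upgrading to 2.2.0.0.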
Metadata
Created: 2022-08-12T17:31:58Z
Modified: 2022-08-12T17:50:17Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/08/GHSA-f4qr-f4xx-hjxw/GHSA-f4qr-f4xx-hjxw.json
CWE IDs: ["CWE-612"]
Alternative ID: GHSA-f4qr-f4xx-hjxw
Finding: F086
Auto approve: 1