CVE-2023-25806 – org.opensearch.plugin:opensearch-security

Package

Manager: maven
Name: org.opensearch.plugin:opensearch-security
Vulnerable Version: >=0 <1.3.9 || >=2.0.0 <2.6.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00227 pctl0.45365

Details

OpenSearch has time discrepancy in authentication responses ### Impact There is an observable discrepancy in the authentication response time between calls where the user provided exists and calls where it does not. This issue only affects calls using the internal basic identity provider (IdP), and not other externally configured IdPs. ### Patches OpenSearch 1.3.9 and 2.6.0 ### Workarounds None. ### References If you have any questions or comments about this advisory, please contact AWS/Amazon Security using our issue reporting page [1] or directly via email [2]. Please do not create a public GitHub issue. [1] AWS Security issue reporting page: https://aws.amazon.com/security/vulnerability-reporting/ [2] AWS Security email: [aws-security@amazon.com](mailto:aws-security@amazon.com)

Metadata

Created: 2023-03-07T17:38:38Z
Modified: 2023-03-07T17:38:38Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-c6wg-cm5x-rqvj/GHSA-c6wg-cm5x-rqvj.json
CWE IDs: ["CWE-203", "CWE-208"]
Alternative ID: GHSA-c6wg-cm5x-rqvj
Finding: F026
Auto approve: 1