GHSA-rrmm-wq7q-h4v5 – org.opensearch.plugin:opensearch-security

Package

Manager: maven
Name: org.opensearch.plugin:opensearch-security
Vulnerable Version: >=0 <2.19.3.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: N/A pctlN/A

Details

OpenSearch unauthorized data access on fields protected by field masking for fields of type ip, geo_point, geo_shape, xy_point, xy_shape ### Impact OpenSearch versions 2.19.2 and earlier improperly apply field masking rules on fields of the types `ip`, `geo_point`, `geo_shape`, `xy_point`, `xy_shape`. While the content of these fields is properly redacted in the `_source` document returned by search operations, the original unredacted values remain available to search queries. This allows to reconstruct the original field contents using range queries. Additionally, the content of fields of type `geo_point`, `geo_shape`, `xy_point`, `xy_shape` is returned in an unredacted form if requested via the `fields` option of the search API. ### Patches The issue has been resolved in OpenSearch 3.0.0 and OpenSearch 2.19.3. ### Workarounds If you cannot upgrade immediately, you can avoid the problem by using field level security (FLS) protection on fields of the affected types instead of field masking.

Metadata

Created: 2025-08-01T18:15:00Z
Modified: 2025-08-01T18:15:01Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-rrmm-wq7q-h4v5/GHSA-rrmm-wq7q-h4v5.json
CWE IDs: ["CWE-200"]
Alternative ID: N/A
Finding: F038
Auto approve: 1