CVE-2022-41917

Source
https://cve.org/CVERecord?id=CVE-2022-41917
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-41917.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-41917
Aliases
  • GHSA-w3rx-m34v-wrqx
Published
2022-11-15T00:00:00Z
Modified
2026-04-12T03:22:13.789466Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
Incorrect Error Handling Allowed Partial File Reads Over REST API in OpenSearch
Details

OpenSearch is a community-driven, open source fork of Elasticsearch and Kibana. OpenSearch allows users to specify a local file when defining text analyzers to process data for text analysis. An error-handling issue in the implementation of this feature allows certain specially crafted queries sent over the REST API to return a response containing the first line of text from arbitrary files. The potentially impacted files are limited to text files for which the Java Security Manager policy configuration grants read permission. Per the CVSS vector listed under Severity, the issue requires low privileges (PR:L) and affects confidentiality only (C:L/I:N/A:N). OpenSearch versions 1.3.7 and 2.4.0 contain a fix for this issue. Users are advised to upgrade. There are no known workarounds for this issue.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/41xxx/CVE-2022-41917.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-200"
    ]
}
References

Affected packages

Git / github.com/opensearch-project/opensearch

Affected ranges

Type
GIT
Repo
https://github.com/opensearch-project/opensearch
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.3.7"
        }
    ]
}
Type
GIT
Repo
https://github.com/opensearch-project/opensearch
Events
Database specific
{
    "versions": [
        {
            "introduced": "2.0.0"
        },
        {
            "fixed": "2.4.0"
        }
    ]
}

Affected versions

1.*
1.0.0-alpha1
1.0.0-alpha2
1.0.0-beta1
1.3.0
1.3.1
1.3.2
1.3.3
1.3.4
1.3.5
1.3.6

Database specific

vanir_signatures_modified
"2026-04-12T03:22:13Z"
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-41917.json"
vanir_signatures
[
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "17048627438651915533651276816066902179",
                "149934693698988820616703394443513603029",
                "146006305977508471690722198244677831683",
                "240788330656112570864437071551249202163",
                "152711017821107095246159710284433270316",
                "31568332359611237168031862415414657238",
                "270757614022594935714794753590482693846",
                "147269456921227182556343515014686265985",
                "28069109890100354480759383087192602283",
                "169803860550469453098135583702200124325",
                "304876052520787136705241555141933591828",
                "26361391883713761824559006177780922007",
                "34615098146099423752585691879625868545",
                "138070543556261093825750031169359055538",
                "39469342667864200491547007218788408392",
                "50187936608899266810208887845122098627",
                "59534714994198773360918658895498455238",
                "23915349231978591387591152578268158566",
                "280377130898672602482385272265613631449",
                "67634621076812657446984530232990775724",
                "177084852865742895149805802473831656081",
                "278606514847167371652359529281480540325",
                "209826223393783303436874919998024456803",
                "133045506598400400252127350349703619132",
                "122345375850081149632681595065651079699",
                "72177723099378191855607625409385513863",
                "33402974758347124635599450191903132369",
                "207937607897238205511138022631175747841",
                "34883721161956316783646418829305407740",
                "194391426585217133077138667830773754965",
                "194081300367898935646450443194943641754",
                "288409596071384630216693843562070203379",
                "216086512715070672518706067905168842212",
                "309673774960644042388859631219576171583",
                "159729888933527805760530388845727047285",
                "325009052105012417984003912243220128637",
                "314779181712407588552528523415963479862",
                "274923833791052264272509837526384913643",
                "8815297127135672680576973535293465689",
                "132761030311568202745053924792387187089",
                "202195023701641583966594578788921008128",
                "61531972601589059403337303544233949482",
                "102592365368395643746533626616208175397",
                "212262579722479814407692495225684332863",
                "39539486003013522049608937787611466393",
                "246476676816137247473831962818237448026",
                "335009558084391116747953582065464974864",
                "123133674041330844459310121585741650810",
                "10845464845800182800930478827899156756",
                "82354483932027163043918231973686500309",
                "100381715971144982694976537281485979895",
                "155352436137415831665578477263618609601",
                "95491293699046982585770086414228047956",
                "188891531721186369487323952309948663828",
                "279137084820016730480753291199418815614",
                "164496307841070179657773006934556754404",
                "125235467816935585620280476789153445936",
                "106976968521014027950565027855516291338",
                "294783748254981201410023940614038535312",
                "197891360471463700242782738017267289629",
                "215843620904314785241951087549239462918",
                "283076657572558445909752483752179632622",
                "204906379781621035441833925514356134887",
                "14973599023740517374568784902304568022",
                "310471899262468619281775099588120822972",
                "116273437404207121054980488101993981544",
                "251627273515457659877272627416849203930",
                "173908992094598158569317543287135602761",
                "83149265597370038969245635014808694140",
                "193586799978581750804093513761513619606"
            ]
        },
        "target": {
            "file": "server/src/main/java/org/opensearch/index/mapper/AbstractPointGeometryFieldMapper.java"
        },
        "signature_type": "Line",
        "signature_version": "v1",
        "deprecated": false,
        "id": "CVE-2022-41917-7e5837e2",
        "source": "https://github.com/opensearch-project/opensearch/commit/744ca260b892d119be8164f48d92b8810bd7801c"
    },
    {
        "digest": {
            "length": 471.0,
            "function_hash": "13364759679334999557378171629924440638"
        },
        "target": {
            "file": "server/src/main/java/org/opensearch/index/mapper/AbstractPointGeometryFieldMapper.java",
            "function": "reconstructArrayXContent"
        },
        "signature_type": "Function",
        "signature_version": "v1",
        "deprecated": false,
        "id": "CVE-2022-41917-96751c7d",
        "source": "https://github.com/opensearch-project/opensearch/commit/744ca260b892d119be8164f48d92b8810bd7801c"
    },
    {
        "digest": {
            "length": 247.0,
            "function_hash": "48399475011060540466766896048124358509"
        },
        "target": {
            "file": "server/src/main/java/org/opensearch/index/mapper/AbstractPointGeometryFieldMapper.java",
            "function": "createParser"
        },
        "signature_type": "Function",
        "signature_version": "v1",
        "deprecated": false,
        "id": "CVE-2022-41917-b5d5e397",
        "source": "https://github.com/opensearch-project/opensearch/commit/744ca260b892d119be8164f48d92b8810bd7801c"
    },
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "170494040449943166722294887993724282923",
                "71503735865927709349329228653077700459",
                "38097828152124527898574682978502692851",
                "2324650910766934694111590988961238676",
                "88112275390130018182485768905379614948",
                "311019332360114647262887612165227593368",
                "217375664822843649988019698342119348462",
                "198806002937892200415775290128948927099"
            ]
        },
        "target": {
            "file": "server/src/test/java/org/opensearch/index/mapper/GeoPointFieldMapperTests.java"
        },
        "signature_type": "Line",
        "signature_version": "v1",
        "deprecated": false,
        "id": "CVE-2022-41917-cd4c1c66",
        "source": "https://github.com/opensearch-project/opensearch/commit/744ca260b892d119be8164f48d92b8810bd7801c"
    },
    {
        "digest": {
            "length": 417.0,
            "function_hash": "248921983859889504221658662936103872006"
        },
        "target": {
            "file": "server/src/test/java/org/opensearch/index/mapper/GeoPointFieldMapperTests.java",
            "function": "testLatLonInArrayMoreThanThreeValues"
        },
        "signature_type": "Function",
        "signature_version": "v1",
        "deprecated": false,
        "id": "CVE-2022-41917-e2f6be2f",
        "source": "https://github.com/opensearch-project/opensearch/commit/744ca260b892d119be8164f48d92b8810bd7801c"
    },
    {
        "digest": {
            "length": 998.0,
            "function_hash": "40675771172524671681349395243778069239"
        },
        "target": {
            "file": "server/src/main/java/org/opensearch/index/mapper/AbstractPointGeometryFieldMapper.java",
            "function": "parse"
        },
        "signature_type": "Function",
        "signature_version": "v1",
        "deprecated": false,
        "id": "CVE-2022-41917-ff70d01f",
        "source": "https://github.com/opensearch-project/opensearch/commit/744ca260b892d119be8164f48d92b8810bd7801c"
    }
]

Git / github.com/opensearch-project/security

Affected ranges

Type
GIT
Repo
https://github.com/opensearch-project/security
Events
Database specific
{
    "versions": [
        {
            "introduced": "1.0.0"
        },
        {
            "fixed": "1.3.7"
        },
        {
            "introduced": "2.0.0"
        },
        {
            "fixed": "2.4.0"
        }
    ]
}

Database specific

vanir_signatures_modified
"2026-04-12T03:22:13Z"
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-41917.json"
vanir_signatures
[
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "190802608251876723695708323815294798331",
                "159406922189635889326075075414716807852",
                "164487096438305919280300123055628806148",
                "258208411350990867880503156928978156126",
                "182745036320457048373697753478831981211",
                "17165779382262712744817156828346306604",
                "330447875107470999044063650182518584429",
                "15026532455737383454346910345973196471",
                "126453835876486614891207840059575025646",
                "176032099326614279352436648928177379106",
                "187664735698750655791313124692193036867",
                "308083681216149547805348768138620704794",
                "245688700287395083048807384280175191088",
                "11715067545084007430906719122946934852",
                "83266720936271841411945279822828016372",
                "26454332986823529055480486263394149009",
                "97254773761840406105600028925782585928",
                "130023236597886479109613843791183799228",
                "210807043238514916726357204964941549453",
                "92319298434375625179872500794115071100",
                "318310596345242875942157043850083316875"
            ]
        },
        "target": {
            "file": "src/main/java/org/opensearch/security/securityconf/ConfigModelV7.java"
        },
        "signature_type": "Line",
        "signature_version": "v1",
        "deprecated": false,
        "id": "CVE-2022-41917-0622182d",
        "source": "https://github.com/opensearch-project/security/commit/bca461296d1c54f49e4d139316c855f9ca37be26"
    },
    {
        "digest": {
            "length": 333.0,
            "function_hash": "69639218466026152453728481961233906034"
        },
        "target": {
            "file": "src/test/java/org/opensearch/security/IndexTemplateClusterPermissionsCheckTest.java",
            "function": "testPutIndexTemplateByNonPrivilegedUser"
        },
        "signature_type": "Function",
        "signature_version": "v1",
        "deprecated": false,
        "id": "CVE-2022-41917-14d12a58",
        "source": "https://github.com/opensearch-project/security/commit/bca461296d1c54f49e4d139316c855f9ca37be26"
    },
    {
        "digest": {
            "length": 683.0,
            "function_hash": "292191050793919971982400736026026241825"
        },
        "target": {
            "file": "src/test/java/org/opensearch/security/securityconf/impl/v7/IndexPatternTests.java",
            "function": "testExactName"
        },
        "signature_type": "Function",
        "signature_version": "v1",
        "deprecated": false,
        "id": "CVE-2022-41917-29221d0d",
        "source": "https://github.com/opensearch-project/security/commit/bca461296d1c54f49e4d139316c855f9ca37be26"
    },
    {
        "digest": {
            "length": 2007.0,
            "function_hash": "42028553468816119098304692570194140072"
        },
        "target": {
            "file": "src/test/java/org/opensearch/security/DataStreamIntegrationTests.java",
            "function": "testBackingIndicesOfDataStream"
        },
        "signature_type": "Function",
        "signature_version": "v1",
        "deprecated": false,
        "id": "CVE-2022-41917-3126e37c",
        "source": "https://github.com/opensearch-project/security/commit/bca461296d1c54f49e4d139316c855f9ca37be26"
    },
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "337821943607884718980452659685528701204",
                "67191872127043099132258444719078617037",
                "63006482482982091652990119475605508561",
                "83331883392929994829512273928432570133",
                "176118888984173788182812449208802022054",
                "241648534402091179100818036210088933165",
                "116340188457432394783552900946375185345",
                "77013053618638369785840249788436408961",
                "301350169197435810502204324930120037478",
                "335601637235022838482248156221428411199",
                "293460731607764669596222168145735287328",
                "59553097003265650940303961354436638457",
                "31857667226584150408061553680393776853",
                "241648534402091179100818036210088933165",
                "116340188457432394783552900946375185345",
                "336217410529803106497308388795854054548",
                "18881345243492272406900253402779917897",
                "319102887999780372378638826515811820598",
                "24180246899425561157268646521432359175",
                "291888254206080354166150691576664889664",
                "166231027250654263840814759471300605043",
                "121780149104149545242255340641482989207",
                "334273751201741764029112690256834324253",
                "283658829666879120251365614861630876250",
                "283426502094342689667712021711664278798",
                "148187277847259279314034420529149718087",
                "295969006678731434423048105450779667338",
                "24363717504739476079761615660374335845",
                "74037839276126673066563975321181321580",
                "82181966604903415269491430497116992023",
                "148876534904636559950672126720368763642",
                "62494087033143423537386841888166257671",
                "102460624254822870863044531768950552723",
                "94734569692399912338025076943060097246",
                "289299529954936096466336318947935218032",
                "37617140684465608575215372628899118817",
                "157840776341387863837567130103337397591",
                "159709249847975097591092559366113646247",
                "25633527858662141510583786564017553840",
                "148187277847259279314034420529149718087",
                "106382907464109697012837538732745198013",
                "23024671739418634230097975022769456774",
                "238297166626815656275027368843847093431",
                "323799062011611067023954859620693380059",
                "93483006094917618863886453929917042161",
                "225653984646749616545553751711661899161",
                "155469146650118624083371635112921719001",
                "176048929374105487295123438466638738123",
                "121917565465983165506608243880256882219",
                "95014843800091961592270914521628273087",
                "279468921564123468284645083004648545638",
                "141766389755956915823986737878147858634",
                "54624486682803109227916926808312146016"
            ]
        },
        "target": {
            "file": "src/test/java/org/opensearch/security/securityconf/impl/v7/IndexPatternTests.java"
        },
        "signature_type": "Line",
        "signature_version": "v1",
        "deprecated": false,
        "id": "CVE-2022-41917-4e6ed3c9",
        "source": "https://github.com/opensearch-project/security/commit/bca461296d1c54f49e4d139316c855f9ca37be26"
    },
    {
        "digest": {
            "length": 654.0,
            "function_hash": "239744325834366404844052919760374117565"
        },
        "target": {
            "file": "src/test/java/org/opensearch/security/securityconf/impl/v7/IndexPatternTests.java",
            "function": "testExactNameWithNoMatches"
        },
        "signature_type": "Function",
        "signature_version": "v1",
        "deprecated": false,
        "id": "CVE-2022-41917-5c573b56",
        "source": "https://github.com/opensearch-project/security/commit/bca461296d1c54f49e4d139316c855f9ca37be26"
    },
    {
        "digest": {
            "length": 730.0,
            "function_hash": "255065948523695992490388225525586125987"
        },
        "target": {
            "file": "src/test/java/org/opensearch/security/securityconf/impl/v7/IndexPatternTests.java",
            "function": "testMultipleConcreteIndices"
        },
        "signature_type": "Function",
        "signature_version": "v1",
        "deprecated": false,
        "id": "CVE-2022-41917-6e060877",
        "source": "https://github.com/opensearch-project/security/commit/bca461296d1c54f49e4d139316c855f9ca37be26"
    },
    {
        "digest": {
            "length": 1027.0,
            "function_hash": "294108489770333174010132037324844163732"
        },
        "target": {
            "file": "src/main/java/org/opensearch/security/securityconf/ConfigModelV7.java",
            "function": "getResolvedIndexPattern"
        },
        "signature_type": "Function",
        "signature_version": "v1",
        "deprecated": false,
        "id": "CVE-2022-41917-7e7401a4",
        "source": "https://github.com/opensearch-project/security/commit/bca461296d1c54f49e4d139316c855f9ca37be26"
    },
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "304839939921860648025146931493383880770",
                "114824905897582127923213642326210500463",
                "279282111741171071780837385092493668260",
                "230484571854701085785817296781336459921",
                "163031644383687259557961007999565872328",
                "210306569907450714725336597611909073798",
                "322967534684329559786359980029194356725",
                "99764264942043381494496359371697479573",
                "266456712856741126297076607667905475792",
                "213028920204091298750111556879529391686",
                "83265420109879833198405307683372454834",
                "67429226484931028311238673280342925629",
                "91105338395687701043839099980540564837",
                "6450162401299574315445497086149522729"
            ]
        },
        "target": {
            "file": "src/test/java/org/opensearch/security/DataStreamIntegrationTests.java"
        },
        "signature_type": "Line",
        "signature_version": "v1",
        "deprecated": false,
        "id": "CVE-2022-41917-906430fe",
        "source": "https://github.com/opensearch-project/security/commit/bca461296d1c54f49e4d139316c855f9ca37be26"
    },
    {
        "digest": {
            "length": 1193.0,
            "function_hash": "177015297970552032179796422297282209308"
        },
        "target": {
            "file": "src/test/java/org/opensearch/security/securityconf/impl/v7/IndexPatternTests.java",
            "function": "testMultipleConcreteIndicesWithOneAlias"
        },
        "signature_type": "Function",
        "signature_version": "v1",
        "deprecated": false,
        "id": "CVE-2022-41917-a5015401",
        "source": "https://github.com/opensearch-project/security/commit/bca461296d1c54f49e4d139316c855f9ca37be26"
    },
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "157639417100125556875140226556329778119",
                "39332545010403953370335241303781971654",
                "95895900298352061382906362055012717225",
                "107195619093693570336330093161567756532",
                "82797253965665218830239723304419389690",
                "236978715830984851196280058505569856466"
            ]
        },
        "target": {
            "file": "src/test/java/org/opensearch/security/PitIntegrationTests.java"
        },
        "signature_type": "Line",
        "signature_version": "v1",
        "deprecated": false,
        "id": "CVE-2022-41917-a89e203b",
        "source": "https://github.com/opensearch-project/security/commit/bca461296d1c54f49e4d139316c855f9ca37be26"
    },
    {
        "digest": {
            "length": 1514.0,
            "function_hash": "335887108310174375250011577907427146906"
        },
        "target": {
            "file": "src/test/java/org/opensearch/security/PitIntegrationTests.java",
            "function": "testDataStreamWithPits"
        },
        "signature_type": "Function",
        "signature_version": "v1",
        "deprecated": false,
        "id": "CVE-2022-41917-a9f4437d",
        "source": "https://github.com/opensearch-project/security/commit/bca461296d1c54f49e4d139316c855f9ca37be26"
    },
    {
        "digest": {
            "length": 1352.0,
            "function_hash": "56268870803881870005230508140374584424"
        },
        "target": {
            "file": "src/test/java/org/opensearch/security/securityconf/impl/v7/IndexPatternTests.java",
            "function": "testMultipleConcreteAliasedAndUnresolved"
        },
        "signature_type": "Function",
        "signature_version": "v1",
        "deprecated": false,
        "id": "CVE-2022-41917-cb02482a",
        "source": "https://github.com/opensearch-project/security/commit/bca461296d1c54f49e4d139316c855f9ca37be26"
    },
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "75923945005803513679238543808349686941",
                "215197920071175680155699009676477820184",
                "249951776961905760540647555739583814865",
                "97768805283861829065334173221268237582",
                "154707291322054563930136312590658826380"
            ]
        },
        "target": {
            "file": "src/test/java/org/opensearch/security/IndexTemplateClusterPermissionsCheckTest.java"
        },
        "signature_type": "Line",
        "signature_version": "v1",
        "deprecated": false,
        "id": "CVE-2022-41917-e5921c96",
        "source": "https://github.com/opensearch-project/security/commit/bca461296d1c54f49e4d139316c855f9ca37be26"
    }
]