CVE-2022-41918

Source
https://cve.org/CVERecord?id=CVE-2022-41918
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-41918.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-41918
Aliases
Published
2022-11-15T00:00:00Z
Modified
2026-02-26T09:17:56.120655Z
Severity
  • 6.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L CVSS Calculator
Summary
Issue with fine-grained access control of indices backing data streams
Details

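OpenSearch is a community-driven, open source fork of Elasticsearch and Kibana. The fine-grained access control rules (document-level security, field-level security and field masking) are not correctly applied to the indices that back data streams, which can lead to incorrect access authorization: restrictions a role is meant to impose at the document or field level may not be enforced on that data. OpenSearch 1.3.7 and 2.4.0 contain a fix for this issue; per the affected ranges in this record, that covers releases before 1.3.7 and 2.x releases from 2.0.0 up to, but not including, 2.4.0. The enumerated "Affected versions" list below shows no 2.x tags, so check deployments against the ranges rather than the list alone. Users are advised to update. There are no known workarounds for this issue.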

Database specific
{
    "cwe_ids": [
        "CWE-612",
        "CWE-863"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/41xxx/CVE-2022-41918.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/opensearch-project/security

Affected ranges

Type
GIT
Repo
https://github.com/opensearch-project/security
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.3.7"
        }
    ]
}
Type
GIT
Repo
https://github.com/opensearch-project/security
Events
Database specific
{
    "versions": [
        {
            "introduced": "2.0.0"
        },
        {
            "fixed": "2.4.0"
        }
    ]
}

Affected versions

1.*
1.0.0.0
1.1.0.0
1.3.0.0
1.3.1.0
1.3.2.0
1.3.3.0
1.3.4.0
1.3.5.0
1.3.6.0
v0.*
v0.7.0.0
v0.7.0.1
v0.8.0.0
v0.9.0.0
v1.*
v1.0.0.0
v1.0.0.0-beta1
v1.0.0.0-beta1-rc1
v1.0.0.0-beta1-rc2
v1.0.0.0-beta1-rc3
v1.0.0.0-rc1
v1.0.1.0-OS-rc1
v1.1.0.0
v1.10.0.0-rc1
v1.10.1.0
v1.10.1.0-rc1
v1.10.1.0-rc2
v1.11.0.0
v1.11.0.0-rc1
v1.12.0.0
v1.12.0.0-rc
v1.13.0.0
v1.13.0.0-rc1
v1.13.0.0-rc2
v1.13.0.0-rc3
v1.13.0.0-rc4
v1.13.1.0
v1.13.1.0-rc1
v1.13.1.0-rc2
v1.3.0.0
v1.4.0.0
v1.5.0.0
v1.5.0.1
v1.6.0.0
v1.7.0.0
v1.8.0.0
v1.9.0.0
v1.9.0.0-rc1
v1.9.0.0-rc2
v1.9.0.1

Database specific

vanir_signatures
[
    {
        "id": "CVE-2022-41918-0622182d",
        "signature_version": "v1",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "190802608251876723695708323815294798331",
                "159406922189635889326075075414716807852",
                "164487096438305919280300123055628806148",
                "258208411350990867880503156928978156126",
                "182745036320457048373697753478831981211",
                "17165779382262712744817156828346306604",
                "330447875107470999044063650182518584429",
                "15026532455737383454346910345973196471",
                "126453835876486614891207840059575025646",
                "176032099326614279352436648928177379106",
                "187664735698750655791313124692193036867",
                "308083681216149547805348768138620704794",
                "245688700287395083048807384280175191088",
                "11715067545084007430906719122946934852",
                "83266720936271841411945279822828016372",
                "26454332986823529055480486263394149009",
                "97254773761840406105600028925782585928",
                "130023236597886479109613843791183799228",
                "210807043238514916726357204964941549453",
                "92319298434375625179872500794115071100",
                "318310596345242875942157043850083316875"
            ]
        },
        "deprecated": false,
        "source": "https://github.com/opensearch-project/security/commit/bca461296d1c54f49e4d139316c855f9ca37be26",
        "signature_type": "Line",
        "target": {
            "file": "src/main/java/org/opensearch/security/securityconf/ConfigModelV7.java"
        }
    },
    {
        "id": "CVE-2022-41918-14d12a58",
        "signature_version": "v1",
        "digest": {
            "function_hash": "69639218466026152453728481961233906034",
            "length": 333.0
        },
        "deprecated": false,
        "source": "https://github.com/opensearch-project/security/commit/bca461296d1c54f49e4d139316c855f9ca37be26",
        "signature_type": "Function",
        "target": {
            "file": "src/test/java/org/opensearch/security/IndexTemplateClusterPermissionsCheckTest.java",
            "function": "testPutIndexTemplateByNonPrivilegedUser"
        }
    },
    {
        "id": "CVE-2022-41918-29221d0d",
        "signature_version": "v1",
        "digest": {
            "function_hash": "292191050793919971982400736026026241825",
            "length": 683.0
        },
        "deprecated": false,
        "source": "https://github.com/opensearch-project/security/commit/bca461296d1c54f49e4d139316c855f9ca37be26",
        "signature_type": "Function",
        "target": {
            "file": "src/test/java/org/opensearch/security/securityconf/impl/v7/IndexPatternTests.java",
            "function": "testExactName"
        }
    },
    {
        "id": "CVE-2022-41918-3126e37c",
        "signature_version": "v1",
        "digest": {
            "function_hash": "42028553468816119098304692570194140072",
            "length": 2007.0
        },
        "deprecated": false,
        "source": "https://github.com/opensearch-project/security/commit/bca461296d1c54f49e4d139316c855f9ca37be26",
        "signature_type": "Function",
        "target": {
            "file": "src/test/java/org/opensearch/security/DataStreamIntegrationTests.java",
            "function": "testBackingIndicesOfDataStream"
        }
    },
    {
        "id": "CVE-2022-41918-4e6ed3c9",
        "signature_version": "v1",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "337821943607884718980452659685528701204",
                "67191872127043099132258444719078617037",
                "63006482482982091652990119475605508561",
                "83331883392929994829512273928432570133",
                "176118888984173788182812449208802022054",
                "241648534402091179100818036210088933165",
                "116340188457432394783552900946375185345",
                "77013053618638369785840249788436408961",
                "301350169197435810502204324930120037478",
                "335601637235022838482248156221428411199",
                "293460731607764669596222168145735287328",
                "59553097003265650940303961354436638457",
                "31857667226584150408061553680393776853",
                "241648534402091179100818036210088933165",
                "116340188457432394783552900946375185345",
                "336217410529803106497308388795854054548",
                "18881345243492272406900253402779917897",
                "319102887999780372378638826515811820598",
                "24180246899425561157268646521432359175",
                "291888254206080354166150691576664889664",
                "166231027250654263840814759471300605043",
                "121780149104149545242255340641482989207",
                "334273751201741764029112690256834324253",
                "283658829666879120251365614861630876250",
                "283426502094342689667712021711664278798",
                "148187277847259279314034420529149718087",
                "295969006678731434423048105450779667338",
                "24363717504739476079761615660374335845",
                "74037839276126673066563975321181321580",
                "82181966604903415269491430497116992023",
                "148876534904636559950672126720368763642",
                "62494087033143423537386841888166257671",
                "102460624254822870863044531768950552723",
                "94734569692399912338025076943060097246",
                "289299529954936096466336318947935218032",
                "37617140684465608575215372628899118817",
                "157840776341387863837567130103337397591",
                "159709249847975097591092559366113646247",
                "25633527858662141510583786564017553840",
                "148187277847259279314034420529149718087",
                "106382907464109697012837538732745198013",
                "23024671739418634230097975022769456774",
                "238297166626815656275027368843847093431",
                "323799062011611067023954859620693380059",
                "93483006094917618863886453929917042161",
                "225653984646749616545553751711661899161",
                "155469146650118624083371635112921719001",
                "176048929374105487295123438466638738123",
                "121917565465983165506608243880256882219",
                "95014843800091961592270914521628273087",
                "279468921564123468284645083004648545638",
                "141766389755956915823986737878147858634",
                "54624486682803109227916926808312146016"
            ]
        },
        "deprecated": false,
        "source": "https://github.com/opensearch-project/security/commit/bca461296d1c54f49e4d139316c855f9ca37be26",
        "signature_type": "Line",
        "target": {
            "file": "src/test/java/org/opensearch/security/securityconf/impl/v7/IndexPatternTests.java"
        }
    },
    {
        "id": "CVE-2022-41918-5c573b56",
        "signature_version": "v1",
        "digest": {
            "function_hash": "239744325834366404844052919760374117565",
            "length": 654.0
        },
        "deprecated": false,
        "source": "https://github.com/opensearch-project/security/commit/bca461296d1c54f49e4d139316c855f9ca37be26",
        "signature_type": "Function",
        "target": {
            "file": "src/test/java/org/opensearch/security/securityconf/impl/v7/IndexPatternTests.java",
            "function": "testExactNameWithNoMatches"
        }
    },
    {
        "id": "CVE-2022-41918-6e060877",
        "signature_version": "v1",
        "digest": {
            "function_hash": "255065948523695992490388225525586125987",
            "length": 730.0
        },
        "deprecated": false,
        "source": "https://github.com/opensearch-project/security/commit/bca461296d1c54f49e4d139316c855f9ca37be26",
        "signature_type": "Function",
        "target": {
            "file": "src/test/java/org/opensearch/security/securityconf/impl/v7/IndexPatternTests.java",
            "function": "testMultipleConcreteIndices"
        }
    },
    {
        "id": "CVE-2022-41918-7e7401a4",
        "signature_version": "v1",
        "digest": {
            "function_hash": "294108489770333174010132037324844163732",
            "length": 1027.0
        },
        "deprecated": false,
        "source": "https://github.com/opensearch-project/security/commit/bca461296d1c54f49e4d139316c855f9ca37be26",
        "signature_type": "Function",
        "target": {
            "file": "src/main/java/org/opensearch/security/securityconf/ConfigModelV7.java",
            "function": "getResolvedIndexPattern"
        }
    },
    {
        "id": "CVE-2022-41918-906430fe",
        "signature_version": "v1",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "304839939921860648025146931493383880770",
                "114824905897582127923213642326210500463",
                "279282111741171071780837385092493668260",
                "230484571854701085785817296781336459921",
                "163031644383687259557961007999565872328",
                "210306569907450714725336597611909073798",
                "322967534684329559786359980029194356725",
                "99764264942043381494496359371697479573",
                "266456712856741126297076607667905475792",
                "213028920204091298750111556879529391686",
                "83265420109879833198405307683372454834",
                "67429226484931028311238673280342925629",
                "91105338395687701043839099980540564837",
                "6450162401299574315445497086149522729"
            ]
        },
        "deprecated": false,
        "source": "https://github.com/opensearch-project/security/commit/bca461296d1c54f49e4d139316c855f9ca37be26",
        "signature_type": "Line",
        "target": {
            "file": "src/test/java/org/opensearch/security/DataStreamIntegrationTests.java"
        }
    },
    {
        "id": "CVE-2022-41918-a5015401",
        "signature_version": "v1",
        "digest": {
            "function_hash": "177015297970552032179796422297282209308",
            "length": 1193.0
        },
        "deprecated": false,
        "source": "https://github.com/opensearch-project/security/commit/bca461296d1c54f49e4d139316c855f9ca37be26",
        "signature_type": "Function",
        "target": {
            "file": "src/test/java/org/opensearch/security/securityconf/impl/v7/IndexPatternTests.java",
            "function": "testMultipleConcreteIndicesWithOneAlias"
        }
    },
    {
        "id": "CVE-2022-41918-a89e203b",
        "signature_version": "v1",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "157639417100125556875140226556329778119",
                "39332545010403953370335241303781971654",
                "95895900298352061382906362055012717225",
                "107195619093693570336330093161567756532",
                "82797253965665218830239723304419389690",
                "236978715830984851196280058505569856466"
            ]
        },
        "deprecated": false,
        "source": "https://github.com/opensearch-project/security/commit/bca461296d1c54f49e4d139316c855f9ca37be26",
        "signature_type": "Line",
        "target": {
            "file": "src/test/java/org/opensearch/security/PitIntegrationTests.java"
        }
    },
    {
        "id": "CVE-2022-41918-a9f4437d",
        "signature_version": "v1",
        "digest": {
            "function_hash": "335887108310174375250011577907427146906",
            "length": 1514.0
        },
        "deprecated": false,
        "source": "https://github.com/opensearch-project/security/commit/bca461296d1c54f49e4d139316c855f9ca37be26",
        "signature_type": "Function",
        "target": {
            "file": "src/test/java/org/opensearch/security/PitIntegrationTests.java",
            "function": "testDataStreamWithPits"
        }
    },
    {
        "id": "CVE-2022-41918-cb02482a",
        "signature_version": "v1",
        "digest": {
            "function_hash": "56268870803881870005230508140374584424",
            "length": 1352.0
        },
        "deprecated": false,
        "source": "https://github.com/opensearch-project/security/commit/bca461296d1c54f49e4d139316c855f9ca37be26",
        "signature_type": "Function",
        "target": {
            "file": "src/test/java/org/opensearch/security/securityconf/impl/v7/IndexPatternTests.java",
            "function": "testMultipleConcreteAliasedAndUnresolved"
        }
    },
    {
        "id": "CVE-2022-41918-e5921c96",
        "signature_version": "v1",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "75923945005803513679238543808349686941",
                "215197920071175680155699009676477820184",
                "249951776961905760540647555739583814865",
                "97768805283861829065334173221268237582",
                "154707291322054563930136312590658826380"
            ]
        },
        "deprecated": false,
        "source": "https://github.com/opensearch-project/security/commit/bca461296d1c54f49e4d139316c855f9ca37be26",
        "signature_type": "Line",
        "target": {
            "file": "src/test/java/org/opensearch/security/IndexTemplateClusterPermissionsCheckTest.java"
        }
    }
]
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-41918.json"