CVE-2022-41918

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-41918
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-41918.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-41918
Aliases
Published
2022-11-15T00:00:00Z
Modified
2025-10-26T12:04:27.496877Z
Severity
  • 6.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Summary
Issue with fine-grained access control of indices backing data streams
Details

OpenSearch is a community-driven, open source fork of Elasticsearch and Kibana. There is an issue with the implementation of fine-grained access control rules (document-level security, field-level security and field masking): they are not correctly applied to the indices that back data streams, potentially leading to incorrect access authorization. OpenSearch 1.3.7 and 2.4.0 contain a fix for this issue. Users are advised to update. There are no known workarounds for this issue.

Database specific
{
    "cwe_ids": [
        "CWE-612",
        "CWE-863"
    ]
}
References

Affected packages

Git / github.com/opensearch-project/anomaly-detection

Affected ranges

Type
GIT
Repo
https://github.com/opensearch-project/anomaly-detection
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

Other

(None)

1.*

1.0.0.0-beta1
1.0.0.0-rc1
1.3.0.0
1.3.1.0
1.3.2.0
1.3.3.0
1.3.4.0
1.3.5.0
1.3.6.0

v1.*

v1.10.0.0
v1.10.1.0
v1.11.0.0
v1.12.0.0
v1.13.0.0
v1.2.1-alpha
v1.7.0.0
v1.8.0.0
v1.9.0.0

Database specific

vanir_signatures

[
    {
        "source": "https://github.com/opensearch-project/anomaly-detection/commit/8e430e3b0696b3ae24a21eac953e870d935f5226",
        "target": {
            "file": "src/test/java/org/opensearch/ad/e2e/DetectionResultEvalutationIT.java"
        },
        "deprecated": false,
        "id": "CVE-2022-41918-e7d96ad0",
        "signature_version": "v1",
        "signature_type": "Line",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
            ]
        }
    },
    {
        "source": "https://github.com/opensearch-project/anomaly-detection/commit/8e430e3b0696b3ae24a21eac953e870d935f5226",
        "target": {
            "function": "testValidationWindowDelayRecommendation",
            "file": "src/test/java/org/opensearch/ad/e2e/DetectionResultEvalutationIT.java"
        },
        "deprecated": false,
        "id": "CVE-2022-41918-e7efffae",
        "signature_version": "v1",
        "signature_type": "Function",
        "digest": {
            "length": 1389.0,
            "function_hash": "205572322480542887554609209692216585020"
        }
    }
]

Git / github.com/opensearch-project/opensearch

Affected ranges

Type
GIT
Repo
https://github.com/opensearch-project/opensearch
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

1.*

1.0.0-alpha1
1.0.0-alpha2
1.0.0-beta1
1.3.0
1.3.1
1.3.2
1.3.3
1.3.4
1.3.5
1.3.6

Git / github.com/opensearch-project/security

Affected ranges

Type
GIT
Repo
https://github.com/opensearch-project/security
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

1.*

1.0.0.0
1.1.0.0

v0.*

v0.7.0.0
v0.7.0.1
v0.8.0.0
v0.9.0.0

v1.*

v1.0.0.0
v1.0.0.0-beta1
v1.0.0.0-beta1-rc1
v1.0.0.0-beta1-rc2
v1.0.0.0-beta1-rc3
v1.0.0.0-rc1
v1.0.1.0-OS-rc1
v1.1.0.0
v1.10.0.0-rc1
v1.10.1.0
v1.10.1.0-rc1
v1.10.1.0-rc2
v1.11.0.0
v1.11.0.0-rc1
v1.12.0.0
v1.12.0.0-rc
v1.13.0.0
v1.13.0.0-rc1
v1.13.0.0-rc2
v1.13.0.0-rc3
v1.13.0.0-rc4
v1.13.1.0
v1.13.1.0-rc1
v1.13.1.0-rc2
v1.3.0.0
v1.4.0.0
v1.5.0.0
v1.5.0.1
v1.6.0.0
v1.7.0.0
v1.8.0.0
v1.9.0.0
v1.9.0.0-rc1
v1.9.0.0-rc2
v1.9.0.1

Database specific

vanir_signatures

[
    {
        "source": "https://github.com/opensearch-project/security/commit/f7cc569c9d3fa5d5432c76c854eed280d45ce6f4",
        "target": {
            "file": "src/main/java/org/opensearch/security/securityconf/ConfigModelV7.java"
        },
        "deprecated": false,
        "id": "CVE-2022-41918-62557746",
        "signature_version": "v1",
        "signature_type": "Line",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
            ]
        }
    },
    {
        "source": "https://github.com/opensearch-project/security/commit/f7cc569c9d3fa5d5432c76c854eed280d45ce6f4",
        "target": {
            "file": "src/test/java/org/opensearch/security/DataStreamIntegrationTests.java"
        },
        "deprecated": false,
        "id": "CVE-2022-41918-c5bdef0b",
        "signature_version": "v1",
        "signature_type": "Line",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
            ]
        }
    },
    {
        "source": "https://github.com/opensearch-project/security/commit/f7cc569c9d3fa5d5432c76c854eed280d45ce6f4",
        "target": {
            "function": "testBackingIndicesOfDataStream",
            "file": "src/test/java/org/opensearch/security/DataStreamIntegrationTests.java"
        },
        "deprecated": false,
        "id": "CVE-2022-41918-e129fb39",
        "signature_version": "v1",
        "signature_type": "Function",
        "digest": {
            "length": 2007.0,
            "function_hash": "42028553468816119098304692570194140072"
        }
    },
    {
        "source": "https://github.com/opensearch-project/security/commit/f7cc569c9d3fa5d5432c76c854eed280d45ce6f4",
        "target": {
            "function": "getResolvedIndexPattern",
            "file": "src/main/java/org/opensearch/security/securityconf/ConfigModelV7.java"
        },
        "deprecated": false,
        "id": "CVE-2022-41918-f6f85ef0",
        "signature_version": "v1",
        "signature_type": "Function",
        "digest": {
            "length": 1027.0,
            "function_hash": "294108489770333174010132037324844163732"
        }
    }
]