CVE-2023-25806

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2023-25806

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-25806.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2023-25806

Aliases

GHSA-c6wg-cm5x-rqvj

Published

2023-03-02T03:04:26.889Z

Modified

2026-02-13T02:37:19.553937Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

Time discrepancy in authentication responses in OpenSearch

Details

OpenSearch Security is a plugin for OpenSearch that offers encryption, authentication and authorization. There is an observable discrepancy in the authentication response time between calls where the user provided exists and calls where it does not. This issue only affects calls using the internal basic identity provider (IdP), and not other externally configured IdPs. Patches were released in versions 1.3.9 and 2.6.0, there are no workarounds.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/25xxx/CVE-2023-25806.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-208"
    ]
}

References

Affected packages

Git

github.com/opensearch-project/anomaly-detection

Affected ranges

Type: GIT
Repo: https://github.com/opensearch-project/anomaly-detection
Events: Introduced

ce81e915882980d819780c83d8f767ca295fbbcb

Fixed

0a48da9e1a0cd70c64cc2da228674baaf377c89e

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-25806.json"

github.com/opensearch-project/opensearch

Affected ranges

Type: GIT
Repo: https://github.com/opensearch-project/opensearch
Events: Introduced

bae3b4e4178c20ac24fece8e82099abe3b2630d0

Fixed

7203a5af21a8a009aece1474446b437a3c674db6

Database specific

vanir_signatures

[
    {
        "id": "CVE-2023-25806-6dcfba68",
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://github.com/opensearch-project/opensearch/commit/7203a5af21a8a009aece1474446b437a3c674db6",
        "target": {
            "file": "server/src/test/java/org/opensearch/search/backpressure/trackers/HeapUsageTrackerTests.java"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "261418821363091455290036926859038009393",
                "142506288093464055713948067876021103711",
                "80361243418112149541333574963213333197",
                "290769537263456754015292709250858077598",
                "37801161270839161805516132699698195741",
                "168464379962180483187364468726781547405",
                "298677360576768250492773120273981805925",
                "4175503997745510539967119979835599894",
                "58099636554214787393999347794043923293",
                "325864396028902277639462463623935064226",
                "15666481119382259362332242398598110396",
                "92322506223306940352097129384224263283"
            ]
        },
        "signature_type": "Line"
    }
]

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-25806.json"

github.com/opensearch-project/security

Affected ranges

Type: GIT
Repo: https://github.com/opensearch-project/security
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

0004aba21d56ff62ea2f445758b51fd21f431e63

Introduced

5e6457703a6609c556f357aafdb116f4a2f30c05

Fixed

766cf3f713fb7621faa8546ca5c2f37f5a847009

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-25806.json"