CVE-2024-39901

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-39901
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-39901.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-39901
Aliases
Published
2024-07-09T22:15:03Z
Modified
2024-10-08T04:18:38.888316Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Summary
[none]
Details

OpenSearch Observability is a collection of plugins and applications that visualize data-driven events. An issue in the OpenSearch observability plugins allows unintended access to private tenant resources like notebooks. The system did not properly check whether the user was the resource author when accessing resources in a private tenant, potentially leading to data being revealed. The patches are included in OpenSearch 2.14.

References

Affected packages

Git / github.com/opensearch-project/observability

Affected ranges

Type
GIT
Repo
https://github.com/opensearch-project/observability
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Type
GIT
Repo
https://github.com/opensearch-project/reporting
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

1.*

1.0.0.0
1.1.0.0

2.*

2.0.0.0
2.0.0.0-rc1
2.0.1.0
2.1.0.0
2.11.0.0
2.2.0.0
2.2.1.0

chromium-1.*

chromium-1.12.0.0

v1.*

v1.0.0.0-beta1
v1.0.0.0-rc1
v1.12.0.0
v1.12.0.0-alpha
v1.13.0.0
v1.13.0.0-alpha
v1.13.2.0