GHSA-72q2-gwwf-6hrv

Source

https://github.com/advisories/GHSA-72q2-gwwf-6hrv

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-72q2-gwwf-6hrv/GHSA-72q2-gwwf-6hrv.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-72q2-gwwf-6hrv

Aliases

CVE-2023-45807

Published

2023-10-17T14:25:36Z

Modified

2024-02-16T08:21:41.489097Z

Severity

5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L CVSS Calculator

Summary

OpenSearch Issue with tenant read-only permissions

Details

Impact

There is an issue with the implementation of tenant permissions in OpenSearch Dashboards where authenticated users with read-only access to a tenant can perform create, edit and delete operations on index metadata of dashboards and visualizations in that tenant, potentially rendering them unavailable.

This issue does not affect index data, only metadata. Dashboards correctly enforces read-only permissions when indexing and updating documents. This issue does not provide additional read access to data users don’t already have.

Mitigation

This issue can be mitigated by disabling the tenants functionality for the cluster. Versions 1.3.14 and 2.11.0 contain a fix for this issue.

For more information

If you have any questions or comments about this advisory, please contact AWS/Amazon Security via our issue reporting page (https://aws.amazon.com/security/vulnerability-reporting/) or directly via email to aws-security@amazon.com. Please do not create a public GitHub issue.

Database specific

{
    "nvd_published_at": "2023-10-16T22:15:12Z",
    "cwe_ids": [
        "CWE-281"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2023-10-17T14:25:36Z"
}

References

Affected packages

Maven / org.opensearch.plugin:opensearch-security

Package

Name: org.opensearch.plugin:opensearch-security; View open source insights on deps.dev
Purl: pkg:maven/org.opensearch.plugin/opensearch-security

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.0.0.0

Fixed

2.11.0.0

Affected versions

2.*

2.1.0.0

2.2.0.0

2.2.1.0

2.3.0.0

2.4.0.0

2.4.1.0

2.5.0.0

2.6.0.0

2.7.0.0

2.8.0.0

2.9.0.0

2.10.0.0

Maven / org.opensearch.plugin:opensearch-security

Package

Name: org.opensearch.plugin:opensearch-security; View open source insights on deps.dev
Purl: pkg:maven/org.opensearch.plugin/opensearch-security

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.3.14.0