GHSA-f4qr-f4xx-hjxw
Suggest an improvement- Source
- https://github.com/advisories/GHSA-f4qr-f4xx-hjxw
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/08/GHSA-f4qr-f4xx-hjxw/GHSA-f4qr-f4xx-hjxw.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-f4qr-f4xx-hjxw
- Aliases
- Published
- 2022-08-12T17:31:58Z
- Modified
- 2023-11-08T04:09:55.363295Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- OpenSearch vulnerable to Improper Authorization of Index Containing Sensitive Information
- Details
-
Impact
Requests to an OpenSearch cluster configured with advanced access control features (document level security (DLS), field level security (FLS), and/or field masking) will not be filtered when the query's search pattern matches an aliased index.
OpenSearch Dashboards creates an alias to
.kibanaby default, so filters with the index pattern of*to restrict access to documents or fields will not be applied.This issue allows requests to access sensitive information when customer have acted to restrict access that specific information.
Patches
OpenSearch 2.2.0+ contains the fix for this issue. OpenSearch Security Plugin 2.2.0.0 is compatible with OpenSearch 2.2.0.
Workarounds
There is no recommended work around.
References
See pull request #1999 for additional details.
For more information
If you have any questions or comments about this advisory we ask that contact AWS/Amazon Security via our vulnerability reporting page or directly via email to aws-security@amazon.com. Please do not create a public GitHub issue.
- Database specific
{ "nvd_published_at": "2022-08-12T18:15:00Z", "github_reviewed_at": "2022-08-12T17:31:58Z", "severity": "HIGH", "github_reviewed": true, "cwe_ids": [ "CWE-612" ] }- References
-
- https://github.com/opensearch-project/security/security/advisories/GHSA-f4qr-f4xx-hjxw
- https://nvd.nist.gov/vuln/detail/CVE-2022-35980
- https://github.com/opensearch-project/security/pull/1999
- https://github.com/opensearch-project/security/commit/7eaaafec2939d7db23a02ffca9cc68e0343de246
- https://github.com/opensearch-project/security
Affected packages
Maven / org.opensearch.plugin:opensearch-security
Package
- Name
- org.opensearch.plugin:opensearch-security
- View open source insights on deps.dev
- Purl
- pkg:maven/org.opensearch.plugin/opensearch-security