9 results (0.010 seconds)

CVSS: 5.4EPSS: 0%CPEs: 4EXPL: 0

OpenSearch is a community-driven, open source fork of Elasticsearch and Kibana following the license change in early 2021. There is an issue with the implementation of tenant permissions in OpenSearch Dashboards where authenticated users with read-only access to a tenant can perform create, edit and delete operations on index metadata of dashboards and visualizations in that tenant, potentially rendering them unavailable. This issue does not affect index data, only metadata. Dashboards correctly enforces read-only permissions when indexing and updating documents. This issue does not provide additional read access to data users don’t already have. • https://github.com/opensearch-project/security/security/advisories/GHSA-72q2-gwwf-6hrv • CWE-281: Improper Preservation of Permissions •

CVSS: 5.9EPSS: 0%CPEs: 4EXPL: 0

OpenSearch is open-source software suite for search, analytics, and observability applications. Prior to versions 1.3.10 and 2.7.0, there is an issue with the implementation of fine-grained access control rules (document-level security, field-level security and field masking) where they are not correctly applied to the queries during extremely rare race conditions potentially leading to incorrect access authorization. For this issue to be triggered, two concurrent requests need to land on the same instance exactly when query cache eviction happens, once every four hours. OpenSearch 1.3.10 and 2.7.0 contain a fix for this issue. • https://github.com/opensearch-project/security/security/advisories/GHSA-g8xc-6mf7-h28h • CWE-863: Incorrect Authorization •

CVSS: 5.3EPSS: 0%CPEs: 4EXPL: 0

OpenSearch Security is a plugin for OpenSearch that offers encryption, authentication and authorization. There is an observable discrepancy in the authentication response time between calls where the user provided exists and calls where it does not. This issue only affects calls using the internal basic identity provider (IdP), and not other externally configured IdPs. Patches were released in versions 1.3.9 and 2.6.0, there are no workarounds. • https://github.com/opensearch-project/security/security/advisories/GHSA-c6wg-cm5x-rqvj • CWE-203: Observable Discrepancy CWE-208: Observable Timing Discrepancy •

CVSS: 5.7EPSS: 0%CPEs: 2EXPL: 0

OpenSearch Anomaly Detection identifies atypical data and receives automatic notifications. There is an issue with the application of document and field level restrictions in the Anomaly Detection plugin, where users with the Anomaly Detector role can read aggregated numerical data (e.g. averages, sums) of fields that are otherwise restricted to them. This issue only affects authenticated users who were previously granted read access to the indexes containing the restricted fields. This issue has been patched in versions 1.3.8 and 2.6.0. There are no known workarounds for this issue. • https://github.com/opensearch-project/anomaly-detection/security/advisories/GHSA-47qw-jwpx-pp4c • CWE-125: Out-of-bounds Read •

CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0

OpenSearch is an open source distributed and RESTful search engine. OpenSearch uses JWTs to store role claims obtained from the Identity Provider (IdP) when the authentication backend is SAML or OpenID Connect. There is an issue in how those claims are processed from the JWTs where the leading and trailing whitespace is trimmed, allowing users to potentially claim roles they are not assigned to if any role matches the whitespace-stripped version of the roles they are a member of. This issue is only present for authenticated users, and it requires either the existence of roles that match, not considering leading/trailing whitespace, or the ability for users to create said matching roles. In addition, the Identity Provider must allow leading and trailing spaces in role names. • https://github.com/opensearch-project/OpenSearch/releases/tag/2.5.0 https://github.com/opensearch-project/security/security/advisories/GHSA-864v-6qj7-62qj • CWE-287: Improper Authentication •