CVE-2023-23612 – Issue with whitespace in JWT roles in OpenSearch
https://notcve.org/view.php?id=CVE-2023-23612
OpenSearch is an open source distributed and RESTful search engine. OpenSearch uses JWTs to store role claims obtained from the Identity Provider (IdP) when the authentication backend is SAML or OpenID Connect. There is an issue in how those claims are processed from the JWTs where the leading and trailing whitespace is trimmed, allowing users to potentially claim roles they are not assigned to if any role matches the whitespace-stripped version of the roles they are a member of. This issue is only present for authenticated users, and it requires either the existence of roles that match, not considering leading/trailing whitespace, or the ability for users to create said matching roles. In addition, the Identity Provider must allow leading and trailing spaces in role names. • https://github.com/opensearch-project/OpenSearch/releases/tag/2.5.0 https://github.com/opensearch-project/security/security/advisories/GHSA-864v-6qj7-62qj • CWE-287: Improper Authentication •
CVE-2023-23613 – Field-level security issue with .keyword fields in OpenSearch
https://notcve.org/view.php?id=CVE-2023-23613
OpenSearch is an open source distributed and RESTful search engine. In affected versions there is an issue in the implementation of field-level security (FLS) and field masking where rules written to explicitly exclude fields are not correctly applied for certain queries that rely on their auto-generated .keyword fields. This issue is only present for authenticated users with read access to the indexes containing the restricted fields. This may expose data which may otherwise not be accessible to the user. OpenSearch 1.0.0-1.3.7 and 2.0.0-2.4.1 are affected. • https://github.com/opensearch-project/OpenSearch/releases/tag/2.5.0 https://github.com/opensearch-project/security/security/advisories/GHSA-v3cg-7r9h-r2g6 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2022-41917 – Incorrect Error Handling Allowed Partial File Reads Over REST API in OpenSearch
https://notcve.org/view.php?id=CVE-2022-41917
OpenSearch is a community-driven, open source fork of Elasticsearch and Kibana. OpenSearch allows users to specify a local file when defining text analyzers to process data for text analysis. An issue in the implementation of this feature allows certain specially crafted queries to return a response containing the first line of text from arbitrary files. The list of potentially impacted files is limited to text files with read permissions allowed in the Java Security Manager policy configuration. OpenSearch version 1.3.7 and 2.4.0 contain a fix for this issue. • https://github.com/opensearch-project/OpenSearch/commit/6d20423f5920745463b1abc5f1daf6a786c41aa0 https://github.com/opensearch-project/OpenSearch/security/advisories/GHSA-w3rx-m34v-wrqx • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-755: Improper Handling of Exceptional Conditions •
CVE-2022-41918 – Issue with fine-grained access control of indices backing data streams
https://notcve.org/view.php?id=CVE-2022-41918
OpenSearch is a community-driven, open source fork of Elasticsearch and Kibana. There is an issue with the implementation of fine-grained access control rules (document-level security, field-level security and field masking) where they are not correctly applied to the indices that back data streams potentially leading to incorrect access authorization. OpenSearch 1.3.7 and 2.4.0 contain a fix for this issue. Users are advised to update. There are no known workarounds for this issue. • https://github.com/opensearch-project/security/commit/f7cc569c9d3fa5d5432c76c854eed280d45ce6f4 https://github.com/opensearch-project/security/security/advisories/GHSA-wmx7-x4jp-9jgg • CWE-612: Improper Authorization of Index Containing Sensitive Information CWE-863: Incorrect Authorization •
CVE-2022-41906 – OpenSearch Notifications is vulnerable to Server-Side Request Forgery (SSRF)
https://notcve.org/view.php?id=CVE-2022-41906
OpenSearch Notifications is a notifications plugin for OpenSearch that enables other plugins to send notifications via Email, Slack, Amazon Chime, Custom web-hook etc channels. A potential SSRF issue in OpenSearch Notifications Plugin starting in 2.0.0 and prior to 2.2.1 could allow an existing privileged user to enumerate listening services or interact with configured resources via HTTP requests exceeding the Notification plugin's intended scope. OpenSearch 2.2.1+ contains the fix for this issue. There are currently no recommended workarounds. OpenSearch Notifications es un complemento de notificaciones para OpenSearch que permite que otros complementos envíen notificaciones a través de canales de correo electrónico, Slack, Amazon Chime, web-hook personalizado, etc. • https://github.com/opensearch-project/notifications/pull/496 https://github.com/opensearch-project/notifications/pull/507 https://github.com/opensearch-project/notifications/security/advisories/GHSA-pfc4-3436-jgrw • CWE-918: Server-Side Request Forgery (SSRF) •