CVSS: 9.8EPSS: 94%CPEs: 444EXPL: 19CVE-2023-44487 – HTTP/2 Rapid Reset Attack Vulnerability
https://notcve.org/view.php?id=CVE-2023-44487
10 Oct 2023 — The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. El protocolo HTTP/2 permite una denegación de servicio (consumo de recursos del servidor) porque la cancelación de solicitudes puede restablecer muchas transmisiones rápidamente, como se explotó en la naturaleza entre agosto y octubre de 2023. A flaw was found in handling multiplexed streams in the HTTP/2 protocol. ... • https://github.com/imabee101/CVE-2023-44487 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 5.9EPSS: 0%CPEs: 4EXPL: 0CVE-2023-31141 – OpenSearch issue with fine-grained access control during extremely rare race conditions
https://notcve.org/view.php?id=CVE-2023-31141
08 May 2023 — OpenSearch is open-source software suite for search, analytics, and observability applications. Prior to versions 1.3.10 and 2.7.0, there is an issue with the implementation of fine-grained access control rules (document-level security, field-level security and field masking) where they are not correctly applied to the queries during extremely rare race conditions potentially leading to incorrect access authorization. For this issue to be triggered, two concurrent requests need to land on the same instance ... • https://github.com/opensearch-project/security/security/advisories/GHSA-g8xc-6mf7-h28h • CWE-863: Incorrect Authorization •
CVSS: 5.3EPSS: 0%CPEs: 4EXPL: 0CVE-2023-25806 – Time discrepancy in authentication responses in OpenSearch
https://notcve.org/view.php?id=CVE-2023-25806
02 Mar 2023 — OpenSearch Security is a plugin for OpenSearch that offers encryption, authentication and authorization. There is an observable discrepancy in the authentication response time between calls where the user provided exists and calls where it does not. This issue only affects calls using the internal basic identity provider (IdP), and not other externally configured IdPs. Patches were released in versions 1.3.9 and 2.6.0, there are no workarounds. • https://github.com/opensearch-project/security/security/advisories/GHSA-c6wg-cm5x-rqvj • CWE-203: Observable Discrepancy CWE-208: Observable Timing Discrepancy •