CVE-2023-23612

Issue with whitespace in JWT roles in OpenSearch

Severity Score

8.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

OpenSearch is an open source distributed and RESTful search engine. OpenSearch uses JWTs to store role claims obtained from the Identity Provider (IdP) when the authentication backend is SAML or OpenID Connect. There is an issue in how those claims are processed from the JWTs where the leading and trailing whitespace is trimmed, allowing users to potentially claim roles they are not assigned to if any role matches the whitespace-stripped version of the roles they are a member of. This issue is only present for authenticated users, and it requires either the existence of roles that match, not considering leading/trailing whitespace, or the ability for users to create said matching roles. In addition, the Identity Provider must allow leading and trailing spaces in role names. OpenSearch 1.0.0-1.3.7 and 2.0.0-2.4.1 are affected. Users are advised to upgrade to OpenSearch 1.3.8 or 2.5.0. There are no known workarounds for this issue.

OpenSearch es un motor de búsqueda RESTful y distribuido de código abierto. OpenSearch utiliza JWT para almacenar reclamaciones de funciones obtenidas del proveedor de identidad (IdP) cuando el backend de autenticación es SAML u OpenID Connect. Existe un problema en la forma en que se procesan esas reclamaciones desde los JWT donde se recortan los espacios en blanco iniciales y finales, lo que permite a los usuarios reclamar roles a los que no están asignados si algún rol coincide con la versión sin espacios en blanco de los roles de los que son miembros. Este problema solo está presente para usuarios autenticados y requiere la existencia de roles que coincidan, sin considerar los espacios en blanco iniciales/finales, o la capacidad de los usuarios de crear dichos roles coincidentes. Además, el proveedor de identidad debe permitir espacios iniciales y finales en los nombres de funciones. OpenSearch 1.0.0-1.3.7 y 2.0.0-2.4.1 se ven afectados. Se recomienda a los usuarios que actualicen a OpenSearch 1.3.8 o 2.5.0. No se conocen workarounds para este problema.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

Low

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2023-01-16 CVE Reserved
2023-01-24 CVE Published
2024-08-02 CVE Updated
2024-08-16 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-287: Improper Authentication

CAPEC

References (2)

URL	Tag	Source
https://github.com/opensearch-project/OpenSearch/releases/tag/2.5.0	Third Party Advisory
https://github.com/opensearch-project/security/security/advisories/GHSA-864v-6qj7-62qj	Third Party Advisory

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Amazon Search vendor "Amazon"		Opensearch Search vendor "Amazon" for product "Opensearch"				>= 1.0.0 < 1.3.8 Search vendor "Amazon" for product "Opensearch" and version " >= 1.0.0 < 1.3.8"		-		Affected
Amazon Search vendor "Amazon"		Opensearch Search vendor "Amazon" for product "Opensearch"				>= 2.0.0 < 2.5.0 Search vendor "Amazon" for product "Opensearch" and version " >= 2.0.0 < 2.5.0"		-		Affected