CVE-2022-41917

2022-11-1600:15:11

CWE-755

CWE-200

[email protected]

web.nvd.nist.gov

opensearch

cve-2022-41917

security

upgrade

text analyzers

vulnerability

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

4.4 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

19.6%

JSON

OpenSearch is a community-driven, open source fork of Elasticsearch and Kibana. OpenSearch allows users to specify a local file when defining text analyzers to process data for text analysis. An issue in the implementation of this feature allows certain specially crafted queries to return a response containing the first line of text from arbitrary files. The list of potentially impacted files is limited to text files with read permissions allowed in the Java Security Manager policy configuration. OpenSearch version 1.3.7 and 2.4.0 contain a fix for this issue. Users are advised to upgrade. There are no known workarounds for this issue.

Affected configurations

Vulners

NVD

Node

opensearch-projectopensearchRange<1.3.7

opensearch-projectopensearchRange2.0.0–2.4.0

CPENameOperatorVersion
amazon:opensearchamazon opensearchlt1.3.7
amazon:opensearchamazon opensearchlt2.4.0

CPE	Name	Operator	Version
amazon:opensearch	amazon opensearch	lt	1.3.7
amazon:opensearch	amazon opensearch	lt	2.4.0

CNA Affected

[
  {
    "vendor": "opensearch-project",
    "product": "OpenSearch",
    "versions": [
      {
        "version": "< 1.3.7",
        "status": "affected"
      },
      {
        "version": ">= 2.0.0, < 2.4.0",
        "status": "affected"
      }
    ]
  }
]