Lucene search

Debian Security Bug TrackerDEBIANCVE:CVE-2022-41917

HistoryNov 16, 2022 - 12:15 a.m.

CVE-2022-41917

2022-11-1600:15:11

Debian Security Bug Tracker

security-tracker.debian.org

opensearch

cve-2022-41917

file disclosure

vulnerability

fix

upgrade

text analysis

java security manager

text files

permissions

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

EPSS

0.001

Percentile

19.4%

JSON

OpenSearch is a community-driven, open source fork of Elasticsearch and Kibana. OpenSearch allows users to specify a local file when defining text analyzers to process data for text analysis. An issue in the implementation of this feature allows certain specially crafted queries to return a response containing the first line of text from arbitrary files. The list of potentially impacted files is limited to text files with read permissions allowed in the Java Security Manager policy configuration. OpenSearch version 1.3.7 and 2.4.0 contain a fix for this issue. Users are advised to upgrade. There are no known workarounds for this issue.

OSVersionArchitecturePackageVersionFilename
Debian999allopensearch< 2.4.1+dfsg-2opensearch_2.4.1+dfsg-2_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	999	all	opensearch	< 2.4.1+dfsg-2	opensearch_2.4.1+dfsg-2_all.deb

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

EPSS

0.001

Percentile

19.4%

JSON

Related for DEBIANCVE:CVE-2022-41917