CVE-2022-35980

2022-08-1218:15:13

CWE-612

[email protected]

web.nvd.nist.gov

opensearch security

plugin vulnerability

information disclosure

encryption

authentication

authorization

advanced access control features

document level security

field level security

field masking

aliased index

opensearch dashboards

kibana alias

sensitive information

fix

no work around

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

41.2%

JSON

OpenSearch Security is a plugin for OpenSearch that offers encryption, authentication and authorization. Versions 2.0.0.0 and 2.1.0.0 of the security plugin are affected by an information disclosure vulnerability. Requests to an OpenSearch cluster configured with advanced access control features document level security (DLS), field level security (FLS), and/or field masking will not be filtered when the query’s search pattern matches an aliased index. OpenSearch Dashboards creates an alias to .kibana by default, so filters with the index pattern of * to restrict access to documents or fields will not be applied. This issue allows requests to access sensitive information when customer have acted to restrict access that specific information. OpenSearch 2.2.0, which is compatible with OpenSearch Security 2.2.0.0, contains the fix for this issue. There is no recommended work around.

Affected configurations

Nvd

Node

amazonopensearchMatch2.0.0docker

amazonopensearchMatch2.1.0docker

VendorProductVersionCPE
amazonopensearch2.0.0cpe:2.3:a:amazon:opensearch:2.0.0:*:*:*:*:docker:*:*
amazonopensearch2.1.0cpe:2.3:a:amazon:opensearch:2.1.0:*:*:*:*:docker:*:*