OpenSearch unauthorized data access on fields protected by field level security if field is a member of an object
Impact: OpenSearch versions 2.19.2 and earlier improperly apply Field Level Security (FLS) rules on fields which are not at the top level of the source document tree, i.e., which are members of a JSON object. If an FLS exclusion rule like object is applied to an object valued attribute in a source...
CVE-2024-54160
dashboards-reporting (aka Dashboards Reports) before 2.19.0.0, as shipped in OpenSearch before 2.19, allows XSS because Markdown is not sanitized when previewing a header or footer...
CVE-2022-41918 Issue with fine-grained access control of indices backing data streams
OpenSearch is a community-driven, open source fork of Elasticsearch and Kibana. There is an issue with the implementation of fine-grained access control rules (document-level security, field-level security and field masking) where they are not correctly applied to the indices that back data streams...