Lucene search
K
AmazonOpensearch

11 matches found

CVE
CVE
β€’added 2023/02/03 7:14 p.m.β€’158 views

CVE-2023-23933

CVE-2023-23933 concerns OpenSearch Anomaly Detection: the plugin improperly applies document- and field-level restrictions, allowing users with the Anomaly Detector role to read aggregated numerical data from restricted fields. This affects authenticated users who already had read access to the r...

5.7CVSS4.8AI score0.00512EPSS
CVE
CVE
β€’added 2022/06/30 9:55 p.m.β€’140 views

CVE-2022-31115

Opensearch-ruby before 2.0.1 is affected by unsafe YAML deserialization via YAML.load (not YAML.safe_load). Vulnerable in 2.0.0 and earlier when the response is YAML, exploitable only if an attacker controls the opensearch server and lures the victim to connect. Patch available in 2.0.1 (and subs...

8.8CVSS8.7AI score0.01501EPSS
CVE
CVE
β€’added 2023/05/08 8:33 p.m.β€’140 views

CVE-2023-31141

OpenSearch vulnerability CVE-2023-31141 involves race-condition on access-control rules (document-level/field-level security and field masking) where queries may bypass correct authorization under extremely rare timing with concurrent requests and query-cache eviction. Affected are OpenSearch rel...

5.9CVSS5.3AI score0.0046EPSS
CVE
CVE
β€’added 2023/01/24 8:36 p.m.β€’129 views

CVE-2023-23612

CVE-2023-23612 affects OpenSearch. A flaw in processing JWT role claims trims leading/trailing whitespace, which can let authenticated users claim roles they are not assigned to if a whitespace-matching role exists. Affected OpenSearch versions: 1.0.0–1.3.7 and 2.0.0–2.4.1. The issue relies on th...

8.8CVSS6.3AI score0.00796EPSS
CVE
CVE
β€’added 2023/01/24 8:33 p.m.β€’115 views

CVE-2023-23613

CVE-2023-23613 affects OpenSearch with a flaw in field-level security (FLS) and field masking. Rules that explicitly exclude fields may not be applied correctly for queries relying on generated .keyword fields, potentially exposing data to authenticated users with read access to restricted indexe...

6.5CVSS5.6AI score0.00821EPSS
CVE
CVE
β€’added 2023/10/16 9:33 p.m.β€’115 views

CVE-2023-45807

OpenSearch Dashboards contains a tenant-permissions issue where authenticated users with read-only access to a tenant can create, edit, or delete index metadata for dashboards/visualizations in that tenant. This affects metadata only (not index data); read-only verification for data remains intac...

5.4CVSS5AI score0.0041EPSS
CVE
CVE
β€’added 2022/08/12 5:40 p.m.β€’99 views

CVE-2022-35980

CVE-2022-35980 affects OpenSearch Security plugin versions 2.0.0.0 and 2.1.0.0. The flaw allows information disclosure when an OpenSearch cluster uses DLS/FLS/field masking and an aliased index causes queries to bypass filters (OpenSearch Dashboards alias to .kibana). OpenSearch 2.2.0 (and compat...

7.5CVSS7.5AI score0.00918EPSS
CVE
CVE
β€’added 2022/11/15 12:0 a.m.β€’95 views

CVE-2022-41917

OpenSearch CVE-2022-41917 is an information-disclosure flaw in OpenSearch where an incorrect error-handling path allows certain crafted REST queries to read the first line from arbitrary text files, limited to files readable under the Java Security Manager policy. Affected versions are OpenSearch...

4.3CVSS4.4AI score0.00522EPSS
CVE
CVE
β€’added 2022/11/15 12:0 a.m.β€’86 views

CVE-2022-41918

OpenSearch has a vulnerability where fine-grained access controls (document-level security, field-level security, and field masking) are not correctly applied to the indices backing data streams, potentially allowing incorrect access authorization. The issue affects OpenSearch prior to the patche...

6.3CVSS6.3AI score0.0043EPSS
CVE
CVE
β€’added 2023/03/02 3:4 a.m.β€’62 views

CVE-2023-25806

OpenSearch Security (the OpenSearch Security plugin) has a time-discrepancy issue in authentication responses when using the internal basic IdP. The observed behavior affects authentication latency between requests for existing vs non-existing users. Patches are available in OpenSearch Security v...

5.3CVSS5.4AI score0.00328EPSS
CVE
CVE
β€’added 2025/11/25 7:43 p.m.β€’45 views

CVE-2025-9624

OpenSearch CVE-2025-9624: A DoS vulnerability via complex query_string inputs affects OpenSearch 3.0.0–3.2.x and OpenSearch

8.3CVSS6.1AI score0.0047EPSS