11 matches found
CVE-2023-23933
CVE-2023-23933 concerns OpenSearch Anomaly Detection: the plugin improperly applies document- and field-level restrictions, allowing users with the Anomaly Detector role to read aggregated numerical data from restricted fields. This affects authenticated users who already had read access to the r...
CVE-2022-31115
Opensearch-ruby before 2.0.1 is affected by unsafe YAML deserialization via YAML.load (not YAML.safe_load). Vulnerable in 2.0.0 and earlier when the response is YAML, exploitable only if an attacker controls the opensearch server and lures the victim to connect. Patch available in 2.0.1 (and subs...
CVE-2023-31141
OpenSearch vulnerability CVE-2023-31141 involves race-condition on access-control rules (document-level/field-level security and field masking) where queries may bypass correct authorization under extremely rare timing with concurrent requests and query-cache eviction. Affected are OpenSearch rel...
CVE-2023-23612
CVE-2023-23612 affects OpenSearch. A flaw in processing JWT role claims trims leading/trailing whitespace, which can let authenticated users claim roles they are not assigned to if a whitespace-matching role exists. Affected OpenSearch versions: 1.0.0β1.3.7 and 2.0.0β2.4.1. The issue relies on th...
CVE-2023-23613
CVE-2023-23613 affects OpenSearch with a flaw in field-level security (FLS) and field masking. Rules that explicitly exclude fields may not be applied correctly for queries relying on generated .keyword fields, potentially exposing data to authenticated users with read access to restricted indexe...
CVE-2023-45807
OpenSearch Dashboards contains a tenant-permissions issue where authenticated users with read-only access to a tenant can create, edit, or delete index metadata for dashboards/visualizations in that tenant. This affects metadata only (not index data); read-only verification for data remains intac...
CVE-2022-35980
CVE-2022-35980 affects OpenSearch Security plugin versions 2.0.0.0 and 2.1.0.0. The flaw allows information disclosure when an OpenSearch cluster uses DLS/FLS/field masking and an aliased index causes queries to bypass filters (OpenSearch Dashboards alias to .kibana). OpenSearch 2.2.0 (and compat...
CVE-2022-41917
OpenSearch CVE-2022-41917 is an information-disclosure flaw in OpenSearch where an incorrect error-handling path allows certain crafted REST queries to read the first line from arbitrary text files, limited to files readable under the Java Security Manager policy. Affected versions are OpenSearch...
CVE-2022-41918
OpenSearch has a vulnerability where fine-grained access controls (document-level security, field-level security, and field masking) are not correctly applied to the indices backing data streams, potentially allowing incorrect access authorization. The issue affects OpenSearch prior to the patche...
CVE-2023-25806
OpenSearch Security (the OpenSearch Security plugin) has a time-discrepancy issue in authentication responses when using the internal basic IdP. The observed behavior affects authentication latency between requests for existing vs non-existing users. Patches are available in OpenSearch Security v...
CVE-2025-9624
OpenSearch CVE-2025-9624: A DoS vulnerability via complex query_string inputs affects OpenSearch 3.0.0β3.2.x and OpenSearch