6 matches found
CVE-2022-31115
Opensearch-ruby before 2.0.1 is affected by unsafe YAML deserialization via YAML.load (not YAML.safe_load). Vulnerable in 2.0.0 and earlier when the response is YAML, exploitable only if an attacker controls the opensearch server and lures the victim to connect. Patch available in 2.0.1 (and subs...
CVE-2023-31141
OpenSearch vulnerability CVE-2023-31141 involves race-condition on access-control rules (document-level/field-level security and field masking) where queries may bypass correct authorization under extremely rare timing with concurrent requests and query-cache eviction. Affected are OpenSearch rel...
CVE-2023-45807
OpenSearch Dashboards contains a tenant-permissions issue where authenticated users with read-only access to a tenant can create, edit, or delete index metadata for dashboards/visualizations in that tenant. This affects metadata only (not index data); read-only verification for data remains intac...
CVE-2022-41918
OpenSearch has a vulnerability where fine-grained access controls (document-level security, field-level security, and field masking) are not correctly applied to the indices backing data streams, potentially allowing incorrect access authorization. The issue affects OpenSearch prior to the patche...
CVE-2023-25806
OpenSearch Security (the OpenSearch Security plugin) has a time-discrepancy issue in authentication responses when using the internal basic IdP. The observed behavior affects authentication latency between requests for existing vs non-existing users. Patches are available in OpenSearch Security v...
CVE-2025-9624
OpenSearch CVE-2025-9624: A DoS vulnerability via complex query_string inputs affects OpenSearch 3.0.0–3.2.x and OpenSearch