CVSS3: 6.5 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
AI Score: 6.9 Medium (Confidence: Low)
EPSS: 0.001 Low (Percentile: 26.5%)

OpenSearch is an open source distributed and RESTful search engine. In
affected versions there is an issue in the implementation of field-level
security (FLS) and field masking where rules written to explicitly exclude
fields are not correctly applied for certain queries that rely on their
auto-generated .keyword fields. This issue is only present for
authenticated users with read access to the indexes containing the
restricted fields. This may expose data which may otherwise not be
accessible to the user. OpenSearch 1.0.0-1.3.7 and 2.0.0-2.4.1 are
affected. Users are advised to upgrade to OpenSearch 1.3.8 or 2.5.0. Users
unable to upgrade may write explicit exclusion rules as a workaround.
Policies authored in this way are not subject to this issue.
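
An audit for the workaround, as an added example that is not part of the advisory or of OpenSearch's own code: it scans role definitions for FLS exclusion rules (`~field`) that have no matching exclusion for the auto-generated `field.keyword` sub-field. It assumes the workaround means pairing each `~field` with `~field.keyword`, that `*` wildcards in FLS rules behave like shell globs, and that every excluded field may have a `.keyword` sub-field; the `ROLES` sample and the function name are constructed.

```python
from fnmatch import fnmatchcase

# Constructed sample, shaped like security-plugin role definitions (roles.yml as a dict).
ROLES = {
    "hr_reader": {"index_permissions": [{
        "index_patterns": ["employees-*"],
        "fls": ["~ssn", "~salary", "~salary.keyword"],
        "allowed_actions": ["read"]}]},
    "support": {"index_permissions": [{
        "index_patterns": ["tickets"],
        "fls": ["~customer.*"],          # wildcard already covers customer.*.keyword
        "allowed_actions": ["read"]}]},
    "analyst": {"index_permissions": [{
        "index_patterns": ["events"],
        "fls": ["user", "timestamp"],    # include-list, not an exclusion rule
        "allowed_actions": ["read"]}]},
}


def missing_keyword_exclusions(roles):
    """Return (role, index_patterns, rule_to_add) for each FLS exclusion
    whose .keyword sub-field is not covered by any exclusion in the same
    index permission block."""
    findings = []
    for role, body in sorted(roles.items()):
        for perm in body.get("index_permissions", []):
            # Exclusion rules are the entries prefixed with "~".
            excluded = [f[1:] for f in perm.get("fls", []) if f.startswith("~")]
            for field in excluded:
                if field.endswith(".keyword"):
                    continue  # already an explicit .keyword exclusion
                target = field + ".keyword"
                # Assumption: glob-style matching approximates FLS wildcards.
                if not any(fnmatchcase(target, pat) for pat in excluded):
                    findings.append(
                        (role, tuple(perm.get("index_patterns", [])), "~" + target))
    return findings


if __name__ == "__main__":
    for role, patterns, rule in missing_keyword_exclusions(ROLES):
        print(f"role={role} indexes={list(patterns)} add exclusion: {rule}")
```
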
OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 24.04 | noarch | opensearch | < any | UNKNOWN |