Lucene search

Veracode Vulnerability DatabaseVERACODE:48026

HistoryJul 11, 2024 - 6:20 a.m.

Authorization Bypass

2024-07-1106:20:37

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

authorization bypass

improper verification

private tenant resources

notebooks

vulnerable software

CVSS3

4.2

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

AI Score

6.7

Confidence

High

JSON

org.opensearch.plugin, opensearch-observability is vulnerable to Authorization Bypass. The vulnerability is due to improper verification of the resource author, allowing attackers to access private tenant resources such as notebooks.

References

github.com/advisories/GHSA-77vc-rj32-2r33

github.com/opensearch-project/observability/commit/014423178f8f61d90442dde03cbdcd754c70a84e

github.com/opensearch-project/observability/security/advisories/GHSA-77vc-rj32-2r33

opensearch.org/versions/opensearch-2-14-0.html

CVSS3

4.2

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

AI Score

6.7

Confidence

High

JSON

Related for VERACODE:48026