CVE-2022-41918

Summary

OpenSearch is a community-driven, open source fork of Elasticsearch and Kibana. There is an issue with the implementation of fine-grained access control rules (document-level security, field-level security and field masking) where they are not correctly applied to the indices that back data streams potentially leading to incorrect access authorization. OpenSearch 1.3.7 and 2.4.0 contain a fix for this issue. Users are advised to update. There are no known workarounds for this issue.

Affected Software

VendorProductVersion RangeStatus
opensearch-projectsecurity<1.3.7affected
opensearch-projectsecurity>= 2.0.0, < 2.4.0affected

Weaknesses

  • CWE-863: CWE-863: Incorrect Authorization
  • CWE-612: CWE-612: Improper Authorization of Index Containing Sensitive Information

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References