CVE-2023-31141

Published: May 8, 2023Modified: Nov 21, 2024

5.9

Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 2.2 / Impact: 3.6

Source: NVD

Description

OpenSearch is open-source software suite for search, analytics, and observability applications. Prior to versions 1.3.10 and 2.7.0, there is an issue with the implementation of fine-grained access control rules (document-level security, field-level security and field masking) where they are not correctly applied to the queries during extremely rare race conditions potentially leading to incorrect access authorization. For this issue to be triggered, two concurrent requests need to land on the same instance exactly when query cache eviction happens, once every four hours. OpenSearch 1.3.10 and 2.7.0 contain a fix for this issue.

Affected (4)

Products: Amazon: Opensearch, Opensearch Security

Amazon

2 products

Opensearch

Opensearch Security

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Amazon Opensearch	Before 1.3.10
Amazon Opensearch	From 2.0.0 to 2.7.0
Amazon Opensearch Security	Before 1.3.10
Amazon Opensearch Security	From 2.0.0 to 2.7.0

Related CWEs

CWE-863

Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References (2)

https://github.com/opensearch-project/security/security/advisories/GHSA-g8xc-6mf7-h28h

Source: security-advisories@github.com

Vendor Advisory

https://github.com/opensearch-project/security/security/advisories/GHSA-g8xc-6mf7-h28h

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.