CVE Tools
Sign in

CVE-2022-35980

OpenSearch vulnerable to Improper Authorization of Index Containing Sensitive Information

Published: Aug 12, 2022Updated: Nov 21, 2024 Sources: CVE List NVD GHSACWE-612
NVD MITRE
7.5CVSSHIGH
EPSS Score
0.9%
Top 44.5%
CISA KEV
Not in KEV
Exploits
No Known Exploits
Remediation
Patch Available

Description

OpenSearch Security is a plugin for OpenSearch that offers encryption, authentication and authorization. Versions 2.0.0.0 and 2.1.0.0 of the security plugin are affected by an information disclosure vulnerability. Requests to an OpenSearch cluster configured with advanced access control features document level security (DLS), field level security (FLS), and/or field masking will not be filtered when the query's search pattern matches an aliased index. OpenSearch Dashboards creates an alias to `.kibana` by default, so filters with the index pattern of `*` to restrict access to documents or fields will not be applied. This issue allows requests to access sensitive information when customer have acted to restrict access that specific information. OpenSearch 2.2.0, which is compatible with OpenSearch Security 2.2.0.0, contains the fix for this issue. There is no recommended work around.

CVSS Vector Breakdown

AV:NAC:LPR:NUI:NS:UC:HI:NA:N
Exploitability
AV:NAttack Vector
Network
AC:LAttack Complexity
Low
PR:NPrivileges Required
None
UI:NUser Interaction
None
Scope
S:UScope
Unchanged
Impact
C:HConfidentiality
High
I:NIntegrity
None
A:NAvailability
None
Open in CVSS calculator →

Weaknesses

CWE-612NVD-CWE-Other

Affected Products

opensearchamazon
SaaS
Cloud & SaaS / cloud-platform
org.opensearch.plugin:opensearch-securityMavenOSS Libraries
securityopensearch-project
Mixed
Databases / nosql
amazoncommercialUSCloud & SaaS
mavenpackage-ecosystemOSS Libraries
opensearch-projectoss-projectDatabasesaka security, data-prepper, anomaly-detection

Exploitability

Official Patch Available

References

https://github.com/opensearch-project/security/commit/7eaaafec2939d7db23a02ffca9cc68e0343de246
github.com
https://github.com/opensearch-project/security/pull/1999
github.com
https://github.com/opensearch-project/security/security/advisories/GHSA-f4qr-f4xx-hjxw
github.com
and 2 more references View all →

Timeline

Published
Aug 12, 2022
Last Updated
Nov 21, 2024

Unlock Complete Vulnerability Intelligence

Get the full picture for CVE-2022-35980 and every CVE in our database. Create a free account — no credit card required.

Create Free Account
Plain-language analysis
Impact assessment and exploitation scenario in plain English
Attack graph visualization
Interactive attack path and kill chain mapping
Exploit details & PoC links
ExploitDB, Metasploit, GitHub PoCs with direct links
Nuclei scanner templates
Ready-to-use vulnerability scanner templates
Full remediation guide
Patch instructions, workarounds, and compliance impact
Interactive AI chat
Ask questions about this vulnerability in natural language
Related vulnerabilities
Semantically similar CVEs and attack patterns
REST API & MCP access
Integrate vulnerability data into your workflows