CVE-2022-35980 — HIGH (7.5)

Vulnerability Description

OpenSearch Security is a plugin for OpenSearch that offers encryption, authentication and authorization. Versions 2.0.0.0 and 2.1.0.0 of the security plugin are affected by an information disclosure vulnerability. Requests to an OpenSearch cluster configured with advanced access control features document level security (DLS), field level security (FLS), and/or field masking will not be filtered when the query's search pattern matches an aliased index. OpenSearch Dashboards creates an alias to `.kibana` by default, so filters with the index pattern of `*` to restrict access to documents or fields will not be applied. This issue allows requests to access sensitive information when customer have acted to restrict access that specific information. OpenSearch 2.2.0, which is compatible with OpenSearch Security 2.2.0.0, contains the fix for this issue. There is no recommended work around.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Amazon	Opensearch	2.0.0

Related Weaknesses (CWE)

CWE-612

References

https://github.com/opensearch-project/security/commit/7eaaafec2939d7db23a02ffca9PatchThird Party Advisory
https://github.com/opensearch-project/security/pull/1999PatchThird Party Advisory
https://github.com/opensearch-project/security/security/advisories/GHSA-f4qr-f4xThird Party Advisory
https://github.com/opensearch-project/security/commit/7eaaafec2939d7db23a02ffca9PatchThird Party Advisory
https://github.com/opensearch-project/security/pull/1999PatchThird Party Advisory
https://github.com/opensearch-project/security/security/advisories/GHSA-f4qr-f4xThird Party Advisory

FAQ

What is CVE-2022-35980?

CVE-2022-35980 is a vulnerability with a CVSS score of 7.5 (HIGH). OpenSearch Security is a plugin for OpenSearch that offers encryption, authentication and authorization. Versions 2.0.0.0 and 2.1.0.0 of the security plugin are affected by an information disclosure v...

How severe is CVE-2022-35980?

CVE-2022-35980 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2022-35980?

Check the references section above for vendor advisories and patch information. Affected products include: Amazon Opensearch.