Vulnerability Description
OpenSearch is a community-driven, open source fork of Elasticsearch and Kibana. Its fine-grained access control rules (document-level security, field-level security and field masking) were not correctly applied to the indices that back data streams, which can result in incorrect access authorization for documents and fields that those rules were meant to restrict. OpenSearch 1.3.7 and 2.4.0 contain a fix for this issue. Users are advised to update. There are no known workarounds for this issue.
CVSS Score
6.3 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Amazon | Opensearch | < 1.3.7 |
Related Weaknesses (CWE)
References
- https://github.com/opensearch-project/security/commit/f7cc569c9d3fa5d5432c76c854 (Patch, Third Party Advisory)
- https://github.com/opensearch-project/security/security/advisories/GHSA-wmx7-x4j (Third Party Advisory)
FAQ
What is CVE-2022-41918?
CVE-2022-41918 is a vulnerability with a CVSS score of 6.3 (MEDIUM). OpenSearch is a community-driven, open source fork of Elasticsearch and Kibana. There is an issue with the implementation of fine-grained access control rules (document-level security, field-level sec...
How severe is CVE-2022-41918?
CVE-2022-41918 has been rated MEDIUM with a CVSS base score of 6.3/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2022-41918?
Check the references section above for vendor advisories and patch information. Affected products include: Amazon Opensearch.