OpenSearch Security 2.0/2.1 Info Disclosure via DLS/FLS alias issue
CVE-2022-35980 Published on August 12, 2022
OpenSearch vulnerable to Improper Authorization of Index Containing Sensitive Information
OpenSearch Security is a plugin for OpenSearch that offers encryption, authentication and authorization. Versions 2.0.0.0 and 2.1.0.0 of the security plugin are affected by an information disclosure vulnerability. Requests to an OpenSearch cluster configured with advanced access control features document level security (DLS), field level security (FLS), and/or field masking will not be filtered when the query's search pattern matches an aliased index. OpenSearch Dashboards creates an alias to `.kibana` by default, so filters with the index pattern of `*` to restrict access to documents or fields will not be applied. This issue allows requests to access sensitive information when customer have acted to restrict access that specific information. OpenSearch 2.2.0, which is compatible with OpenSearch Security 2.2.0.0, contains the fix for this issue. There is no recommended work around.
Vulnerability Analysis
CVE-2022-35980 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.
Weakness Type
Improper Authorization of Index Containing Sensitive Information
The product creates a search index of private or sensitive documents, but it does not properly limit index access to actors who are authorized to see the original information. Web sites and other document repositories may apply an indexing routine against a group of private documents to facilitate search. If the index's results are available to parties who do not have access to the documents being indexed, then attackers could obtain portions of the documents by conducting targeted searches and reading the results. The risk is especially dangerous if search results include surrounding text that was not part of the search query. This issue can appear in search engines that are not configured (or implemented) to ignore critical files that should remain hidden; even without permissions to download these files directly, the remote user could read them.
Products Associated with CVE-2022-35980
Want to know whenever a new CVE is published for Amazon Opensearch? stack.watch will email you.
Affected Versions
opensearch-project security Version >= 2.0.0.0, <= 2.1.0.0 is affected by CVE-2022-35980Vulnerable Packages
The following package name and versions may be associated with CVE-2022-35980
| Package Manager | Vulnerable Package | Versions | Fixed In |
|---|---|---|---|
| maven | org.opensearch.plugin:opensearch-security | >= 2.0.0.0, <= 2.1.0.0 | 2.2.0.0 |
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.