OpenSearch <1.3.7> LFI in Analyzer Config
CVE-2022-41917 Published on November 16, 2022
Incorrect Error Handling Allowed Partial File Reads Over REST API in OpenSearch
OpenSearch is a community-driven, open source fork of Elasticsearch and Kibana. OpenSearch allows users to specify a local file when defining text analyzers to process data for text analysis. An issue in the implementation of this feature allows certain specially crafted queries to return a response containing the first line of text from arbitrary files. The list of potentially impacted files is limited to text files with read permissions allowed in the Java Security Manager policy configuration. OpenSearch versions 1.3.7 and 2.4.0 contain a fix for this issue. Users are advised to upgrade. There are no known workarounds for this issue.
Vulnerability Analysis
CVE-2022-41917 can be exploited with network access and requires a small amount of user privileges. This vulnerability is considered to have a low attack complexity. An exploit of this vulnerability is considered to have a small impact on confidentiality, a small impact on integrity and availability.
Weakness Type
What is an Information Disclosure Vulnerability?
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CVE-2022-41917 has been classified as an Information Disclosure vulnerability or weakness.
Products Associated with CVE-2022-41917
Affected Versions
opensearch-project OpenSearch:
- Version < 1.3.7 is affected.
- Version >= 2.0.0, < 2.4.0 is affected.
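The affected ranges above can be turned into a fleet triage check. The following is an added example, not code from the advisory or the OpenSearch project. It assumes each cluster's version is read from the `version.number` and `version.distribution` fields of the JSON body returned by the cluster's root endpoint; the function names are hypothetical and the sample bodies are constructed.

```python
import json
import re

# Affected ranges from the advisory: (inclusive lower bound, first fixed release).
AFFECTED = [((0, 0, 0), (1, 3, 7)), ((2, 0, 0), (2, 4, 0))]

# Constructed sample bodies, trimmed to the fields used (not real clusters).
SAMPLES = [
    '{"cluster_name": "logs-a", "version": {"distribution": "opensearch", "number": "1.3.6"}}',
    '{"cluster_name": "logs-b", "version": {"distribution": "opensearch", "number": "2.4.0"}}',
    '{"cluster_name": "legacy", "version": {"number": "7.10.2"}}',
]


def parse_version(text):
    """Return ((major, minor, patch), is_prerelease) for e.g. '2.4.0-SNAPSHOT'."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p) for p in m.group(1, 2, 3)), m.group(4) is not None


def fixed_in(version_text):
    """Return the release to upgrade to, or None when outside the affected ranges."""
    version, prerelease = parse_version(version_text)
    for low, fix in AFFECTED:
        # Assumption: a pre-release build of a fixed version is not trusted to
        # carry the fix, so it is reported as affected.
        if low <= version < fix or (prerelease and version == fix):
            return ".".join(map(str, fix))
    return None


def triage(root_body):
    """Classify one cluster from the JSON body returned by its root endpoint."""
    info = json.loads(root_body)
    ver = info.get("version", {})
    # Only OpenSearch distributions are in scope for this CVE.
    if ver.get("distribution") != "opensearch":
        return info.get("cluster_name"), "not-opensearch", None
    fix = fixed_in(ver["number"])
    return info.get("cluster_name"), "affected" if fix else "not-affected", fix


if __name__ == "__main__":
    for body in SAMPLES:
        print(triage(body))
```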
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.