Access Control Bypass in OpenSearch 1.3.x/2.x (doc-level security)
CVE-2022-41918 Published on November 15, 2022
Issue with fine-grained access control of indices backing data streams
OpenSearch is a community-driven, open source fork of Elasticsearch and Kibana. There is an issue with the implementation of fine-grained access control rules (document-level security, field-level security and field masking) where they are not correctly applied to the indices that back data streams potentially leading to incorrect access authorization. OpenSearch 1.3.7 and 2.4.0 contain a fix for this issue. Users are advised to update. There are no known workarounds for this issue.
Vulnerability Analysis
CVE-2022-41918 is exploitable with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be low. considered to have a small impact on confidentiality and integrity and availability.
Weakness Types
What is an AuthZ Vulnerability?
The software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.
CVE-2022-41918 has been classified to as an AuthZ vulnerability or weakness.
Improper Authorization of Index Containing Sensitive Information
The product creates a search index of private or sensitive documents, but it does not properly limit index access to actors who are authorized to see the original information. Web sites and other document repositories may apply an indexing routine against a group of private documents to facilitate search. If the index's results are available to parties who do not have access to the documents being indexed, then attackers could obtain portions of the documents by conducting targeted searches and reading the results. The risk is especially dangerous if search results include surrounding text that was not part of the search query. This issue can appear in search engines that are not configured (or implemented) to ignore critical files that should remain hidden; even without permissions to download these files directly, the remote user could read them.
Products Associated with CVE-2022-41918
Want to know whenever a new CVE is published for Amazon Opensearch? stack.watch will email you.
Affected Versions
opensearch-project security:- Version <1.3.7 is affected.
- Version >= 2.0.0, < 2.4.0 is affected.
Vulnerable Packages
The following package name and versions may be associated with CVE-2022-41918
| Package Manager | Vulnerable Package | Versions | Fixed In |
|---|---|---|---|
| maven | org.opensearch.plugin:opensearch-security | < 1.3.7 | 1.3.7 |
| maven | org.opensearch.plugin:opensearch-security | >= 2.0.0, < 2.4.0 | 2.4.0 |
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.