OpenSearch JWT Whitespace Trimming Priv Escalation (v1.0.0-1.3.7 & 2.0.0-2.4.1)
CVE-2023-23612 Published on January 26, 2023

Issue with whitespace in JWT roles in OpenSearch
OpenSearch is an open source distributed and RESTful search engine. OpenSearch uses JWTs to store role claims obtained from the Identity Provider (IdP) when the authentication backend is SAML or OpenID Connect. There is an issue in how those claims are processed from the JWTs where the leading and trailing whitespace is trimmed, allowing users to potentially claim roles they are not assigned to if any role matches the whitespace-stripped version of the roles they are a member of. This issue is only present for authenticated users, and it requires either the existence of roles that match, not considering leading/trailing whitespace, or the ability for users to create said matching roles. In addition, the Identity Provider must allow leading and trailing spaces in role names. OpenSearch 1.0.0-1.3.7 and 2.0.0-2.4.1 are affected. Users are advised to upgrade to OpenSearch 1.3.8 or 2.5.0. There are no known workarounds for this issue.
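As an added illustration (not code from the advisory or the OpenSearch project), the Python below models the trimmed versus exact role matching the description refers to, plus an audit check that flags role claims carrying leading or trailing whitespace. The HS256 helper, the `roles` claim name, the role names and the key are constructed for this example, and the matching logic is a simplification of the plugin's role mapping.

```python
import base64
import hashlib
import hmac
import json

# Roles defined on the OpenSearch side (constructed sample, not a real config).
CONFIGURED_ROLES = {"all_access", "readall"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(claims: dict, key: bytes) -> str:
    """Build a minimal HS256 JWT, standing in for a token issued by the IdP."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def roles_from_jwt(token: str, key: bytes, roles_key: str = "roles") -> list:
    """Verify the signature and return the role claim values exactly as issued."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url_decode(sig), expected):
        raise ValueError("bad signature")
    roles = json.loads(b64url_decode(payload))[roles_key]
    return roles if isinstance(roles, list) else [roles]


def map_roles_vulnerable(claimed: list) -> list:
    """Behaviour described for 1.0.0-1.3.7 and 2.0.0-2.4.1: whitespace is
    trimmed before matching, so " all_access" collapses onto "all_access"."""
    return sorted(r.strip() for r in claimed if r.strip() in CONFIGURED_ROLES)


def map_roles_fixed(claimed: list) -> list:
    """Exact comparison: a claim with surrounding whitespace is a different role."""
    return sorted(r for r in claimed if r in CONFIGURED_ROLES)


def whitespace_role_claims(claimed: list) -> list:
    """Audit helper: role claims whose value differs from its trimmed form."""
    return [r for r in claimed if r != r.strip()]
```

Feeding the audit helper decoded tokens from an IdP export shows whether role names with surrounding whitespace exist at all, which the advisory names as a precondition.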


Vulnerability Analysis

CVE-2023-23612 is exploitable with network access, and requires user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be low, with a small impact on confidentiality, integrity and availability.

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: LOW

Weakness Type

What is an authentication Vulnerability?

When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.

CVE-2023-23612 has been classified as an authentication vulnerability or weakness.


Products Associated with CVE-2023-23612


Affected Versions

opensearch-project security:

Vulnerable Packages

The following package name and versions may be associated with CVE-2023-23612

Package Manager   Vulnerable Package                    Versions             Fixed In
maven             org.opensearch:opensearch-security    < 1.3.8              1.3.8
maven             org.opensearch:opensearch-security    >= 2.0.0, < 2.5.0    2.5.0

Exploit Probability

EPSS: 0.16%
Percentile: 36.53%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.