OpenSearch Dashboards Reports Unchecked Tenant Access (2.13)
CVE-2024-39900 Published on July 9, 2024

OpenSearch Dashboards Reports does not properly restrict access to private tenant resources
OpenSearch Dashboards Reports allows Report Owner export and share reports from OpenSearch Dashboards. An issue in the OpenSearch reporting plugin allows unintended access to private tenant resources like notebooks. The system did not properly check if the user was the resource author when accessing resources in a private tenant, leading to potential data being revealed. The patches are included in OpenSearch 2.14.

Github Repository NVD

Vulnerability Analysis

CVE-2024-39900 is exploitable with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
LOW
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
LOW
Integrity Impact:
LOW
Availability Impact:
NONE

Weakness Type

What is an Insecure Direct Object Reference / IDOR Vulnerability?

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

CVE-2024-39900 has been classified to as an Insecure Direct Object Reference / IDOR vulnerability or weakness.


Products Associated with CVE-2024-39900

Want to know whenever a new CVE is published for Opensearch Observability? stack.watch will email you.

Opensearch Observability
 

Affected Versions

opensearch-project reporting Version < 2.14.0.0 is affected by CVE-2024-39900

Vulnerable Packages

The following package name and versions may be associated with CVE-2024-39900

Package Manager Vulnerable Package Versions Fixed In
maven org.opensearch.plugin:opensearch-reports-scheduler < 2.14.0.0 2.14.0.0

Exploit Probability

EPSS
0.20%
Percentile
41.91%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.