OpenSearch Observability Plugin Data Leak <2.14
CVE-2024-39901 Published on July 9, 2024

OpenSearch Observability does not properly restrict access to private tenant resources
OpenSearch Observability is collection of plugins and applications that visualize data-driven events. An issue in the OpenSearch observability plugins allows unintended access to private tenant resources like notebooks. The system did not properly check if the user was the resource author when accessing resources in a private tenant, leading to potential data being revealed. The patches are included in OpenSearch 2.14.

Github Repository NVD

Vulnerability Analysis

CVE-2024-39901 can be exploited with network access, and requires small amount of user privileges. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.

Attack Vector:
NETWORK
Attack Complexity:
HIGH
Privileges Required:
LOW
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
LOW
Integrity Impact:
LOW
Availability Impact:
NONE

Weakness Type

What is an Insecure Direct Object Reference / IDOR Vulnerability?

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

CVE-2024-39901 has been classified to as an Insecure Direct Object Reference / IDOR vulnerability or weakness.


Products Associated with CVE-2024-39901

Want to know whenever a new CVE is published for Opensearch Observability? stack.watch will email you.

Opensearch Observability
 

Affected Versions

opensearch-project observability Version < 2.14.0.0 is affected by CVE-2024-39901

Vulnerable Packages

The following package name and versions may be associated with CVE-2024-39901

Package Manager Vulnerable Package Versions Fixed In
maven org.opensearch.plugin:opensearch-observability < 2.14.0.0 2.14.0.0

Exploit Probability

EPSS
0.24%
Percentile
46.96%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.