CVE-2022-41906
CVSS V2 None
CVSS V3 High 8.7
Description
OpenSearch Notifications is a notifications plugin for OpenSearch that enables other plugins to send notifications via Email, Slack, Amazon Chime, Custom web-hook etc channels. A potential SSRF issue in OpenSearch Notifications Plugin 2.2.0 and below could allow an existing privileged user to enumerate listening services or interact with configured resources via HTTP requests exceeding the Notification plugin's intended scope. OpenSearch 2.2.1+ contains the fix for this issue. There are currently no recommended workarounds.
Overview
- CVE ID
- CVE-2022-41906
- Assigner
- security-advisories@github.com
- Vulnerability Status
- Analyzed
- Published Version
- 2022-11-11T19:15:11
- Last Modified Date
- 2022-11-16T17:08:30
Weakness Enumerations
CPE Configuration (Product)
| CPE | Vulnerable | Operator | Version Start | Version End |
|---|---|---|---|---|
| cpe:2.3:a:amazon:opensearch_notifications:*:*:*:*:*:docker:*:* | 1 | OR | 2.2.1.0 |
CVSS Version 3
- Version
- 3.1
- Vector String
- CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
- Attack Vector
- NETWORK
- Attack Compatibility
- LOW
- Privileges Required
- LOW
- User Interaction
- REQUIRED
- Scope
- CHANGED
- Confidentiality Impact
- HIGH
- Availability Impact
- NONE
- Base Score
- 8.7
- Base Severity
- HIGH
- Exploitability Score
- 2.3
- Impact Score
- 5.8
Sources
| Source Name | Source URL |
|---|---|
| NIST | https://nvd.nist.gov/vuln/detail/CVE-2022-41906 |
| MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41906 |
History
| Created | Old Value | New Value | Data Type | Notes |
|---|---|---|---|---|
| 2022-11-11 20:00:07 | Added to TrackCVE | |||
| 2022-12-07 17:40:14 | 2022-11-11T19:15Z | 2022-11-11T19:15:11 | CVE Published Date | updated |
| 2022-12-07 17:40:14 | 2022-11-16T17:08:30 | CVE Modified Date | updated | |
| 2022-12-07 17:40:14 | Analyzed | Vulnerability Status | updated | |
| 2022-12-07 17:40:16 | CPE Information | updated |