CVE-2022-41918

CVSS V2 None CVSS V3 Critical 9.8
Description
OpenSearch is a community-driven, open source fork of Elasticsearch and Kibana. There is an issue with the implementation of fine-grained access control rules (document-level security, field-level security and field masking) where they are not correctly applied to the indices that back data streams potentially leading to incorrect access authorization. OpenSearch 1.3.7 and 2.4.0 contain a fix for this issue. Users are advised to update. There are no known workarounds for this issue.
Overview
  • CVE ID
  • CVE-2022-41918
  • Assigner
  • security-advisories@github.com
  • Vulnerability Status
  • Analyzed
  • Published Version
  • 2022-11-15T23:15:28
  • Last Modified Date
  • 2022-12-12T19:43:03
Weakness Enumerations
CWE URL
CWE-863 http://cwe.mitre.org/data/definitions/863.html
CPE Configuration (Product)
CPE Vulnerable Operator Version Start Version End
cpe:2.3:a:amazon:opensearch:*:*:*:*:*:docker:*:* 1 OR 1.3.7
cpe:2.3:a:amazon:opensearch:*:*:*:*:*:docker:*:* 1 OR 2.0.0 2.4.0
CVSS Version 3
  • Version
  • 3.1
  • Vector String
  • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Attack Vector
  • NETWORK
  • Attack Compatibility
  • LOW
  • Privileges Required
  • NONE
  • User Interaction
  • NONE
  • Scope
  • UNCHANGED
  • Confidentiality Impact
  • HIGH
  • Availability Impact
  • HIGH
  • Base Score
  • 9.8
  • Base Severity
  • CRITICAL
  • Exploitability Score
  • 3.9
  • Impact Score
  • 5.9
References
Reference URL Reference Tags
https://github.com/opensearch-project/security/commit/f7cc569c9d3fa5d5432c76c854eed280d45ce6f4
https://github.com/opensearch-project/security/security/advisories/GHSA-wmx7-x4jp-9jgg
Sources
Source Name Source URL
NIST https://nvd.nist.gov/vuln/detail/CVE-2022-41918
MITRE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41918
History
Created Old Value New Value Data Type Notes
2022-11-16 00:00:15 Added to TrackCVE
2022-12-07 17:49:00 2022-11-15T23:15Z 2022-11-15T23:15:28 CVE Published Date updated
2022-12-07 17:49:00 2022-11-18T20:14:11 CVE Modified Date updated
2022-12-07 17:49:00 Analyzed Vulnerability Status updated
2022-12-07 17:49:01 CPE Information updated
2022-12-09 16:15:42 2022-12-09T15:18:22 CVE Modified Date updated
2022-12-12 19:15:02 Analyzed Undergoing Analysis Vulnerability Status updated
2022-12-12 20:15:22 2022-12-12T19:43:03 CVE Modified Date updated
2022-12-12 20:15:22 Undergoing Analysis Analyzed Vulnerability Status updated