Skip to main content

Opensearch CVE-2022-31115

HIGH
Deserialization of Untrusted Data (CWE-502)
2022-06-30 security-advisories@github.com
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Jun 30, 2022 - 22:15 nvd
HIGH 8.8

DescriptionNVD

opensearch-ruby is a community-driven, open source fork of elasticsearch-ruby. In versions prior to 2.0.1 the ruby YAML.load function was used instead of YAML.safe_load. As a result opensearch-ruby 2.0.0 and prior can lead to unsafe deserialization using YAML.load if the response is of type YAML. An attacker must be in control of an opensearch server and convince the victim to connect to it in order to exploit this vulnerability. The problem has been patched in opensearch-ruby gem version 2.0.1. Users are advised to upgrade. There are no known workarounds for this issue.

AnalysisAI

opensearch-ruby is a community-driven, open source fork of elasticsearch-ruby. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Technical ContextAI

This vulnerability is classified as Deserialization of Untrusted Data (CWE-502), which allows attackers to execute arbitrary code through malicious serialized objects. opensearch-ruby is a community-driven, open source fork of elasticsearch-ruby. In versions prior to 2.0.1 the ruby YAML.load function was used instead of YAML.safe_load. As a result opensearch-ruby 2.0.0 and prior can lead to unsafe deserialization using YAML.load if the response is of type YAML. An attacker must be in control of an opensearch server and convince the victim to connect to it in order to exploit this vulnerability. The problem has been patched in opensearch-ruby gem version 2.0.1. Users are advised to upgrade. There are no known workarounds for this issue. Affected products include: Amazon Opensearch. Version information: prior to 2.0.1.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Avoid deserializing untrusted data. Use safe serialization formats (JSON). Implement integrity checks and type allowlists.

CVE-2025-9624 HIGH POC
8.3 Nov 25

A vulnerability in OpenSearch allows attackers to cause Denial of Service (DoS) by submitting complex query_string input

CVE-2023-23612 HIGH
8.8 Jan 26

OpenSearch is an open source distributed and RESTful search engine. Rated high severity (CVSS 8.8), this vulnerability i

CVE-2022-35980 HIGH
7.5 Aug 12

OpenSearch Security is a plugin for OpenSearch that offers encryption, authentication and authorization. Rated high seve

CVE-2023-23613 MEDIUM
6.5 Jan 26

OpenSearch is an open source distributed and RESTful search engine. Rated medium severity (CVSS 6.5), this vulnerability

CVE-2022-41918 MEDIUM
6.3 Nov 15

OpenSearch is a community-driven, open source fork of Elasticsearch and Kibana. Rated medium severity (CVSS 6.3), this v

CVE-2023-31141 MEDIUM
5.9 May 08

OpenSearch is open-source software suite for search, analytics, and observability applications. Rated medium severity (C

CVE-2023-45807 MEDIUM
5.4 Oct 16

OpenSearch is a community-driven, open source fork of Elasticsearch and Kibana following the license change in early 202

CVE-2023-25806 MEDIUM
5.3 Mar 02

OpenSearch Security is a plugin for OpenSearch that offers encryption, authentication and authorization. Rated medium se

CVE-2023-23933 MEDIUM
4.3 Feb 03

OpenSearch Anomaly Detection identifies atypical data and receives automatic notifications. Rated medium severity (CVSS

CVE-2022-41917 MEDIUM
4.3 Nov 16

OpenSearch is a community-driven, open source fork of Elasticsearch and Kibana. Rated medium severity (CVSS 4.3), this v

Share

CVE-2022-31115 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy