Skip to main content

Opensearch CVE-2022-41918

MEDIUM
Improper Authorization of Index Containing Sensitive Information (CWE-612)
2022-11-15 security-advisories@github.com
6.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
CVE Published
Nov 15, 2022 - 23:15 nvd
MEDIUM 6.3

DescriptionNVD

OpenSearch is a community-driven, open source fork of Elasticsearch and Kibana. There is an issue with the implementation of fine-grained access control rules (document-level security, field-level security and field masking) where they are not correctly applied to the indices that back data streams potentially leading to incorrect access authorization. OpenSearch 1.3.7 and 2.4.0 contain a fix for this issue. Users are advised to update. There are no known workarounds for this issue.

AnalysisAI

OpenSearch is a community-driven, open source fork of Elasticsearch and Kibana. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity.

Technical ContextAI

This vulnerability is classified under CWE-612. OpenSearch is a community-driven, open source fork of Elasticsearch and Kibana. There is an issue with the implementation of fine-grained access control rules (document-level security, field-level security and field masking) where they are not correctly applied to the indices that back data streams potentially leading to incorrect access authorization. OpenSearch 1.3.7 and 2.4.0 contain a fix for this issue. Users are advised to update. There are no known workarounds for this issue. Affected products include: Amazon Opensearch.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2022-31115 HIGH POC
8.8 Jun 30

opensearch-ruby is a community-driven, open source fork of elasticsearch-ruby. Rated high severity (CVSS 8.8), this vuln

CVE-2025-9624 HIGH POC
8.3 Nov 25

A vulnerability in OpenSearch allows attackers to cause Denial of Service (DoS) by submitting complex query_string input

CVE-2023-23612 HIGH
8.8 Jan 26

OpenSearch is an open source distributed and RESTful search engine. Rated high severity (CVSS 8.8), this vulnerability i

CVE-2022-35980 HIGH
7.5 Aug 12

OpenSearch Security is a plugin for OpenSearch that offers encryption, authentication and authorization. Rated high seve

CVE-2023-23613 MEDIUM
6.5 Jan 26

OpenSearch is an open source distributed and RESTful search engine. Rated medium severity (CVSS 6.5), this vulnerability

CVE-2023-31141 MEDIUM
5.9 May 08

OpenSearch is open-source software suite for search, analytics, and observability applications. Rated medium severity (C

CVE-2023-45807 MEDIUM
5.4 Oct 16

OpenSearch is a community-driven, open source fork of Elasticsearch and Kibana following the license change in early 202

CVE-2023-25806 MEDIUM
5.3 Mar 02

OpenSearch Security is a plugin for OpenSearch that offers encryption, authentication and authorization. Rated medium se

CVE-2023-23933 MEDIUM
4.3 Feb 03

OpenSearch Anomaly Detection identifies atypical data and receives automatic notifications. Rated medium severity (CVSS

CVE-2022-41917 MEDIUM
4.3 Nov 16

OpenSearch is a community-driven, open source fork of Elasticsearch and Kibana. Rated medium severity (CVSS 4.3), this v

Share

CVE-2022-41918 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy