Skip to main content

Opensearch CVE-2023-25806

MEDIUM
Observable Timing Discrepancy (CWE-208)
2023-03-02 security-advisories@github.com
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

1
CVE Published
Mar 02, 2023 - 04:15 nvd
MEDIUM 5.3

DescriptionNVD

OpenSearch Security is a plugin for OpenSearch that offers encryption, authentication and authorization. There is an observable discrepancy in the authentication response time between calls where the user provided exists and calls where it does not. This issue only affects calls using the internal basic identity provider (IdP), and not other externally configured IdPs. Patches were released in versions 1.3.9 and 2.6.0, there are no workarounds.

AnalysisAI

OpenSearch Security is a plugin for OpenSearch that offers encryption, authentication and authorization. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified under CWE-208. OpenSearch Security is a plugin for OpenSearch that offers encryption, authentication and authorization. There is an observable discrepancy in the authentication response time between calls where the user provided exists and calls where it does not. This issue only affects calls using the internal basic identity provider (IdP), and not other externally configured IdPs. Patches were released in versions 1.3.9 and 2.6.0, there are no workarounds. Affected products include: Amazon Opensearch, Amazon Opensearch Security.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2022-31115 HIGH POC
8.8 Jun 30

opensearch-ruby is a community-driven, open source fork of elasticsearch-ruby. Rated high severity (CVSS 8.8), this vuln

CVE-2025-9624 HIGH POC
8.3 Nov 25

A vulnerability in OpenSearch allows attackers to cause Denial of Service (DoS) by submitting complex query_string input

CVE-2023-23612 HIGH
8.8 Jan 26

OpenSearch is an open source distributed and RESTful search engine. Rated high severity (CVSS 8.8), this vulnerability i

CVE-2022-35980 HIGH
7.5 Aug 12

OpenSearch Security is a plugin for OpenSearch that offers encryption, authentication and authorization. Rated high seve

CVE-2023-23613 MEDIUM
6.5 Jan 26

OpenSearch is an open source distributed and RESTful search engine. Rated medium severity (CVSS 6.5), this vulnerability

CVE-2022-41918 MEDIUM
6.3 Nov 15

OpenSearch is a community-driven, open source fork of Elasticsearch and Kibana. Rated medium severity (CVSS 6.3), this v

CVE-2023-31141 MEDIUM
5.9 May 08

OpenSearch is open-source software suite for search, analytics, and observability applications. Rated medium severity (C

CVE-2023-45807 MEDIUM
5.4 Oct 16

OpenSearch is a community-driven, open source fork of Elasticsearch and Kibana following the license change in early 202

CVE-2023-23933 MEDIUM
4.3 Feb 03

OpenSearch Anomaly Detection identifies atypical data and receives automatic notifications. Rated medium severity (CVSS

CVE-2022-41917 MEDIUM
4.3 Nov 16

OpenSearch is a community-driven, open source fork of Elasticsearch and Kibana. Rated medium severity (CVSS 4.3), this v

Share

CVE-2023-25806 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy