Opensearch
CVE-2023-45807
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Lifecycle Timeline
1DescriptionNVD
OpenSearch is a community-driven, open source fork of Elasticsearch and Kibana following the license change in early 2021. There is an issue with the implementation of tenant permissions in OpenSearch Dashboards where authenticated users with read-only access to a tenant can perform create, edit and delete operations on index metadata of dashboards and visualizations in that tenant, potentially rendering them unavailable. This issue does not affect index data, only metadata. Dashboards correctly enforces read-only permissions when indexing and updating documents. This issue does not provide additional read access to data users don’t already have. This issue can be mitigated by disabling the tenants functionality for the cluster. Versions 1.3.14 and 2.11.0 contain a fix for this issue.
AnalysisAI
OpenSearch is a community-driven, open source fork of Elasticsearch and Kibana following the license change in early 2021. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified under CWE-281. OpenSearch is a community-driven, open source fork of Elasticsearch and Kibana following the license change in early 2021. There is an issue with the implementation of tenant permissions in OpenSearch Dashboards where authenticated users with read-only access to a tenant can perform create, edit and delete operations on index metadata of dashboards and visualizations in that tenant, potentially rendering them unavailable. This issue does not affect index data, only metadata. Dashboards correctly enforces read-only permissions when indexing and updating documents. This issue does not provide additional read access to data users don’t already have. This issue can be mitigated by disabling the tenants functionality for the cluster. Versions 1.3.14 and 2.11.0 contain a fix for this issue. Affected products include: Amazon Opensearch.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
More in Opensearch
View allopensearch-ruby is a community-driven, open source fork of elasticsearch-ruby. Rated high severity (CVSS 8.8), this vuln
A vulnerability in OpenSearch allows attackers to cause Denial of Service (DoS) by submitting complex query_string input
OpenSearch is an open source distributed and RESTful search engine. Rated high severity (CVSS 8.8), this vulnerability i
OpenSearch Security is a plugin for OpenSearch that offers encryption, authentication and authorization. Rated high seve
OpenSearch is an open source distributed and RESTful search engine. Rated medium severity (CVSS 6.5), this vulnerability
OpenSearch is a community-driven, open source fork of Elasticsearch and Kibana. Rated medium severity (CVSS 6.3), this v
OpenSearch is open-source software suite for search, analytics, and observability applications. Rated medium severity (C
OpenSearch Security is a plugin for OpenSearch that offers encryption, authentication and authorization. Rated medium se
OpenSearch Anomaly Detection identifies atypical data and receives automatic notifications. Rated medium severity (CVSS
OpenSearch is a community-driven, open source fork of Elasticsearch and Kibana. Rated medium severity (CVSS 4.3), this v
Same weakness CWE-281 – Improper Preservation of Permissions
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today