PT-2023-20318 · Opensearch+1 · Opensearch Security+1
Cehenkle
Published: 2023-03-01 · Updated: 2025-04-03
CVE-2023-25806
CVSS v3.1: 5.3 (Medium)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
OpenSearch Security versions prior to 1.3.9
OpenSearch Security versions prior to 2.6.0
Description
OpenSearch Security is a plugin for OpenSearch that offers encryption, authentication, and authorization. There is an observable discrepancy in the authentication response time between calls where the provided user exists and calls where it does not. This issue only affects calls using the internal basic identity provider (IdP), and not other externally configured IdPs.
Recommendations
For versions prior to 1.3.9, update to version 1.3.9 or later.
For versions prior to 2.6.0, update to version 2.6.0 or later.
As there are no workarounds, applying the patch is the recommended course of action.
Exploit
Fix
Side Channel Attack
Related identifiers
Affected products
Opensearch Security
Red Os