Cehenkle

**Name of the Vulnerable Software and Affected Versions** OpenSearch versions prior to 1.3.14 OpenSearch versions prior to 2.11.0 **Description** There is an issue with the implementation of tenant permissions in OpenSearch Dashboards where authenticated users with read-only access to a tenant can perform create, edit and delete operations on index metadata of dashboards and visualizations in that tenant, potentially rendering them unavailable. This issue does not affect index data, only metadata. Dashboards correctly enforces read-only permissions when indexing and updating documents. This issue does not provide additional read access to data users don’t already have. **Recommendations** For versions prior to 1.3.14, update to version 1.3.14 or later to resolve the issue. For versions prior to 2.11.0, update to version 2.11.0 or later to resolve the issue. As a temporary workaround, consider disabling the tenants functionality for the cluster until a patch is available.

**Name of the Vulnerable Software and Affected Versions** OpenSearch Security versions prior to 1.3.9 OpenSearch Security versions prior to 2.6.0 **Description** OpenSearch Security is a plugin for OpenSearch that offers encryption, authentication, and authorization. There is an observable discrepancy in the authentication response time between calls where the user provided exists and calls where it does not. This issue only affects calls using the internal basic identity provider (IdP), and not other externally configured IdPs. **Recommendations** For versions prior to 1.3.9, update to version 1.3.9 or later. For versions prior to 2.6.0, update to version 2.6.0 or later. As there are no workarounds, applying the patch is the recommended course of action.

**Name of the Vulnerable Software and Affected Versions** OpenSearch versions prior to 1.3.8 OpenSearch versions prior to 2.6.0 **Description** There is an issue with the application of document and field level restrictions in the Anomaly Detection plugin, where users with the Anomaly Detector role can read aggregated numerical data of fields that are otherwise restricted to them. This issue only affects authenticated users who were previously granted read access to the indexes containing the restricted fields. **Recommendations** For versions prior to 1.3.8, update to version 1.3.8 or later to resolve the issue. For versions prior to 2.6.0, update to version 2.6.0 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** OpenSearch versions 1.0.0 through 1.3.7 OpenSearch versions 2.0.0 through 2.4.1 **Description** OpenSearch uses JWTs to store role claims obtained from the Identity Provider (IdP) when the authentication backend is SAML or OpenID Connect. There is an issue in how those claims are processed from the JWTs where the leading and trailing whitespace is trimmed, allowing users to potentially claim roles they are not assigned to if any role matches the whitespace-stripped version of the roles they are a member of. This issue is only present for authenticated users, and it requires either the existence of roles that match, not considering leading/trailing whitespace, or the ability for users to create said matching roles. In addition, the Identity Provider must allow leading and trailing spaces in role names. **Recommendations** Upgrade to OpenSearch 1.3.8 for versions 1.0.0 through 1.3.7. Upgrade to OpenSearch 2.5.0 for versions 2.0.0 through 2.4.1.

**Name of the Vulnerable Software and Affected Versions** OpenSearch versions 1.0.0 through 1.3.7 OpenSearch versions 2.0.0 through 2.4.1 **Description** There is an issue in the implementation of field-level security (FLS) and field masking where rules written to explicitly exclude fields are not correctly applied for certain queries that rely on their auto-generated `.keyword` fields. This issue is only present for authenticated users with read access to the indexes containing the restricted fields, which may expose data that would otherwise not be accessible to the user. **Recommendations** For OpenSearch versions 1.0.0 through 1.3.7, upgrade to OpenSearch 1.3.8. For OpenSearch versions 2.0.0 through 2.4.1, upgrade to OpenSearch 2.5.0. As a temporary workaround for users unable to upgrade, consider writing explicit exclusion rules to grant explicit access instead, as policies authored in this way are not subject to this issue.

**Name of the Vulnerable Software and Affected Versions** OpenSearch versions prior to 1.3.7 OpenSearch versions prior to 2.4.0 **Description** There is an issue with the implementation of fine-grained access control rules, including document-level security, field-level security, and field masking, where they are not correctly applied to the indices that back data streams. This potentially leads to incorrect access authorization. The issue can only be triggered by authenticated users authorized to read those data streams which are backed by the impacted indexes. Existing privileged users cannot access random indexes within these clusters; they can only access indexes to which they have already been granted permission. **Recommendations** For versions prior to 1.3.7, update to OpenSearch 1.3.7 or later. For versions prior to 2.4.0, update to OpenSearch 2.4.0 or later. As a temporary workaround, consider restricting access to sensitive data streams until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** OpenSearch versions prior to 1.3.7 OpenSearch versions prior to 2.4.0 **Description** An issue in OpenSearch allows certain specially crafted queries to return a response containing the first line of text from arbitrary files. The list of potentially impacted files is limited to text files with read permissions allowed in the Java Security Manager policy configuration. **Recommendations** For OpenSearch versions prior to 1.3.7, upgrade to version 1.3.7 or later. For OpenSearch versions prior to 2.4.0, upgrade to version 2.4.0 or later.

**Name of the Vulnerable Software and Affected Versions** OpenSearch Notifications Plugin versions 2.0.0 through 2.2.0 **Description** A potential Server-Side Request Forgery (SSRF) issue in the OpenSearch Notifications Plugin could allow an existing privileged user to enumerate listening services or interact with configured resources via HTTP requests, exceeding the plugin's intended scope. The issue affects the plugin's ability to send notifications via various channels, including Email, Slack, Amazon Chime, and Custom web-hook. **Recommendations** For OpenSearch Notifications Plugin versions 2.0.0 through 2.2.0, update to OpenSearch 2.2.1 or later to resolve the issue. At the moment, there is no information about other workarounds for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** opensearch-ruby versions prior to 2.0.1 **Description** The issue is related to the use of the ruby `YAML.load` function instead of `YAML.safe load` in opensearch-ruby, which can lead to unsafe deserialization using `YAML.load` if the response is of type YAML. An attacker must be in control of an opensearch server and convince the victim to connect to it in order to exploit this vulnerability. **Recommendations** For versions prior to 2.0.1, upgrade to version 2.0.1 or later to resolve the issue. As a temporary workaround, consider avoiding the use of YAML responses until the issue is resolved. Restrict access to opensearch servers to minimize the risk of exploitation.