Cwperks

**Name of the Vulnerable Software and Affected Versions** OpenSearch Data Prepper versions 2.1.0 through 2.10.1 **Description** A vulnerability exists in the OpenTelemetry Logs source in Data Prepper where some custom authentication plugins will not perform authentication, allowing unauthorized users to ingest OpenTelemetry Logs data under certain conditions. This issue does not affect the built-in `http basic` authentication provider in Data Prepper. The vulnerability exists only for custom implementations of Data Prepper’s `GrpcAuthenticationProvider` authentication plugin which implement the `getHttpAuthenticationService()` method instead of `getAuthenticationInterceptor()`. **Recommendations** For versions 2.1.0 through 2.10.1, consider upgrading to Data Prepper 2.10.2, which contains a fix for this issue. As a temporary workaround, use the built-in `http basic` authentication provider in Data Prepper. Add an authentication proxy in front of Data Prepper instances running the OpenTelemetry Logs source to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** OpenSearch Dashboards Security Plugin versions prior to 1.3.19 OpenSearch Dashboards Security Plugin versions prior to 2.16.0 **Description** The issue is related to improper validation of the `nextUrl` parameter, which can lead to an external redirect during login, potentially compromising security. This could allow a remote attacker to redirect a user to a malicious site. **Recommendations** For versions prior to 1.3.19, update to version 1.3.19 to mitigate the risk. For versions prior to 2.16.0, update to version 2.16.0 to mitigate the risk. As a temporary workaround, consider restricting access to the `nextUrl` parameter in the login functionality until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** OpenSearch versions prior to 2.14 **Description** An issue in the OpenSearch reporting plugin allows unintended access to private tenant resources like notebooks. The system did not properly check if the user was the resource author when accessing resources in a private tenant, leading to potential data being revealed. This can lead to unauthorized users reading, modifying, or taking ownership of private resources, impacting the confidentiality and integrity of private tenant resources. **Recommendations** For versions prior to 2.14, update to OpenSearch 2.14 to resolve the issue. As a temporary workaround, consider restricting access to private tenant resources to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** OpenSearch versions prior to 2.14 **Description** An issue in the OpenSearch observability plugins allows unintended access to private tenant resources like notebooks. The system did not properly check if the user was the resource author when accessing resources in a private tenant, leading to potential data being revealed. This lack of proper access control validation can lead to unintended data access, where authorized users may gain inappropriate visibility into data intended to be private from other users within the same OpenSearch instance. **Recommendations** For versions prior to 2.14, update to OpenSearch 2.14 to resolve the issue. As a temporary workaround, consider restricting access to private tenant resources to minimize the risk of exploitation. Avoid sharing private tenant resource IDs, such as notebook IDs, with unauthorized users to prevent potential data access.