CVE-2022-35980

Name of the Vulnerable Software and Affected Versions OpenSearch Security versions 2.0.0.0 through 2.1.0.0

Description The issue concerns an information disclosure vulnerability in OpenSearch Security, a plugin for OpenSearch that provides encryption, authentication, and authorization. When an OpenSearch cluster is configured with advanced access control features such as document level security (DLS), field level security (FLS), and/or field masking, requests will not be filtered if the query's search pattern matches an aliased index. Since OpenSearch Dashboards creates an alias to .kibana by default, filters with the index pattern of * to restrict access to documents or fields will not be applied, allowing requests to access sensitive information despite access restrictions.

Recommendations For versions 2.0.0.0 and 2.1.0.0, update to OpenSearch Security 2.2.0.0, which is compatible with OpenSearch 2.2.0 and contains the fix for this issue. As a temporary workaround, consider restricting access to the .kibana alias to minimize the risk of exploitation. Avoid using the index pattern of * in filters to restrict access to documents or fields until the issue is resolved.