PT-2022-26148 · Unknown · Opensearch
Author: Cehenkle · Published 2022-11-15 · Updated 2023-06-27
CVE-2022-41918
CVSS v3.1: 6.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions

OpenSearch versions prior to 1.3.7
OpenSearch versions prior to 2.4.0

Description

Fine-grained access control rules (document-level security, field-level security and field masking) are not correctly applied to the indices that back data streams, which can result in incorrect access authorization. The issue can only be triggered by authenticated users who are already authorized to read the data streams backed by the affected indices. Such users cannot reach arbitrary indices within the cluster; they can only access indices to which they have already been granted permission.

Recommendations

For versions prior to 1.3.7, update to OpenSearch 1.3.7 or later. For versions prior to 2.4.0, update to OpenSearch 2.4.0 or later. As a temporary workaround, consider restricting access to sensitive data streams until the patch is applied.
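To triage exposure to the flaw described above, an added example (not the advisory's or OpenSearch's own code): it checks a node's reported version against the fixed releases 1.3.7 and 2.4.0 and lists the roles whose grants rely on DLS, FLS or field masking, which is what the temporary workaround has to cover. It assumes the JSON shape of the GET / response and the security plugin's roles.yml field names (index_permissions, index_patterns, dls, fls, masked_fields); the sample node and roles are constructed.

```python
"""Exposure triage for CVE-2022-41918 (added example, not from the advisory).
Assumes GET / output with "version.number" and roles in the OpenSearch security
plugin's roles.yml layout (index_permissions with dls/fls/masked_fields)."""
import json
import re

FIXED = {1: (1, 3, 7), 2: (2, 4, 0)}  # first fixed release per major line (advisory)

def parse_version(text):
    """'2.3.0-SNAPSHOT' -> (2, 3, 0); pre-release suffixes are ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())

def is_affected(version):
    """True when the version lies in one of the advisory's affected ranges."""
    v = parse_version(version)
    fixed = FIXED.get(v[0])  # majors without an entry are outside the ranges
    return fixed is not None and v < fixed

def fine_grained_grants(roles):
    """(role, index pattern, controls) for every grant using DLS, FLS or masking."""
    hits = []
    for name, role in roles.items():
        for perm in role.get("index_permissions", []):
            controls = [c for c in ("dls", "fls", "masked_fields") if perm.get(c)]
            if not controls:
                continue
            for pattern in perm.get("index_patterns", []):
                hits.append((name, pattern, controls))
    return hits

def triage(root_response, roles):
    """Grants whose DLS/FLS/masking may not hold on data-stream backing indices."""
    version = json.loads(root_response)["version"]["number"]
    return fine_grained_grants(roles) if is_affected(version) else []

# Constructed sample input: a 2.3.0 node and two roles, one using DLS and masking.
ROOT = '{"name": "node-1", "version": {"number": "2.3.0", "distribution": "opensearch"}}'
ROLES = {
    "logs_reader_masked": {"index_permissions": [{
        "index_patterns": ["logs-app-*"], "allowed_actions": ["read"],
        "dls": '{"term": {"tenant": "acme"}}', "masked_fields": ["client_ip"]}]},
    "ops_full": {"index_permissions": [{
        "index_patterns": ["*"], "allowed_actions": ["indices_all"]}]},
}

if __name__ == "__main__":
    for role, pattern, controls in triage(ROOT, ROLES):
        print(f"{role}: {pattern} relies on {', '.join(controls)}")
```

Grants listed by the script are the ones whose restrictions cannot be trusted on an affected cluster; roles without DLS, FLS or masking are unchanged by the bug.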

Weakness Enumeration

Incorrect Authorization

Related Identifiers

CVE-2022-41918
GHSA-WMX7-X4JP-9JGG

Affected Products

Opensearch