PT-2023-19075 · Unknown+1 · Opensearch+1

Cehenkle · Published 2023-01-24 · Updated 2025-04-03 · CVE-2023-23613

CVSS v2.0: 6.8 (Medium)
Vector: AV:N/AC:L/Au:S/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions
OpenSearch versions 1.0.0 through 1.3.7
OpenSearch versions 2.0.0 through 2.4.1

Description
There is an issue in the implementation of field-level security (FLS) and field masking where rules written to explicitly exclude fields are not correctly applied for certain queries that rely on their auto-generated .keyword fields. This issue is only present for authenticated users with read access to the indexes containing the restricted fields, and it may expose data that would otherwise not be accessible to the user.

Recommendations
For OpenSearch versions 1.0.0 through 1.3.7, upgrade to OpenSearch 1.3.8. For OpenSearch versions 2.0.0 through 2.4.1, upgrade to OpenSearch 2.5.0. As a temporary workaround for users unable to upgrade, consider replacing explicit exclusion rules with rules that grant explicit access to the permitted fields instead, as policies authored in this way are not subject to this issue.
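As an added illustration of the workaround (example configuration written for this page, not text from the advisory or from the OpenSearch project), the two role definitions below use the roles.yml syntax of the OpenSearch security plugin. The first hides a field with an exclusion rule (the "~" prefix), which is the form the advisory says is affected on the listed versions; the second grants access only to the fields named, so nothing outside that list is returned. The role, index and field names are constructed.

```yaml
# Constructed example, not from the advisory. roles.yml syntax of the
# OpenSearch security plugin; role, index and field names are made up.

# Affected form: an exclusion rule. "~salary" is meant to hide the field,
# but on the versions listed above a query that relies on the
# auto-generated salary.keyword field may not have the exclusion applied.
hr_reader_exclude:
  reserved: false
  index_permissions:
    - index_patterns:
        - "employees"
      fls:
        - "~salary"
      allowed_actions:
        - "read"

# Workaround form: grant explicit access to the permitted fields only.
# Fields that are not in this list are not returned to the role's users.
hr_reader_include:
  reserved: false
  index_permissions:
    - index_patterns:
        - "employees"
      fls:
        - "employee_id"
        - "name"
        - "department"
      allowed_actions:
        - "read"
```

With the allow-list form, a field added to the index mapping later is hidden until someone adds it to the list, which is the safe default; review the list whenever the mapping changes so legitimate readers do not lose fields they need.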

Exploit

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

BDU:2025-04294
CVE-2023-23613
GHSA-V3CG-7R9H-R2G6

Affected Products

Opensearch
Red Os