PT-2023-20318 · Opensearch · Opensearch Security
Cehenkle · Published 2023-03-01 · Updated 2025-04-03
CVE-2023-25806
CVSS v3.1
5.3
Medium
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
OpenSearch Security versions prior to 1.3.9
OpenSearch Security versions prior to 2.6.0
Description
OpenSearch Security is a plugin for OpenSearch that offers encryption, authentication, and authorization. There is an observable discrepancy in authentication response time between calls where the provided user exists and calls where it does not. This issue only affects calls using the internal basic identity provider (IdP), not other externally configured IdPs.
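As an added illustration (not code from OpenSearch Security), the pattern behind such a discrepancy beside a hardened form: the in-memory user store, PBKDF2 hashing, the dummy record and all function names below are assumptions standing in for the plugin's own internals. Counting hash operations makes the difference between the two paths visible without timing anything.

```python
import hashlib
import hmac
import os

# Assumption: PBKDF2-SHA256 stands in for whatever password hash the real IdP uses.
_ITERATIONS = 100_000


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


def make_user_store(users):
    # Constructed store: username -> (salt, hash). Not the plugin's own format.
    store = {}
    for name, password in users.items():
        salt = os.urandom(16)
        store[name] = (salt, _hash_password(password, salt))
    return store


# Dummy credential so the unknown-user path does the same expensive work.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password("dummy-password-never-valid", _DUMMY_SALT)


class Authenticator:
    def __init__(self, store):
        self.store = store
        self.hash_calls = 0  # instrumentation: how many hash computations ran

    def _verify(self, password, salt, expected):
        self.hash_calls += 1
        return hmac.compare_digest(_hash_password(password, salt), expected)

    def login_vulnerable(self, username, password):
        # Early return skips the hash: unknown users are answered measurably faster.
        entry = self.store.get(username)
        if entry is None:
            return False
        return self._verify(password, *entry)

    def login_hardened(self, username, password):
        # Always run one hash; for unknown users verify against the dummy record
        # and discard the result, so both paths cost the same.
        entry = self.store.get(username)
        if entry is None:
            self._verify(password, _DUMMY_SALT, _DUMMY_HASH)
            return False
        return self._verify(password, *entry)
```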
Recommendations
For versions prior to 1.3.9, update to version 1.3.9 or later.
For versions prior to 2.6.0, update to version 2.6.0 or later.
As there are no workarounds, applying the patch is the recommended course of action.
Exploit
Fix
Side Channel Attack
Related Identifiers
Affected Products
Opensearch Security
Red Os