PT-2023-3287 · Unknown+1 · Opensearch+1
Bbarani
·
Published
2023-05-08
·
Updated
2023-06-15
·
CVE-2023-31141
CVSS v3.1
5.9
Medium
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
OpenSearch versions prior to 1.3.10 and 2.7.0
Description
The issue is related to the implementation of fine-grained access control rules, including document-level security, field-level security, and field masking. These rules are not correctly applied to queries during extremely rare race conditions, potentially leading to incorrect access authorization. This issue can be triggered when two concurrent requests land on the same instance exactly when query cache eviction happens, which occurs once every four hours.
Recommendations
For versions prior to 1.3.10, update to version 1.3.10 or later.
For versions prior to 2.7.0, update to version 2.7.0 or later.
Exploit
Fix
Incorrect Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Opensearch
Red Os