CVE-2024-39900

Name of the Vulnerable Software and Affected Versions OpenSearch versions prior to 2.14

Description An issue in the OpenSearch reporting plugin allows unintended access to private tenant resources like notebooks. The system did not properly check if the user was the resource author when accessing resources in a private tenant, leading to potential data being revealed. This can lead to unauthorized users reading, modifying, or taking ownership of private resources, impacting the confidentiality and integrity of private tenant resources.

Recommendations For versions prior to 2.14, update to OpenSearch 2.14 to resolve the issue. As a temporary workaround, consider restricting access to private tenant resources to minimize the risk of exploitation.