CVE-2024-39901

Name of the Vulnerable Software and Affected Versions OpenSearch versions prior to 2.14

Description An issue in the OpenSearch observability plugins allows unintended access to private tenant resources like notebooks. The system did not properly check if the user was the resource author when accessing resources in a private tenant, leading to potential data being revealed. This lack of proper access control validation can lead to unintended data access, where authorized users may gain inappropriate visibility into data intended to be private from other users within the same OpenSearch instance.

Recommendations For versions prior to 2.14, update to OpenSearch 2.14 to resolve the issue. As a temporary workaround, consider restricting access to private tenant resources to minimize the risk of exploitation. Avoid sharing private tenant resource IDs, such as notebook IDs, with unauthorized users to prevent potential data access.