PT-2025-32597 · Linux Foundation · Opensearch

Published: 2025-08-01 · Updated: 2025-08-01

CVSS v3.1: 5.7 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
OpenSearch versions prior to 3.0.0
OpenSearch versions 2.19.2 and earlier

Description
A flaw exists in OpenSearch where Field Level Security (FLS) rules are not correctly applied to fields nested within JSON objects. Specifically, when an FLS exclusion rule is applied to an object-valued field, the object itself is removed from search results, but its member fields can still be probed through range queries, potentially allowing the original field contents to be reconstructed by a user who should not see them.

Recommendations
Update to OpenSearch version 3.0.0 or later.
Update to OpenSearch version 2.19.3 or later.
If using FLS exclusion rules for object-valued attributes, add additional exclusion rules for the members of the object.
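The following audit script is an added example and is not part of this advisory or of the OpenSearch project. It checks a security-plugin role definition against an index mapping for exactly the gap described above: an FLS exclusion on an object-valued field (written with the plugin's "~" exclusion prefix) whose member fields are not themselves excluded, and it emits the extra rules the recommendation calls for. The role documents and the index mapping are constructed sample data; the only syntax assumed from the real plugin is the "~field" exclusion form in the "fls" list of roles.yml. Wildcard FLS patterns are not evaluated.

```python
"""Audit OpenSearch security-plugin FLS exclusions for uncovered object members.

Constructed sample data throughout; the dict shapes mirror roles.yml ("fls" list,
"~" prefix = exclusion) and the "properties" tree returned by GET /<index>/_mapping.
"""
from typing import Iterator

# Constructed index mapping: "address" is an object with a nested "geo" object.
SAMPLE_MAPPING = {
    "properties": {
        "name": {"type": "keyword"},
        "address": {
            "properties": {
                "street": {"type": "text"},
                "zip": {"type": "keyword"},
                "geo": {
                    "properties": {
                        "lat": {"type": "float"},
                        "lon": {"type": "float"},
                    }
                },
            }
        },
    }
}

# Weak role (constructed): excludes only the object. On unpatched versions its
# members stay reachable through range queries, as the advisory describes.
WEAK_ROLE = {
    "index_permissions": [
        {
            "index_patterns": ["customers*"],
            "fls": ["~address"],
            "allowed_actions": ["read"],
        }
    ]
}

# Corrected role (constructed): the object *and* every member are excluded,
# which is the mitigation the advisory recommends.
FIXED_ROLE = {
    "index_permissions": [
        {
            "index_patterns": ["customers*"],
            "fls": [
                "~address",
                "~address.street",
                "~address.zip",
                "~address.geo.lat",
                "~address.geo.lon",
            ],
            "allowed_actions": ["read"],
        }
    ]
}


def leaf_paths(props: dict, prefix: str = "") -> Iterator[str]:
    """Yield the dotted path of every non-object field in a mapping 'properties' tree."""
    for name, spec in props.items():
        path = prefix + name
        if "properties" in spec:  # object field: descend into its members
            yield from leaf_paths(spec["properties"], path + ".")
        else:
            yield path


def fls_gaps(role: dict, mapping: dict) -> list[str]:
    """Return leaf fields that sit under an excluded object but are not excluded themselves."""
    leaves = list(leaf_paths(mapping["properties"]))
    gaps: list[str] = []
    for perm in role.get("index_permissions", []):
        excluded = {rule[1:] for rule in perm.get("fls", []) if rule.startswith("~")}
        # An exclusion names an object if some leaf lies below it in the mapping.
        excluded_objects = [e for e in excluded if any(l.startswith(e + ".") for l in leaves)]
        for leaf in leaves:
            under_excluded_object = any(leaf.startswith(obj + ".") for obj in excluded_objects)
            if under_excluded_object and leaf not in excluded and leaf not in gaps:
                gaps.append(leaf)
    return gaps


def suggested_rules(role: dict, mapping: dict) -> list[str]:
    """Extra '~member' rules that close every gap reported by fls_gaps()."""
    return ["~" + leaf for leaf in fls_gaps(role, mapping)]


if __name__ == "__main__":
    for label, role in (("weak", WEAK_ROLE), ("fixed", FIXED_ROLE)):
        print(label, "gaps:", fls_gaps(role, SAMPLE_MAPPING))
    print("rules to add:", suggested_rules(WEAK_ROLE, SAMPLE_MAPPING))
```

Run against a real deployment by replacing SAMPLE_MAPPING with the output of GET /<index>/_mapping and the role dicts with the parsed roles.yml; every path the script prints is a member that a range query could still probe until the cluster is on a fixed version.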

Fix

Weakness Enumeration: Information Disclosure

Related Identifiers: GHSA-2RJV-CV85-XHGM

Affected Products
Opensearch
Org.Opensearch.Plugin:Opensearch-Security