PT-2025-32598 · Linux Foundation+1 · Opensearch+1

Published: 2025-08-01 · Updated: 2025-08-01

CVSS v3.1: 5.7 (Medium)

Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

OpenSearch versions prior to 3.0.0

OpenSearch versions 2.19.2 and earlier

Description

OpenSearch improperly applies field masking rules to ip, geo point, geo shape, xy point, and xy shape field types. While the content of these fields is redacted in the source document returned by search operations, the original unredacted values remain available to search queries, allowing reconstruction of the original field contents using range queries. Additionally, the content of geo point, geo shape, xy point, and xy shape fields is returned unredacted when requested via the fields option of the search API.

Recommendations

Upgrade to OpenSearch version 3.0.0 or later.

Upgrade to OpenSearch version 2.19.3 or later.

If immediate upgrade is not possible, use field level security (FLS) protection on affected field types instead of field masking.
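To find where the interim recommendation applies, the following added example (not part of the advisory or of OpenSearch) lists role and index combinations in which a masked field has one of the affected types, so those fields can be moved to FLS exclusions. It assumes role definitions in the security plugin's `roles.yml` shape (`index_patterns`, `masked_fields`, `fls`) and index mappings already loaded as dictionaries; the sample roles and mappings are constructed, and `fnmatch` only approximates the plugin's wildcard matching.

```python
import fnmatch

# Mapping types for the fields the advisory lists as improperly masked.
AFFECTED_TYPES = {"ip", "geo_point", "geo_shape", "xy_point", "xy_shape"}

def flatten_mapping(properties, prefix=""):
    """Yield (dotted_field_name, type) for every typed field under 'properties'."""
    for name, spec in properties.items():
        path = prefix + name
        if "properties" in spec:  # object or nested field: recurse into children
            yield from flatten_mapping(spec["properties"], path + ".")
        if "type" in spec:
            yield path, spec["type"]

def audit(roles, mappings):
    """Return sorted (role, index, field, type) where masking covers an affected type."""
    findings = set()
    for role, body in roles.items():
        for perm in body.get("index_permissions", []):
            # Drop the optional '::<hash>' or '::/regex/::replacement' suffix.
            patterns = [m.split("::", 1)[0] for m in perm.get("masked_fields", [])]
            for index, mapping in mappings.items():
                if not any(fnmatch.fnmatchcase(index, p) for p in perm.get("index_patterns", [])):
                    continue
                for field, ftype in flatten_mapping(mapping["properties"]):
                    if ftype in AFFECTED_TYPES and any(fnmatch.fnmatchcase(field, p) for p in patterns):
                        findings.add((role, index, field, ftype))
    return sorted(findings)

# Constructed sample data (hypothetical role, index and field names).
SAMPLE_ROLES = {
    "analyst": {"index_permissions": [{  # relies on masking: flagged below
        "index_patterns": ["weblogs-*"],
        "masked_fields": ["client.ip::SHA-512", "user_name", "geo.*"]}]},
    "auditor": {"index_permissions": [{  # FLS exclusion, the interim mitigation
        "index_patterns": ["weblogs-*"],
        "fls": ["~client.ip", "~geo.location"]}]},
}
SAMPLE_MAPPINGS = {
    "weblogs-2025": {"properties": {
        "client": {"properties": {"ip": {"type": "ip"}}},
        "geo": {"properties": {"location": {"type": "geo_point"}, "city": {"type": "keyword"}}},
        "user_name": {"type": "keyword"}}},
    "metrics": {"properties": {"host_ip": {"type": "ip"}}},
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_ROLES, SAMPLE_MAPPINGS):
        print("masked field of affected type: role=%s index=%s field=%s type=%s" % finding)
```

Masked keyword or text fields such as `user_name` are not reported, since the advisory names only the ip, geo and xy types.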

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

GHSA-RRMM-WQ7Q-H4V5

Affected Products

Opensearch
Org.Opensearch.Plugin:Opensearch-Security