PT-2026-41480 · Linux Foundation+2 · Opensearch+9

Published: 2026-04-30 · Updated: 2026-05-29

CVSS v3.1: 3.7 (Low)

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

opensearch versions prior to 2.19.0
opensearch-ingest-attachment-plugin (affected versions not specified)
opensearch-mapper-annotated-text-plugin (affected versions not specified)
opensearch-mapper-murmur3-plugin (affected versions not specified)
opensearch-mapper-size-plugin (affected versions not specified)
opensearch-repository-hdfs-plugin (affected versions not specified)
opensearch-repository-s3-plugin (affected versions not specified)
opensearch-store-mb-plugin (affected versions not specified)
opensearch-transport-nio-plugin (affected versions not specified)

Description

A flaw in the REST layer allows authorization checks to be bypassed when processing certain malformed HTTP requests. This can lead to unauthorized access to restricted API endpoints in environments relying on REST-layer authorization. The default distribution is not affected because its REST actions have corresponding transport actions that independently enforce authorization. However, custom plugins that register REST actions without a corresponding transport action may be affected, potentially allowing unauthorized read access to those endpoints. Transport-level authorization remains unaffected.

Recommendations

Upgrade to version 2.19.0 or later. At the moment, there is no information about a newer version that contains a fix for the specified plugins.

Fix

DoS

Incorrect Authorization

Weakness Enumeration

Related Identifiers

GHSA-83X9-VC3C-HGHC

Affected Products

Opensearch
Opensearch-Ingest-Attachment-Plugin
Opensearch-Mapper-Annotated-Text-Plugin
Opensearch-Mapper-Murmur3-Plugin
Opensearch-Mapper-Size-Plugin
Opensearch-Repository-Hdfs-Plugin
Opensearch-Repository-S3-Plugin
Opensearch-Store-Mb-Plugin
Opensearch-Transport-Nio-Plugin
Org.Opensearch.Plugin:Opensearch-Security