CVE-2023-23613 - OpenCVE

Vendors	Products
Amazon	Opensearch

Link	Providers
https://github.com/opensearch-project/OpenSearch/releases/tag/2.5.0
https://github.com/opensearch-project/security/security/advisories/GHSA-v3cg-7r9h-r2g6

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-23613", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-01-16T17:07:46.242Z", "datePublished": "2023-01-24T20:33:55.673Z", "dateUpdated": "2024-08-02T10:35:33.607Z"}, "containers": {"cna": {"title": "Field-level security issue with .keyword fields in OpenSearch", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/opensearch-project/security/security/advisories/GHSA-v3cg-7r9h-r2g6", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/opensearch-project/security/security/advisories/GHSA-v3cg-7r9h-r2g6"}, {"name": "https://github.com/opensearch-project/OpenSearch/releases/tag/2.5.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/opensearch-project/OpenSearch/releases/tag/2.5.0"}], "affected": [{"vendor": "opensearch-project", "product": "security", "versions": [{"version": ">= 2.0.0, < 2.5.0", "status": "affected"}, {"version": "< 1.3.8", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-01-24T20:33:55.673Z"}, "descriptions": [{"lang": "en", "value": "OpenSearch is an open source distributed and RESTful search engine. In affected versions there is an issue in the implementation of field-level security (FLS) and field masking where rules written to explicitly exclude fields are not correctly applied for certain queries that rely on their auto-generated .keyword fields. This issue is only present for authenticated users with read access to the indexes containing the restricted fields. This may expose data which may otherwise not be accessible to the user. OpenSearch 1.0.0-1.3.7 and 2.0.0-2.4.1 are affected. Users are advised to upgrade to OpenSearch 1.3.8 or 2.5.0. Users unable to upgrade may write explicit exclusion rules as a workaround. Policies authored in this way are not subject to this issue."}], "source": {"advisory": "GHSA-v3cg-7r9h-r2g6", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T10:35:33.607Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/opensearch-project/security/security/advisories/GHSA-v3cg-7r9h-r2g6", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/opensearch-project/security/security/advisories/GHSA-v3cg-7r9h-r2g6"}, {"name": "https://github.com/opensearch-project/OpenSearch/releases/tag/2.5.0", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/opensearch-project/OpenSearch/releases/tag/2.5.0"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:amazon:opensearch:*:*:*:*:*:-:*:*", "matchCriteriaId": "F78DAC9C-A051-4B4C-AC4F-08A65195A932", "versionEndExcluding": "1.3.8", "versionStartIncluding": "1.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:amazon:opensearch:*:*:*:*:*:-:*:*", "matchCriteriaId": "F032A171-FC92-43EF-9B04-E65EFDAC4F9D", "versionEndExcluding": "2.5.0", "versionStartIncluding": "2.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenSearch is an open source distributed and RESTful search engine. In affected versions there is an issue in the implementation of field-level security (FLS) and field masking where rules written to explicitly exclude fields are not correctly applied for certain queries that rely on their auto-generated .keyword fields. This issue is only present for authenticated users with read access to the indexes containing the restricted fields. This may expose data which may otherwise not be accessible to the user. OpenSearch 1.0.0-1.3.7 and 2.0.0-2.4.1 are affected. Users are advised to upgrade to OpenSearch 1.3.8 or 2.5.0. Users unable to upgrade may write explicit exclusion rules as a workaround. Policies authored in this way are not subject to this issue."}, {"lang": "es", "value": "OpenSearch es un motor de b\u00fasqueda RESTful y distribuido de c\u00f3digo abierto. En las versiones afectadas hay un problema en la implementaci\u00f3n de la seguridad a nivel de campo (FLS) y el enmascaramiento de campos donde las reglas escritas para excluir campos expl\u00edcitamente no se aplican correctamente para ciertas consultas que dependen de sus campos .keyword generados autom\u00e1ticamente. Este problema solo est\u00e1 presente para usuarios autenticados con acceso de lectura a los \u00edndices que contienen los campos restringidos. Esto puede exponer datos a los que de otra manera el usuario no podr\u00eda acceder. OpenSearch 1.0.0-1.3.7 y 2.0.0-2.4.1 se ven afectados. Se recomienda a los usuarios que actualicen a OpenSearch 1.3.8 o 2.5.0. Los usuarios que no puedan actualizar pueden escribir reglas de exclusi\u00f3n expl\u00edcitas Como workaround. Las pol\u00edticas creadas de esta manera no est\u00e1n sujetas a esta cuesti\u00f3n."}], "id": "CVE-2023-23613", "lastModified": "2023-02-02T17:54:33.297", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-01-26T21:18:14.900", "references": [{"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/opensearch-project/OpenSearch/releases/tag/2.5.0"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/opensearch-project/security/security/advisories/GHSA-v3cg-7r9h-r2g6"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object