OpenSearch is a community-driven, open source fork of Elasticsearch and Kibana following the license change in early 2021. There is an issue with the implementation of tenant permissions in OpenSearch Dashboards where authenticated users with read-only access to a tenant can perform create, edit and delete operations on index metadata of dashboards and visualizations in that tenant, potentially rendering them unavailable. This issue does not affect index data, only metadata. Dashboards correctly enforces read-only permissions when indexing and updating documents. This issue does not provide additional read access to data users don’t already have. This issue can be mitigated by disabling the tenants functionality for the cluster. Versions 1.3.14 and 2.11.0 contain a fix for this issue.
References
| Link | Resource |
|---|---|
| https://github.com/opensearch-project/security/security/advisories/GHSA-72q2-gwwf-6hrv | Vendor Advisory |
| https://github.com/opensearch-project/security/security/advisories/GHSA-72q2-gwwf-6hrv | Vendor Advisory |
Configurations
Configuration 1 (hide)
|
History
21 Nov 2024, 08:27
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://github.com/opensearch-project/security/security/advisories/GHSA-72q2-gwwf-6hrv - Vendor Advisory |
20 Oct 2023, 18:29
| Type | Values Removed | Values Added |
|---|---|---|
| References | (MISC) https://github.com/opensearch-project/security/security/advisories/GHSA-72q2-gwwf-6hrv - Vendor Advisory | |
| First Time |
Amazon opensearch
Amazon |
|
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 5.4 |
| CPE | cpe:2.3:a:amazon:opensearch:*:*:*:*:*:docker:*:* cpe:2.3:a:amazon:opensearch:*:*:*:*:*:maven:*:* |
16 Oct 2023, 22:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2023-10-16 22:15
Updated : 2024-11-21 08:27
NVD link : CVE-2023-45807
Mitre link : CVE-2023-45807
CVE.ORG link : CVE-2023-45807
JSON object : View
Products Affected
amazon
- opensearch
CWE
CWE-281
Improper Preservation of Permissions