Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2022-41906

OpenSearch Notifications is a notifications plugin for OpenSearch that enables other plugins to send notifications via Email, Slack, Amazon Chime, Custom web-hook etc channels. A potential SSRF issue in OpenSearch Notifications Plugin starting in 2.0.0 and prior to 2.2.1 could allow an existing privileged user to enumerate listening services or interact with configured resources via HTTP requests exceeding the Notification plugin's intended scope. OpenSearch 2.2.1+ contains the fix for this issue. There are currently no recommended workarounds.

Published

2022-11-11T19:15:11.613

Last Modified

2024-11-21T07:24:02.417

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 8.7 (HIGH)

Weaknesses

Type: Secondary
CWE-918
Type: Primary
CWE-918

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	amazon	opensearch_notifications	< 2.2.1.0	Yes

References

https://github.com/opensearch-project/notifications/pull/496 Patch, Third Party Advisory ([email protected])
https://github.com/opensearch-project/notifications/pull/507 Patch, Third Party Advisory ([email protected])
https://github.com/opensearch-project/notifications/security/advisories/GHSA-pfc4-3436-jgrw Third Party Advisory ([email protected])
https://github.com/opensearch-project/notifications/pull/496 Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/opensearch-project/notifications/pull/507 Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/opensearch-project/notifications/security/advisories/GHSA-pfc4-3436-jgrw Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)