Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2023-23933

OpenSearch Anomaly Detection identifies atypical data and receives automatic notifications. There is an issue with the application of document and field level restrictions in the Anomaly Detection plugin, where users with the Anomaly Detector role can read aggregated numerical data (e.g. averages, sums) of fields that are otherwise restricted to them. This issue only affects authenticated users who were previously granted read access to the indexes containing the restricted fields. This issue has been patched in versions 1.3.8 and 2.6.0. There are no known workarounds for this issue.

Published

2023-02-03T20:15:10.637

Last Modified

2024-11-21T07:47:07.823

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 4.3 (MEDIUM)

Weaknesses

Type: Primary
CWE-125

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	amazon	opensearch	< 1.3.8	Yes
Application	amazon	opensearch	< 2.6.0	Yes

References

https://github.com/opensearch-project/anomaly-detection/security/advisories/GHSA-47qw-jwpx-pp4c Third Party Advisory ([email protected])
https://github.com/opensearch-project/anomaly-detection/security/advisories/GHSA-47qw-jwpx-pp4c Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)