CVE-2023-25806


OpenSearch Security is a plugin for OpenSearch that offers encryption, authentication and authorization. There is an observable discrepancy in the authentication response time between calls where the provided user exists and calls where it does not. This issue only affects calls using the internal basic identity provider (IdP), and not other externally configured IdPs. Patches were released in versions 1.3.9 and 2.6.0; there are no workarounds.


Published

2023-03-02T04:15:10.987

Last Modified

2024-11-21T07:50:14.317

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 5.3 (MEDIUM)

Weaknesses
  • Type: Secondary
    CWE-208
  • Type: Primary
    CWE-203

Affected Vendors & Products
Type         Vendor  Product              Version/Range  Vulnerable?
Application  amazon  opensearch           < 1.3.9        Yes
Application  amazon  opensearch           < 2.6.0        Yes
Application  amazon  opensearch_security  < 1.3.9        Yes
Application  amazon  opensearch_security  < 2.6.0        Yes
