CWE: 281

CVE-2023-45807: OpenSearch Issue with tenant read-only permissions

First published: Mon Oct 16 2023

### Impact

There is an issue with the implementation of tenant permissions in OpenSearch Dashboards where authenticated users with read-only access to a tenant can perform create, edit and delete operations on index metadata of dashboards and visualizations in that tenant, potentially rendering them unavailable. This issue does not affect index data, only metadata. Dashboards correctly enforces read-only permissions when indexing and updating documents. This issue does not provide additional read access to data users don't already have.

### Mitigation

This issue can be mitigated by disabling the tenants functionality for the cluster. Versions 1.3.14 and 2.11.0 contain a fix for this issue.

### For more information

If you have any questions or comments about this advisory, please contact AWS/Amazon Security via our issue reporting page (https://aws.amazon.com/security/vulnerability-reporting/) or directly via email to [aws-security@amazon.com](mailto:aws-security@amazon.com). Please do not create a public GitHub issue.
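The mitigation above, disabling the tenants functionality, expressed as a configuration example. This is added here and is not part of the advisory; it assumes the standard OpenSearch Security plugin layout, where multi-tenancy is controlled by the `kibana.multitenancy_enabled` setting in the plugin's `config.yml` on the cluster side and by `opensearch_security.multitenancy.enabled` in `opensearch_dashboards.yml` on the Dashboards side. The default (tenants enabled) fragment is shown beside the mitigated one.

```yaml
# Added example, not from the advisory. Assumes the standard OpenSearch
# Security plugin configuration layout (config.yml on the cluster side,
# opensearch_dashboards.yml on the Dashboards side).

# --- config.yml, default: tenants enabled ---
# With tenants on, a user holding read-only access to a tenant is subject
# to the metadata permission issue described in the advisory.
config:
  dynamic:
    kibana:
      multitenancy_enabled: true
      private_tenant_enabled: true
      server_username: kibanaserver
      index: '.kibana'
---
# --- config.yml, mitigated: tenants disabled cluster-wide ---
# No tenants means there are no per-tenant read-only permissions for the
# issue to bypass; this is a workaround until the cluster runs a fixed
# version (1.3.14 / 2.11.0).
config:
  dynamic:
    kibana:
      multitenancy_enabled: false
      private_tenant_enabled: false
      server_username: kibanaserver
      index: '.kibana'
---
# --- opensearch_dashboards.yml: keep the Dashboards side consistent ---
opensearch_security.multitenancy.enabled: false
```

Changes to `config.yml` are only picked up after the security configuration is reloaded into the security index (the plugin's `securityadmin.sh` tool does this), and Dashboards must be restarted for the `opensearch_dashboards.yml` change to take effect. Disabling tenants removes the per-tenant separation of saved objects for all users, so treat it as an interim measure and upgrade to a fixed version as the actual remediation.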

Credit: security-advisories@github.com

| Affected Software | Affected Version | How to fix |
| --- | --- | --- |
| maven/org.opensearch.plugin:opensearch-security | <1.3.14.0 | 1.3.14.0 |
| maven/org.opensearch.plugin:opensearch-security | >=2.0.0.0, <2.11.0.0 | 2.11.0.0 |
| Amazon Opensearch | <1.3.14.0 | |
| Amazon Opensearch | >=2.0.0, <2.11.0.0 | |


Frequently Asked Questions

  • What is the impact of CVE-2023-45807?

    Authenticated users with read-only access to a tenant can perform create, edit, and delete operations on index metadata of dashboards and visualizations in that tenant.

  • Which software is affected by CVE-2023-45807?

    The affected software includes OpenSearch Dashboards with OpenSearch Security plugin versions before 1.3.14.0, and versions from 2.0.0.0 up to (but not including) 2.11.0.0.

  • What is the severity of CVE-2023-45807?

    The severity of CVE-2023-45807 is medium with a CVSS v3 score of 5.4.

  • How can I fix CVE-2023-45807?

    Update the OpenSearch Security plugin to version 1.3.14.0 (1.x line) or 2.11.0.0 (2.x line) to address the vulnerability; as an interim measure, tenants functionality can be disabled for the cluster.

  • Where can I find more information about CVE-2023-45807?

    You can find more information about CVE-2023-45807 at the following references: [GitHub Security Advisory (opensearch-project/security)](https://github.com/opensearch-project/security/security/advisories/GHSA-72q2-gwwf-6hrv), [NVD](https://nvd.nist.gov/vuln/detail/CVE-2023-45807), [GitHub Advisory Database](https://github.com/advisories/GHSA-72q2-gwwf-6hrv).

© 2024 SecAlerts Pty Ltd.