CVE-2024-39901

OpenSearch Observability does not properly restrict access to private tenant resources

CVSS v3.1 4.2 (Medium)
EPSS 0.05 % (24th)
Affected Products 1
Advisories 1

OpenSearch Observability is collection of plugins and applications that visualize data-driven events. An issue in the OpenSearch observability plugins allows unintended access to private tenant resources like notebooks. The system did not properly check if the user was the resource author when accessing resources in a private tenant, leading to potential data being revealed. The patches are included in OpenSearch 2.14.

Base Severity
Medium
Base Score
4.2
Impact Score
2.5
Exploitability Score
1.6
Metrics
Attack Vector (AV) Network
Attack Complexity (AC) High
Privileges Required (PR) Low
User Interaction (UI) None
Scope (S) Unchanged
Confidentiality (C) Low
Integrity (I) Low
Availability (A) None

Weaknesses

# ID Name
CWE-639 Authorization Bypass Through User-Controlled Key

OWASP

# ID Name
A01:2021 Broken Access Control
Modified
CVE Status
PUBLISHED
NVD Status
Modified
CNA
GitHub, Inc.
Published Date
2024-07-09 22:15:03
(6 months ago)
Updated Date
2024-11-21 09:28:31
(2 months ago)

Affected Vendors & Products

Loading...
Loading...

Configuration #1

    CPE v2.3 From Up To
  Opensearch Observability prior 2.14 version cpe:2.3:a:opensearch:observability < 2.14
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...