cvelistv5 - cve-2024-39900

CVE-2024-39900 (GCVE-0-2024-39900)

Vulnerability from cvelistv5 – Published: 2024-07-09 21:17 – Updated: 2024-08-02 04:33

Summary

OpenSearch Dashboards Reports allows ‘Report Owner’ export and share reports from OpenSearch Dashboards. An issue in the OpenSearch reporting plugin allows unintended access to private tenant resources like notebooks. The system did not properly check if the user was the resource author when accessing resources in a private tenant, leading to potential data being revealed. The patches are included in OpenSearch 2.14.

Severity ?

5.4 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CWE

CWE-639 - Authorization Bypass Through User-Controlled Key

Assigner

GitHub_M

References

URL

Tags

	https://github.com/opensearch-project/reporting/s…	x_refsource_CONFIRM
	https://github.com/opensearch-project/reporting/c…	x_refsource_MISC
	https://opensearch.org/versions/opensearch-2-14-0.html	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	opensearch-project	reporting	Affected: < 2.14.0.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-39900",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-10T16:28:44.073264Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-10T20:49:15.331Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T04:33:11.516Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/opensearch-project/reporting/security/advisories/GHSA-xmvg-335g-x44q",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/opensearch-project/reporting/security/advisories/GHSA-xmvg-335g-x44q"
          },
          {
            "name": "https://github.com/opensearch-project/reporting/commit/2403014c57ee63268e83d919db3334b676a8c992",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/opensearch-project/reporting/commit/2403014c57ee63268e83d919db3334b676a8c992"
          },
          {
            "name": "https://opensearch.org/versions/opensearch-2-14-0.html",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://opensearch.org/versions/opensearch-2-14-0.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "reporting",
          "vendor": "opensearch-project",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.14.0.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "OpenSearch Dashboards Reports allows \u2018Report Owner\u2019 export and share reports from OpenSearch Dashboards. An issue in the OpenSearch reporting plugin allows unintended access to private tenant resources like notebooks. The system did not properly check if the user was the resource author when accessing resources in a private tenant, leading to potential data being revealed. The patches are included in OpenSearch 2.14."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-07-09T21:17:21.652Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/opensearch-project/reporting/security/advisories/GHSA-xmvg-335g-x44q",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/opensearch-project/reporting/security/advisories/GHSA-xmvg-335g-x44q"
        },
        {
          "name": "https://github.com/opensearch-project/reporting/commit/2403014c57ee63268e83d919db3334b676a8c992",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/opensearch-project/reporting/commit/2403014c57ee63268e83d919db3334b676a8c992"
        },
        {
          "name": "https://opensearch.org/versions/opensearch-2-14-0.html",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://opensearch.org/versions/opensearch-2-14-0.html"
        }
      ],
      "source": {
        "advisory": "GHSA-xmvg-335g-x44q",
        "discovery": "UNKNOWN"
      },
      "title": "OpenSearch Dashboards Reports does not properly restrict access to private tenant resources"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-39900",
    "datePublished": "2024-07-09T21:17:21.652Z",
    "dateReserved": "2024-07-02T19:37:18.599Z",
    "dateUpdated": "2024-08-02T04:33:11.516Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:opensearch:observability:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"2.14\", \"matchCriteriaId\": \"A0A26A7A-D86D-48F6-A48F-83FA71FEFE7A\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"OpenSearch Dashboards Reports allows \\u2018Report Owner\\u2019 export and share reports from OpenSearch Dashboards. An issue in the OpenSearch reporting plugin allows unintended access to private tenant resources like notebooks. The system did not properly check if the user was the resource author when accessing resources in a private tenant, leading to potential data being revealed. The patches are included in OpenSearch 2.14.\"}, {\"lang\": \"es\", \"value\": \"Los informes de OpenSearch Dashboards permiten que el \\\"Report Owner\\\" exporte y comparta informes desde OpenSearch Dashboards. Un problema en el complemento de informes OpenSearch permite el acceso no deseado a recursos privados de inquilinos, como cuadernos. El sistema no verific\\u00f3 adecuadamente si el usuario era el autor del recurso al acceder a recursos en un inquilino privado, lo que llev\\u00f3 a que se revelaran posibles datos. Los parches est\\u00e1n incluidos en OpenSearch 2.14.\"}]",
      "id": "CVE-2024-39900",
      "lastModified": "2024-11-21T09:28:31.610",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N\", \"baseScore\": 5.4, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 2.5}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N\", \"baseScore\": 5.4, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 2.5}]}",
      "published": "2024-07-09T22:15:03.243",
      "references": "[{\"url\": \"https://github.com/opensearch-project/reporting/commit/2403014c57ee63268e83d919db3334b676a8c992\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/opensearch-project/reporting/security/advisories/GHSA-xmvg-335g-x44q\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://opensearch.org/versions/opensearch-2-14-0.html\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Product\"]}, {\"url\": \"https://github.com/opensearch-project/reporting/commit/2403014c57ee63268e83d919db3334b676a8c992\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/opensearch-project/reporting/security/advisories/GHSA-xmvg-335g-x44q\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://opensearch.org/versions/opensearch-2-14-0.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Product\"]}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-639\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-639\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-39900\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-07-09T22:15:03.243\",\"lastModified\":\"2024-11-21T09:28:31.610\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"OpenSearch Dashboards Reports allows \u2018Report Owner\u2019 export and share reports from OpenSearch Dashboards. An issue in the OpenSearch reporting plugin allows unintended access to private tenant resources like notebooks. The system did not properly check if the user was the resource author when accessing resources in a private tenant, leading to potential data being revealed. The patches are included in OpenSearch 2.14.\"},{\"lang\":\"es\",\"value\":\"Los informes de OpenSearch Dashboards permiten que el \\\"Report Owner\\\" exporte y comparta informes desde OpenSearch Dashboards. Un problema en el complemento de informes OpenSearch permite el acceso no deseado a recursos privados de inquilinos, como cuadernos. El sistema no verific\u00f3 adecuadamente si el usuario era el autor del recurso al acceder a recursos en un inquilino privado, lo que llev\u00f3 a que se revelaran posibles datos. Los parches est\u00e1n incluidos en OpenSearch 2.14.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.5},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.5}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-639\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-639\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:opensearch:observability:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.14\",\"matchCriteriaId\":\"A0A26A7A-D86D-48F6-A48F-83FA71FEFE7A\"}]}]}],\"references\":[{\"url\":\"https://github.com/opensearch-project/reporting/commit/2403014c57ee63268e83d919db3334b676a8c992\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/opensearch-project/reporting/security/advisories/GHSA-xmvg-335g-x44q\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://opensearch.org/versions/opensearch-2-14-0.html\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\"]},{\"url\":\"https://github.com/opensearch-project/reporting/commit/2403014c57ee63268e83d919db3334b676a8c992\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/opensearch-project/reporting/security/advisories/GHSA-xmvg-335g-x44q\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://opensearch.org/versions/opensearch-2-14-0.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Product\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/opensearch-project/reporting/security/advisories/GHSA-xmvg-335g-x44q\", \"name\": \"https://github.com/opensearch-project/reporting/security/advisories/GHSA-xmvg-335g-x44q\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/opensearch-project/reporting/commit/2403014c57ee63268e83d919db3334b676a8c992\", \"name\": \"https://github.com/opensearch-project/reporting/commit/2403014c57ee63268e83d919db3334b676a8c992\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://opensearch.org/versions/opensearch-2-14-0.html\", \"name\": \"https://opensearch.org/versions/opensearch-2-14-0.html\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T04:33:11.516Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-39900\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-07-10T16:28:44.073264Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-07-10T16:29:47.164Z\"}}], \"cna\": {\"title\": \"OpenSearch Dashboards Reports does not properly restrict access to private tenant resources\", \"source\": {\"advisory\": \"GHSA-xmvg-335g-x44q\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.4, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"opensearch-project\", \"product\": \"reporting\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 2.14.0.0\"}]}], \"references\": [{\"url\": \"https://github.com/opensearch-project/reporting/security/advisories/GHSA-xmvg-335g-x44q\", \"name\": \"https://github.com/opensearch-project/reporting/security/advisories/GHSA-xmvg-335g-x44q\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/opensearch-project/reporting/commit/2403014c57ee63268e83d919db3334b676a8c992\", \"name\": \"https://github.com/opensearch-project/reporting/commit/2403014c57ee63268e83d919db3334b676a8c992\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://opensearch.org/versions/opensearch-2-14-0.html\", \"name\": \"https://opensearch.org/versions/opensearch-2-14-0.html\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"OpenSearch Dashboards Reports allows \\u2018Report Owner\\u2019 export and share reports from OpenSearch Dashboards. An issue in the OpenSearch reporting plugin allows unintended access to private tenant resources like notebooks. The system did not properly check if the user was the resource author when accessing resources in a private tenant, leading to potential data being revealed. The patches are included in OpenSearch 2.14.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-639\", \"description\": \"CWE-639: Authorization Bypass Through User-Controlled Key\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-07-09T21:17:21.652Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-39900\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-08-02T04:33:11.516Z\", \"dateReserved\": \"2024-07-02T19:37:18.599Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-07-09T21:17:21.652Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

WID-SEC-W-2024-1675

Vulnerability from csaf_certbund - Published: 2024-07-18 22:00 - Updated: 2024-07-18 22:00

Summary

OpenSearch: Schwachstelle ermöglicht Offenlegung von Informationen

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

OpenSearch ist ein Open-Source-Softwarepaket für Such-, Analyse- und Beobachtungsanwendungen.

Angriff

Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in OpenSearch ausnutzen, um Informationen offenzulegen.

Betroffene Betriebssysteme

- Linux - MacOS X - Windows

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "OpenSearch ist ein Open-Source-Softwarepaket f\u00fcr Such-, Analyse- und Beobachtungsanwendungen.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in OpenSearch ausnutzen, um Informationen offenzulegen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- MacOS X\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2024-1675 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-1675.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2024-1675 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-1675"
      },
      {
        "category": "external",
        "summary": "GitHub Advisory Database vom 2024-07-18",
        "url": "https://github.com/advisories/GHSA-xmvg-335g-x44q"
      }
    ],
    "source_lang": "en-US",
    "title": "OpenSearch: Schwachstelle erm\u00f6glicht Offenlegung von Informationen",
    "tracking": {
      "current_release_date": "2024-07-18T22:00:00.000+00:00",
      "generator": {
        "date": "2024-08-15T18:11:36.471+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.5"
        }
      },
      "id": "WID-SEC-W-2024-1675",
      "initial_release_date": "2024-07-18T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2024-07-18T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c2.14.0.0",
                "product": {
                  "name": "Open Source OpenSearch \u003c2.14.0.0",
                  "product_id": "T036364"
                }
              }
            ],
            "category": "product_name",
            "name": "OpenSearch"
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-39900",
      "notes": [
        {
          "category": "description",
          "text": "Es besteht eine Schwachstelle im Reporting-Plugin in OpenSearch aufgrund einer unsachgem\u00e4\u00dfen Validierung der Zugriffskontrolle, die einen unbeabsichtigten Zugriff auf private Mandantenressourcen erm\u00f6glicht. Ein entfernter authentifizierter Angreifer kann diese Schwachstelle ausnutzen, um vertrauliche Informationen offenzulegen."
        }
      ],
      "release_date": "2024-07-18T22:00:00.000+00:00",
      "title": "CVE-2024-39900"
    }
  ]
}

GHSA-XMVG-335G-X44Q

Vulnerability from github – Published: 2024-07-18 15:22 – Updated: 2024-07-18 15:22

Summary

The OpenSearch reporting plugin improperly controls tenancy access to reporting resources

Details

Summary

An issue in the OpenSearch reporting plugin allows unintended access to private tenant resources like notebooks. The system did not properly check if the user was the resource author when accessing resources in a private tenant, leading to potential data being revealed.

Impact

The lack of proper access control validation for private tenant resources in the OpenSearch observability and reporting plugins can lead to unintended data access. If an authorized user with observability or reporting roles is aware of another user's private tenant resource ID, such as a notebook, they can potentially read, modify, or take ownership of that resource, despite not being the original author, thus impacting the confidentiality and integrity of private tenant resources. The impact is confined to private tenant resources, where authorized users may gain inappropriate visibility into data intended to be private from other users within the same OpenSearch instance, potentially violating the intended separation of access. This issue does not alter the scope of access but highlights a flaw in the existing access control mechanisms.

Impacted versions <= 2.13

Patches

The patches are included in OpenSearch 2.14

Workarounds

None

References

OpenSearch 2.14 is available for download at https://opensearch.org/versions/opensearch-2-14-0.html

The latest version of OpenSearch is available for download at https://opensearch.org/downloads.html

Severity ?

5.4 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

5.3 (Medium)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.opensearch.plugin:opensearch-reports-scheduler"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.14.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-39900"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-07-18T15:22:02Z",
    "nvd_published_at": "2024-07-09T22:15:03Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nAn issue in the OpenSearch reporting plugin allows unintended access to private tenant resources like notebooks. The system did not properly check if the user was the resource author when accessing resources in a private tenant, leading to potential data being revealed.\n\n### Impact\n\nThe lack of proper access control validation for private tenant resources in the OpenSearch observability and reporting plugins can lead to unintended data access. If an authorized user with observability or reporting roles is aware of another user\u0027s private tenant resource ID, such as a notebook, they can potentially read, modify, or take ownership of that resource, despite not being the original author, thus impacting the confidentiality and integrity of private tenant resources. The impact is confined to private tenant resources, where authorized users may gain inappropriate visibility into data intended to be private from other users within the same OpenSearch instance, potentially violating the intended separation of access. This issue does not alter the scope of access but highlights a flaw in the existing access control mechanisms.\n\nImpacted versions \u003c= 2.13\n\n### Patches\n\nThe patches are included in OpenSearch 2.14\n\n### Workarounds\n\nNone\n\n### References\n\nOpenSearch 2.14 is available for download at https://opensearch.org/versions/opensearch-2-14-0.html\n\nThe latest version of OpenSearch is available for download at https://opensearch.org/downloads.html",
  "id": "GHSA-xmvg-335g-x44q",
  "modified": "2024-07-18T15:22:03Z",
  "published": "2024-07-18T15:22:02Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/opensearch-project/reporting/security/advisories/GHSA-xmvg-335g-x44q"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39900"
    },
    {
      "type": "WEB",
      "url": "https://github.com/opensearch-project/reporting/commit/2403014c57ee63268e83d919db3334b676a8c992"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/opensearch-project/reporting"
    },
    {
      "type": "WEB",
      "url": "https://opensearch.org/versions/opensearch-2-14-0.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "The OpenSearch reporting plugin improperly controls tenancy access to reporting resources"
}

FKIE_CVE-2024-39900

Vulnerability from fkie_nvd - Published: 2024-07-09 22:15 - Updated: 2024-11-21 09:28

Severity ?

5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/opensearch-project/reporting/commit/2403014c57ee63268e83d919db3334b676a8c992	Patch
security-advisories@github.com	https://github.com/opensearch-project/reporting/security/advisories/GHSA-xmvg-335g-x44q	Third Party Advisory
security-advisories@github.com	https://opensearch.org/versions/opensearch-2-14-0.html	Product
af854a3a-2127-422b-91ae-364da2661108	https://github.com/opensearch-project/reporting/commit/2403014c57ee63268e83d919db3334b676a8c992	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/opensearch-project/reporting/security/advisories/GHSA-xmvg-335g-x44q	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://opensearch.org/versions/opensearch-2-14-0.html	Product

Impacted products

	Vendor	Product	Version
	opensearch	observability	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:opensearch:observability:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A0A26A7A-D86D-48F6-A48F-83FA71FEFE7A",
              "versionEndExcluding": "2.14",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "OpenSearch Dashboards Reports allows \u2018Report Owner\u2019 export and share reports from OpenSearch Dashboards. An issue in the OpenSearch reporting plugin allows unintended access to private tenant resources like notebooks. The system did not properly check if the user was the resource author when accessing resources in a private tenant, leading to potential data being revealed. The patches are included in OpenSearch 2.14."
    },
    {
      "lang": "es",
      "value": "Los informes de OpenSearch Dashboards permiten que el \"Report Owner\" exporte y comparta informes desde OpenSearch Dashboards. Un problema en el complemento de informes OpenSearch permite el acceso no deseado a recursos privados de inquilinos, como cuadernos. El sistema no verific\u00f3 adecuadamente si el usuario era el autor del recurso al acceder a recursos en un inquilino privado, lo que llev\u00f3 a que se revelaran posibles datos. Los parches est\u00e1n incluidos en OpenSearch 2.14."
    }
  ],
  "id": "CVE-2024-39900",
  "lastModified": "2024-11-21T09:28:31.610",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.5,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.5,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-07-09T22:15:03.243",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/opensearch-project/reporting/commit/2403014c57ee63268e83d919db3334b676a8c992"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/opensearch-project/reporting/security/advisories/GHSA-xmvg-335g-x44q"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product"
      ],
      "url": "https://opensearch.org/versions/opensearch-2-14-0.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/opensearch-project/reporting/commit/2403014c57ee63268e83d919db3334b676a8c992"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/opensearch-project/reporting/security/advisories/GHSA-xmvg-335g-x44q"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product"
      ],
      "url": "https://opensearch.org/versions/opensearch-2-14-0.html"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-639"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-639"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2024-39900 (GCVE-0-2024-39900)

WID-SEC-W-2024-1675

GHSA-XMVG-335G-X44Q

Summary

Impact

Patches

Workarounds

References

FKIE_CVE-2024-39900

Tags

Sightings

Nomenclature