OpenSearch Notifications is a notifications plugin for OpenSearch that enables other plugins to send notifications via Email, Slack, Amazon Chime, Custom web-hook etc channels. A potential SSRF issue in OpenSearch Notifications Plugin starting in 2.0.0 and prior to 2.2.1 could allow an existing privileged user to enumerate listening services or interact with configured resources via HTTP requests exceeding the Notification plugin's intended scope. OpenSearch 2.2.1+ contains the fix for this issue. There are currently no recommended workarounds.
References
Link | Resource |
---|---|
https://github.com/opensearch-project/notifications/pull/496 | Patch Third Party Advisory |
https://github.com/opensearch-project/notifications/pull/507 | Patch Third Party Advisory |
https://github.com/opensearch-project/notifications/security/advisories/GHSA-pfc4-3436-jgrw | Third Party Advisory |
https://github.com/opensearch-project/notifications/pull/496 | Patch Third Party Advisory |
https://github.com/opensearch-project/notifications/pull/507 | Patch Third Party Advisory |
https://github.com/opensearch-project/notifications/security/advisories/GHSA-pfc4-3436-jgrw | Third Party Advisory |
Configurations
History
21 Nov 2024, 07:24
Type | Values Removed | Values Added |
---|---|---|
References | () https://github.com/opensearch-project/notifications/pull/496 - Patch, Third Party Advisory | |
References | () https://github.com/opensearch-project/notifications/pull/507 - Patch, Third Party Advisory | |
References | () https://github.com/opensearch-project/notifications/security/advisories/GHSA-pfc4-3436-jgrw - Third Party Advisory |
25 Jul 2023, 23:15
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:amazon:opensearch_notifications:*:*:*:*:*:docker:*:* | |
CWE | CWE-918 | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 8.7 |
References | (MISC) https://github.com/opensearch-project/notifications/pull/496 - Patch, Third Party Advisory | |
References | (MISC) https://github.com/opensearch-project/notifications/pull/507 - Patch, Third Party Advisory | |
References | (CONFIRM) https://github.com/opensearch-project/notifications/security/advisories/GHSA-pfc4-3436-jgrw - Third Party Advisory | |
Summary | OpenSearch Notifications is a notifications plugin for OpenSearch that enables other plugins to send notifications via Email, Slack, Amazon Chime, Custom web-hook etc channels. A potential SSRF issue in OpenSearch Notifications Plugin starting in 2.0.0 and prior to 2.2.1 could allow an existing privileged user to enumerate listening services or interact with configured resources via HTTP requests exceeding the Notification plugin's intended scope. OpenSearch 2.2.1+ contains the fix for this issue. There are currently no recommended workarounds. |
11 Nov 2022, 19:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2022-11-11 19:15
Updated : 2024-11-21 07:24
NVD link : CVE-2022-41906
Mitre link : CVE-2022-41906
CVE.ORG link : CVE-2022-41906
JSON object : View
Products Affected
amazon
- opensearch_notifications
CWE
CWE-918
Server-Side Request Forgery (SSRF)