CVE-2024-39900

OpenSearch Dashboards Reports allows ‘Report Owner’ export and share reports from OpenSearch Dashboards. An issue in the OpenSearch reporting plugin allows unintended access to private tenant resources like notebooks. The system did not properly check if the user was the resource author when accessing resources in a private tenant, leading to potential data being revealed. The patches are included in OpenSearch 2.14.
Configurations

Configuration 1 (hide)

cpe:2.3:a:opensearch:observability:*:*:*:*:*:*:*:*

History

21 Nov 2024, 09:28

Type Values Removed Values Added
References () https://github.com/opensearch-project/reporting/commit/2403014c57ee63268e83d919db3334b676a8c992 - Patch () https://github.com/opensearch-project/reporting/commit/2403014c57ee63268e83d919db3334b676a8c992 - Patch
References () https://github.com/opensearch-project/reporting/security/advisories/GHSA-xmvg-335g-x44q - Third Party Advisory () https://github.com/opensearch-project/reporting/security/advisories/GHSA-xmvg-335g-x44q - Third Party Advisory
References () https://opensearch.org/versions/opensearch-2-14-0.html - Product () https://opensearch.org/versions/opensearch-2-14-0.html - Product

20 Sep 2024, 12:40

Type Values Removed Values Added
First Time Opensearch
Opensearch observability
CPE cpe:2.3:a:opensearch:observability:*:*:*:*:*:*:*:*
References () https://github.com/opensearch-project/reporting/commit/2403014c57ee63268e83d919db3334b676a8c992 - () https://github.com/opensearch-project/reporting/commit/2403014c57ee63268e83d919db3334b676a8c992 - Patch
References () https://github.com/opensearch-project/reporting/security/advisories/GHSA-xmvg-335g-x44q - () https://github.com/opensearch-project/reporting/security/advisories/GHSA-xmvg-335g-x44q - Third Party Advisory
References () https://opensearch.org/versions/opensearch-2-14-0.html - () https://opensearch.org/versions/opensearch-2-14-0.html - Product

11 Jul 2024, 13:05

Type Values Removed Values Added
Summary
  • (es) Los informes de OpenSearch Dashboards permiten que el "Report Owner" exporte y comparta informes desde OpenSearch Dashboards. Un problema en el complemento de informes OpenSearch permite el acceso no deseado a recursos privados de inquilinos, como cuadernos. El sistema no verificó adecuadamente si el usuario era el autor del recurso al acceder a recursos en un inquilino privado, lo que llevó a que se revelaran posibles datos. Los parches están incluidos en OpenSearch 2.14.

09 Jul 2024, 22:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-07-09 22:15

Updated : 2024-11-21 09:28


NVD link : CVE-2024-39900

Mitre link : CVE-2024-39900

CVE.ORG link : CVE-2024-39900


JSON object : View

Products Affected

opensearch

  • observability
CWE
CWE-639

Authorization Bypass Through User-Controlled Key