OpenSearch Dashboards Reports allows ‘Report Owner’ export and share reports from OpenSearch Dashboards. An issue in the OpenSearch reporting plugin allows unintended access to private tenant resources like notebooks. The system did not properly check if the user was the resource author when accessing resources in a private tenant, leading to potential data being revealed. The patches are included in OpenSearch 2.14.
References
Configurations
History
21 Nov 2024, 09:28
Type | Values Removed | Values Added |
---|---|---|
References | () https://github.com/opensearch-project/reporting/commit/2403014c57ee63268e83d919db3334b676a8c992 - Patch | |
References | () https://github.com/opensearch-project/reporting/security/advisories/GHSA-xmvg-335g-x44q - Third Party Advisory | |
References | () https://opensearch.org/versions/opensearch-2-14-0.html - Product |
20 Sep 2024, 12:40
Type | Values Removed | Values Added |
---|---|---|
First Time |
Opensearch
Opensearch observability |
|
CPE | cpe:2.3:a:opensearch:observability:*:*:*:*:*:*:*:* | |
References | () https://github.com/opensearch-project/reporting/commit/2403014c57ee63268e83d919db3334b676a8c992 - Patch | |
References | () https://github.com/opensearch-project/reporting/security/advisories/GHSA-xmvg-335g-x44q - Third Party Advisory | |
References | () https://opensearch.org/versions/opensearch-2-14-0.html - Product |
11 Jul 2024, 13:05
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
09 Jul 2024, 22:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-07-09 22:15
Updated : 2024-11-21 09:28
NVD link : CVE-2024-39900
Mitre link : CVE-2024-39900
CVE.ORG link : CVE-2024-39900
JSON object : View
Products Affected
opensearch
- observability
CWE
CWE-639
Authorization Bypass Through User-Controlled Key