OpenSearch Observability is collection of plugins and applications that visualize data-driven events. An issue in the OpenSearch observability plugins allows unintended access to private tenant resources like notebooks. The system did not properly check if the user was the resource author when accessing resources in a private tenant, leading to potential data being revealed. The patches are included in OpenSearch 2.14.
References
Configurations
History
21 Nov 2024, 09:28
Type | Values Removed | Values Added |
---|---|---|
References | () https://github.com/opensearch-project/observability/commit/014423178f8f61d90442dde03cbdcd754c70a84e - Patch | |
References | () https://github.com/opensearch-project/observability/security/advisories/GHSA-77vc-rj32-2r33 - Third Party Advisory | |
References | () https://opensearch.org/versions/opensearch-2-14-0.html - Product | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 4.2 |
20 Sep 2024, 12:33
Type | Values Removed | Values Added |
---|---|---|
References | () https://github.com/opensearch-project/observability/commit/014423178f8f61d90442dde03cbdcd754c70a84e - Patch | |
References | () https://github.com/opensearch-project/observability/security/advisories/GHSA-77vc-rj32-2r33 - Third Party Advisory | |
References | () https://opensearch.org/versions/opensearch-2-14-0.html - Product | |
CPE | cpe:2.3:a:opensearch:observability:*:*:*:*:*:*:*:* | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 5.4 |
First Time |
Opensearch
Opensearch observability |
18 Jul 2024, 15:15
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 4.2 |
11 Jul 2024, 13:05
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
09 Jul 2024, 22:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-07-09 22:15
Updated : 2024-11-21 09:28
NVD link : CVE-2024-39901
Mitre link : CVE-2024-39901
CVE.ORG link : CVE-2024-39901
JSON object : View
Products Affected
opensearch
- observability
CWE
CWE-639
Authorization Bypass Through User-Controlled Key