CVE-2024-39901

OpenSearch Observability is collection of plugins and applications that visualize data-driven events. An issue in the OpenSearch observability plugins allows unintended access to private tenant resources like notebooks. The system did not properly check if the user was the resource author when accessing resources in a private tenant, leading to potential data being revealed. The patches are included in OpenSearch 2.14.
Configurations

Configuration 1 (hide)

cpe:2.3:a:opensearch:observability:*:*:*:*:*:*:*:*

History

21 Nov 2024, 09:28

Type Values Removed Values Added
References () https://github.com/opensearch-project/observability/commit/014423178f8f61d90442dde03cbdcd754c70a84e - Patch () https://github.com/opensearch-project/observability/commit/014423178f8f61d90442dde03cbdcd754c70a84e - Patch
References () https://github.com/opensearch-project/observability/security/advisories/GHSA-77vc-rj32-2r33 - Third Party Advisory () https://github.com/opensearch-project/observability/security/advisories/GHSA-77vc-rj32-2r33 - Third Party Advisory
References () https://opensearch.org/versions/opensearch-2-14-0.html - Product () https://opensearch.org/versions/opensearch-2-14-0.html - Product
CVSS v2 : unknown
v3 : 5.4
v2 : unknown
v3 : 4.2

20 Sep 2024, 12:33

Type Values Removed Values Added
References () https://github.com/opensearch-project/observability/commit/014423178f8f61d90442dde03cbdcd754c70a84e - () https://github.com/opensearch-project/observability/commit/014423178f8f61d90442dde03cbdcd754c70a84e - Patch
References () https://github.com/opensearch-project/observability/security/advisories/GHSA-77vc-rj32-2r33 - () https://github.com/opensearch-project/observability/security/advisories/GHSA-77vc-rj32-2r33 - Third Party Advisory
References () https://opensearch.org/versions/opensearch-2-14-0.html - () https://opensearch.org/versions/opensearch-2-14-0.html - Product
CPE cpe:2.3:a:opensearch:observability:*:*:*:*:*:*:*:*
CVSS v2 : unknown
v3 : 4.2
v2 : unknown
v3 : 5.4
First Time Opensearch
Opensearch observability

18 Jul 2024, 15:15

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 5.4
v2 : unknown
v3 : 4.2

11 Jul 2024, 13:05

Type Values Removed Values Added
Summary
  • (es) OpenSearch Observability es una colección de complementos y aplicaciones que visualizan eventos basados en datos. Un problema en los complementos de OpenSearch observability permite el acceso no deseado a recursos privados de inquilinos, como cuadernos. El sistema no verificó adecuadamente si el usuario era el autor del recurso al acceder a recursos en un inquilino privado, lo que llevó a que se revelaran posibles datos. Los parches están incluidos en OpenSearch 2.14.

09 Jul 2024, 22:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-07-09 22:15

Updated : 2024-11-21 09:28


NVD link : CVE-2024-39901

Mitre link : CVE-2024-39901

CVE.ORG link : CVE-2024-39901


JSON object : View

Products Affected

opensearch

  • observability
CWE
CWE-639

Authorization Bypass Through User-Controlled Key