CVE-2022-35980
OpenSearch vulnerable to Improper Authorization of Index Containing Sensitive Information
Severity: HIGH (7.5), EPSS 0.26%
Description
### Impact

Requests to an OpenSearch cluster configured with advanced access control features ([document level security (DLS)](https://opensearch.org/docs/latest/security-plugin/access-control/document-level-security/), [field level security (FLS)](https://opensearch.org/docs/latest/security-plugin/access-control/field-level-security/), and/or [field masking](https://opensearch.org/docs/latest/security-plugin/access-control/field-masking/)) will not be filtered when the query's search pattern matches an aliased index. OpenSearch Dashboards creates an alias to `.kibana` by default, so filters with the index pattern of `*` to restrict access to documents or fields will not be applied. This issue allows requests to access sensitive information when customers have acted to restrict access to that specific information.

### Patches

OpenSearch 2.2.0+ contains the fix for this issue. OpenSearch Security Plugin 2.2.0.0 is compatible with OpenSearch 2.2.0.

### Workarounds

There is no recommended workaround.

### References

See pull request #1999 for additional details.

### For more information

If you have any questions or comments about this advisory, we ask that you contact AWS/Amazon Security via our [vulnerability reporting page](http://aws.amazon.com/security/vulnerability-reporting/) or directly via email to [email protected]. Please do **not** create a public GitHub issue.
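As an added illustration (not the plugin's own code, which is in pull request #1999), the following simplified Python model shows the failure class the advisory describes: per-index restrictions are keyed by concrete index name, so a request that resolves to an alias name finds no entry and is served unfiltered, while expanding aliases to their member indices before the lookup restores the filter. The cluster state, the `.kibana` alias target and the role's DLS query are constructed sample values.

```python
from fnmatch import fnmatch

# Constructed sample cluster: two concrete indices and a Dashboards-style
# alias ".kibana" pointing at the concrete index ".kibana_1".
CONCRETE_INDICES = {".kibana_1", "logs-2022"}
ALIASES = {".kibana": {".kibana_1"}}

# Constructed role: one DLS query attached to the index pattern "*",
# i.e. the operator intended it to apply to every index.
ROLE_DLS = {"*": {"term": {"owner": "alice"}}}


def dls_for_concrete_indices():
    """Expand role patterns into a map keyed by concrete index name,
    the shape in which per-index DLS restrictions are kept here."""
    return {idx: q for pat, q in ROLE_DLS.items()
            for idx in CONCRETE_INDICES if fnmatch(idx, pat)}


def resolve_request(search_pattern, expand_aliases):
    """Names selected by a search pattern. The vulnerable path returns
    alias names as-is; the fixed path replaces each alias by its members."""
    names = {n for n in CONCRETE_INDICES | set(ALIASES)
             if fnmatch(n, search_pattern)}
    if not expand_aliases:
        return names
    return {c for n in names for c in ALIASES.get(n, {n})}


def effective_dls(search_pattern, expand_aliases):
    """DLS filter applied per resolved target; None means unfiltered."""
    per_index = dls_for_concrete_indices()
    return {n: per_index.get(n)
            for n in resolve_request(search_pattern, expand_aliases)}


def unfiltered_targets(search_pattern, expand_aliases):
    """Targets a request would read without any DLS restriction."""
    return {n for n, q in effective_dls(search_pattern, expand_aliases).items()
            if q is None}


if __name__ == "__main__":
    # Pattern matching the alias: the vulnerable path leaks ".kibana".
    print("vulnerable:", unfiltered_targets(".kib*", expand_aliases=False))
    print("fixed:     ", unfiltered_targets(".kib*", expand_aliases=True))
```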
Affected packages (1)
- Maven `org.opensearch.plugin:opensearch-security`: >= 2.0.0.0, < 2.2.0.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
References (5)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2022-35980
- PATCH: https://github.com/opensearch-project/security
- WEB: https://github.com/opensearch-project/security/commit/7eaaafec2939d7db23a02ffca9cc68e0343de246
- WEB: https://github.com/opensearch-project/security/pull/1999
- WEB: https://github.com/opensearch-project/security/security/advisories/GHSA-f4qr-f4xx-hjxw