CVE-2022-41917
Last modified
CVE-2022-41917 is a medium-severity vulnerability rated 4.3/10 on the CVSS scale. OpenSearch is a community-driven, open source fork of Elasticsearch and Kibana. OpenSearch allows users to specify a local file when defining text analyzers to process data for text analysis. EPSS estimates a 0.52% chance of exploitation in the next 30 days.
Description
OpenSearch is a community-driven, open source fork of Elasticsearch and Kibana. OpenSearch allows users to specify a local file when defining text analyzers to process data for text analysis. An issue in the implementation of this feature allows certain specially crafted queries to return a response containing the first line of text from arbitrary files. The list of potentially impacted files is limited to text files with read permissions allowed in the Java Security Manager policy configuration. OpenSearch version 1.3.7 and 2.4.0 contain a fix for this issue. Users are advised to upgrade. There are no known workarounds for this issue.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Amazon | Opensearch | >= 1.0.0, < 1.3.7 |
| Amazon | Opensearch | >= 2.0.0, < 2.4.0 |
References
- https://github.com/opensearch-project/OpenSearch/commit/6d20423f5920745463b1abc5f1daf6a786c41aa0Patch, Third Party Advisory
- https://github.com/opensearch-project/OpenSearch/commit/6d20423f5920745463b1abc5f1daf6a786c41aa0Patch, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2022-41917?
How severe is CVE-2022-41917?
How do I fix CVE-2022-41917?
Are you affected by CVE-2022-41917?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST