CVE-2022-41906 HIGH

CVE-2022-41906: OpenSearch Notifications is vulnerable to Server-Side Request Forgery (SSRF)

Vendor Opensearch-Project
Product notifications
Weakness CWE-918 · SSRF
Published November 11, 2022
Last update April 23, 2025
View on NVD All CVEs

CVSS base score

7.7/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N

What the vulnerability does

01Description

OpenSearch Notifications is a notifications plugin for OpenSearch that enables other plugins to send notifications via Email, Slack, Amazon Chime, Custom web-hook etc channels. A potential SSRF issue in OpenSearch Notifications Plugin starting in 2.0.0 and prior to 2.2.1 could allow an existing privileged user to enumerate listening services or interact with configured resources via HTTP requests exceeding the Notification plugin's intended scope. OpenSearch 2.2.1+ contains the fix for this issue. There are currently no recommended workarounds.

Key dates

02Disclosure timeline

November 11, 2022 CVE published
April 23, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-13904 Platform.ly for WooCommerce <= 1.1.6 - Unauthenticated Blind Server-Side Request Forgery CVE-2023-53893 Ateme TITAN File 3.9 Authenticated Server-Side Request Forgery Vulnerability CVE-2024-39598 [Multiple CVEs] Multiple vulnerabilities in SAP CRM (WebClient UI) CVE-2025-10735 Block For Mailchimp – Easy Mailchimp Form Integration <= 1.1.12 - Unauthenticated Blind Server-Side Request Forgery CVE-2024-55910 IBM Concert Software server-side request forgery