CVE-2022-41918 MEDIUM

CVE-2022-41918: Issue with fine-grained access control of indices backing data streams

Vendor: Opensearch-Project
Product: security
Weakness: CWE-863 · Incorrect authorization
Published: November 15, 2022
Last update: April 23, 2025

CVSS base score

6.3/10
Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Confidentiality: Low
Integrity: Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

What the vulnerability does

01 Description

OpenSearch is a community-driven, open-source fork of Elasticsearch and Kibana. Its fine-grained access control rules (document-level security, field-level security and field masking) are not correctly applied to the indices that back data streams, which can lead to incorrect access authorization. OpenSearch 1.3.7 and 2.4.0 contain a fix for this issue. Users are advised to update. There are no known workarounds for this issue.

Key dates

02 Disclosure timeline

November 15, 2022: CVE published
April 23, 2025: Record updated
