CVE-2023-23933 MEDIUM

CVE-2023-23933: Issue in Anomaly Detection with document and field level rules in numerical feature aggregations

Vendor Opensearch-Project

Product anomaly-detection

Weakness CWE-125

Published February 3, 2023

Last update March 10, 2025

View on NVD All CVEs

CVSS base score

5.7/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction Required

Confidentiality High

Integrity None

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

OpenSearch Anomaly Detection identifies atypical data and receives automatic notifications. There is an issue with the application of document and field level restrictions in the Anomaly Detection plugin, where users with the Anomaly Detector role can read aggregated numerical data (e.g. averages, sums) of fields that are otherwise restricted to them. This issue only affects authenticated users who were previously granted read access to the indexes containing the restricted fields. This issue has been patched in versions 1.3.8 and 2.6.0. There are no known workarounds for this issue.

Key dates

02Disclosure timeline

February 3, 2023 CVE published

March 10, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-23933 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/125.html

Related vulnerabilities

Identifiers

CVE CVE-2023-23933

CWE CWE-125

CVSS 5.7 / MEDIUM

Affected versions

Vendor Opensearch-Project

Product anomaly-detection

Affected >= 1.0.0, < 1.3.8

Vendor Opensearch-Project

Product anomaly-detection

Affected >= 2.0.0, < 2.6.0

CVE-2023-23933: Issue in Anomaly Detection with document and field level rules in numerical feature aggregations

01Description

02Disclosure timeline

03References

04Related CVE