CVE-2023-31141 MEDIUM

CVE-2023-31141: OpenSearch issue with fine-grained access control during extremely rare race conditions

Vendor Opensearch-Project
Product security
Weakness CWE-863 · Incorrect authorization
Published May 8, 2023
Last update January 29, 2025

CVSS base score

4.8/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction Required
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

OpenSearch is open-source software suite for search, analytics, and observability applications. Prior to versions 1.3.10 and 2.7.0, there is an issue with the implementation of fine-grained access control rules (document-level security, field-level security and field masking) where they are not correctly applied to the queries during extremely rare race conditions potentially leading to incorrect access authorization. For this issue to be triggered, two concurrent requests need to land on the same instance exactly when query cache eviction happens, once every four hours. OpenSearch 1.3.10 and 2.7.0 contain a fix for this issue.

Key dates

02Disclosure timeline

May 8, 2023 CVE published
January 29, 2025 Record updated