Issue with whitespace in JWT roles in OpenSearch
CVE-2023-23612
What is CVE-2023-23612?
OpenSearch, an open-source distributed search engine, has a vulnerability in its handling of JSON Web Tokens (JWTs) that can lead to unauthorized role claims. The flaw lies in the processing of role claims: leading and trailing whitespace is stripped from role names. This allows authenticated users to access roles they are not assigned when another role's name matches the whitespace-stripped version of a role they hold. Exploitation requires that the identity provider permit whitespace in role names, and that users either hold roles that can be misrepresented in this way or be allowed to create such roles themselves. To mitigate this risk, users are strongly recommended to upgrade to OpenSearch version 1.3.8 or 2.5.0, as no workarounds are available.
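To check whether an identity provider's role list contains names that collide once whitespace is stripped, the condition above can be audited directly. The Python below is an added example, not OpenSearch code; it assumes the token carries its roles as a JSON list under a `roles` key, and both the role list and the decoded token payload are constructed sample data.

```python
# Constructed sample data: role names as an identity provider might export them,
# and the decoded payload of a JWT it issued (signature handling is out of scope).
IDP_ROLES = ["admin", " admin", "readonly", "ops", "ops ", "audit\t"]
JWT_PAYLOAD = {"sub": "alice", "roles": [" admin", "readonly"]}  # "roles" key is an assumption


def resolve_roles(payload, strip):
    """Return the role names a consumer would act on for this token.

    strip=True models the whitespace stripping the advisory describes;
    strip=False compares role names exactly as issued.
    """
    roles = payload.get("roles", [])
    return [r.strip() if strip else r for r in roles]


def find_collisions(role_names):
    """Group distinct role names that become identical once stripped."""
    groups = {}
    for name in role_names:
        groups.setdefault(name.strip(), set()).add(name)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


def padded_roles(role_names):
    """Role names with leading or trailing whitespace (candidates to rename)."""
    return sorted(n for n in set(role_names) if n != n.strip())


def unassigned_after_strip(payload):
    """Roles the token resolves to after stripping that were never issued."""
    issued = set(resolve_roles(payload, strip=False))
    return sorted(set(resolve_roles(payload, strip=True)) - issued)


if __name__ == "__main__":
    print("exact   :", resolve_roles(JWT_PAYLOAD, strip=False))
    print("stripped:", resolve_roles(JWT_PAYLOAD, strip=True))
    print("gained  :", unassigned_after_strip(JWT_PAYLOAD))
    for stripped, raw in find_collisions(IDP_ROLES).items():
        print(f"collision on {stripped!r}: {raw!r}")
    print("padded  :", [repr(n) for n in padded_roles(IDP_ROLES)])
```

An empty result from `find_collisions` and `padded_roles` on the real role export means the precondition about whitespace in role names is not met; upgrading remains the fix either way.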
Affected Version(s)
security: >= 2.0.0, < 2.5.0
security: < 1.3.8