Issue in Anomaly Detection with document and field level rules in numerical feature aggregations
CVE-2023-23933

4.3MEDIUM

Key Information:

Vendor: Opensearch-project
Status: Anomaly-detection
Vendor: CVE Published:; 3 February 2023

🔔 Create Opensearch-project Vulnerability Alert

What is CVE-2023-23933?

OpenSearch Anomaly Detection identifies atypical data and receives automatic notifications. There is an issue with the application of document and field level restrictions in the Anomaly Detection plugin, where users with the Anomaly Detector role can read aggregated numerical data (e.g. averages, sums) of fields that are otherwise restricted to them. This issue only affects authenticated users who were previously granted read access to the indexes containing the restricted fields. This issue has been patched in versions 1.3.8 and 2.6.0. There are no known workarounds for this issue.

Affected Version(s)

anomaly-detection >= 1.0.0, < 1.3.8 < 1.0.0, 1.3.8

anomaly-detection >= 2.0.0, < 2.6.0 < 2.0.0, 2.6.0

References

https://github.com/opensearch-project/anomaly-detection/s...

x_refsource_CONFIRM

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

CVSS V3.0

Score:

5.7

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 3, 2023
Vulnerability Reserved
Jan 19, 2023