Time discrepancy in authentication responses in OpenSearch
CVE-2023-25806

5.3MEDIUM

Key Information:

Vendor

Opensearch-project

Status
Security
Vendor
CVE Published:
2 March 2023

What is CVE-2023-25806?

OpenSearch Security is a plugin for OpenSearch that offers encryption, authentication and authorization. There is an observable discrepancy in the authentication response time between calls where the user provided exists and calls where it does not. This issue only affects calls using the internal basic identity provider (IdP), and not other externally configured IdPs. Patches were released in versions 1.3.9 and 2.6.0, there are no workarounds.

Affected Version(s)

security < 1.3.9 < 1.3.9

security >= 2.0.0, < 2.6.0 < 2.0.0, 2.6.0

References

https://github.com/opensearch-project/security/security/a...
x_refsource_CONFIRM

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

CVSS V3.0

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.