CVE-2022-41917
Summary
| CVE | CVE-2022-41917 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2022-11-16 00:15:00 UTC |
| Updated | 2023-07-10 16:48:00 UTC |
| Description | OpenSearch is a community-driven, open source fork of Elasticsearch and Kibana. OpenSearch allows users to specify a local file when defining text analyzers to process data for text analysis. An issue in the implementation of this feature allows certain specially crafted queries to return a response containing the first line of text from arbitrary files. The list of potentially impacted files is limited to text files with read permissions allowed in the Java Security Manager policy configuration. OpenSearch version 1.3.7 and 2.4.0 contain a fix for this issue. Users are advised to upgrade. There are no known workarounds for this issue. |
Risk And Classification
Problem Types: CWE-755
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Amazon | Opensearch | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Merge pull request from GHSA-w3rx-m34v-wrqx · opensearch-project/OpenSearch@6d20423 · GitHub | MISC | github.com | |
| Incorrect Error Handling Allowed Partial File Reads Over REST API · Advisory · opensearch-project/OpenSearch · GitHub | CONFIRM | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.