CVE-2024-39901

EPSS 0.24%
Veröffentlicht 09.07.2024 22:15:03
Zuletzt bearbeitet 21.11.2024 09:28:31
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

OpenSearch Observability is collection of plugins and applications that visualize data-driven events. An issue in the OpenSearch observability plugins allows unintended access to private tenant resources like notebooks. The system did not properly check if the user was the resource author when accessing resources in a private tenant, leading to potential data being revealed. The patches are included in OpenSearch 2.14.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Opensearch ≫ Observability Version < 2.14

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.24%	0.467

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.4	2.8	2.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
security-advisories@github.com	4.2	1.6	2.5	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

CWE-639 Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

https://opensearch.org/versions/opensearch-2-14-0.html

Product

https://github.com/opensearch-project/observability/commit/014423178f8f61d90442dde03cbdcd754c70a84e

Patch

https://github.com/opensearch-project/observability/security/advisories/GHSA-77vc-rj32-2r33

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-39901

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-39901

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-39901

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-39901