CVE-2023-23613 - Vulnerability Details - OpenCVE

OpenSearch is an open source distributed and RESTful search engine. In affected versions there is an issue in the implementation of field-level security (FLS) and field masking where rules written to explicitly exclude fields are not correctly applied for certain queries that rely on their auto-generated .keyword fields. This issue is only present for authenticated users with read access to the indexes containing the restricted fields. This may expose data which may otherwise not be accessible to the user. OpenSearch 1.0.0-1.3.7 and 2.0.0-2.4.1 are affected. Users are advised to upgrade to OpenSearch 1.3.8 or 2.5.0. Users unable to upgrade may write explicit exclusion rules as a workaround. Policies authored in this way are not subject to this issue.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Amazon	Opensearch

Configuration 1 [-]

OR	cpe:2.3:a:amazon:opensearch::::::-::*
	cpe:2.3:a:amazon:opensearch::::::-::*

No data.

References

Link	Providers
https://github.com/opensearch-project/OpenSearch/releases/tag/2.5.0
https://github.com/opensearch-project/security/security/advisories/GHSA-v3cg-7r9h-r2g6

History

Mon, 10 Mar 2025 22:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-01-24T20:33:55.673Z

Updated: 2025-03-10T21:20:32.391Z

Reserved: 2023-01-16T17:07:46.242Z

Link: CVE-2023-23613

Vulnrichment

Updated: 2024-08-02T10:35:33.607Z

NVD

Status : Modified

Published: 2023-01-26T21:18:14.900

Modified: 2024-11-21T07:46:32.080

Link: CVE-2023-23613

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-23613", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-01-16T17:07:46.242Z", "datePublished": "2023-01-24T20:33:55.673Z", "dateUpdated": "2025-03-10T21:20:32.391Z"}, "containers": {"cna": {"title": "Field-level security issue with .keyword fields in OpenSearch", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/opensearch-project/security/security/advisories/GHSA-v3cg-7r9h-r2g6", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/opensearch-project/security/security/advisories/GHSA-v3cg-7r9h-r2g6"}, {"name": "https://github.com/opensearch-project/OpenSearch/releases/tag/2.5.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/opensearch-project/OpenSearch/releases/tag/2.5.0"}], "affected": [{"vendor": "opensearch-project", "product": "security", "versions": [{"version": ">= 2.0.0, < 2.5.0", "status": "affected"}, {"version": "< 1.3.8", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-01-24T20:33:55.673Z"}, "descriptions": [{"lang": "en", "value": "OpenSearch is an open source distributed and RESTful search engine. In affected versions there is an issue in the implementation of field-level security (FLS) and field masking where rules written to explicitly exclude fields are not correctly applied for certain queries that rely on their auto-generated .keyword fields. This issue is only present for authenticated users with read access to the indexes containing the restricted fields. This may expose data which may otherwise not be accessible to the user. OpenSearch 1.0.0-1.3.7 and 2.0.0-2.4.1 are affected. Users are advised to upgrade to OpenSearch 1.3.8 or 2.5.0. Users unable to upgrade may write explicit exclusion rules as a workaround. Policies authored in this way are not subject to this issue."}], "source": {"advisory": "GHSA-v3cg-7r9h-r2g6", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T10:35:33.607Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/opensearch-project/security/security/advisories/GHSA-v3cg-7r9h-r2g6", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/opensearch-project/security/security/advisories/GHSA-v3cg-7r9h-r2g6"}, {"name": "https://github.com/opensearch-project/OpenSearch/releases/tag/2.5.0", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/opensearch-project/OpenSearch/releases/tag/2.5.0"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-10T20:59:33.987118Z", "id": "CVE-2023-23613", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-10T21:20:32.391Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/opensearch-project/security/security/advisories/GHSA-v3cg-7r9h-r2g6", "name": "https://github.com/opensearch-project/security/security/advisories/GHSA-v3cg-7r9h-r2g6", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/opensearch-project/OpenSearch/releases/tag/2.5.0", "name": "https://github.com/opensearch-project/OpenSearch/releases/tag/2.5.0", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T10:35:33.607Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-23613", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-03-10T20:59:33.987118Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-10T20:59:35.366Z"}}], "cna": {"title": "Field-level security issue with .keyword fields in OpenSearch", "source": {"advisory": "GHSA-v3cg-7r9h-r2g6", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.7, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "opensearch-project", "product": "security", "versions": [{"status": "affected", "version": ">= 2.0.0, < 2.5.0"}, {"status": "affected", "version": "< 1.3.8"}]}], "references": [{"url": "https://github.com/opensearch-project/security/security/advisories/GHSA-v3cg-7r9h-r2g6", "name": "https://github.com/opensearch-project/security/security/advisories/GHSA-v3cg-7r9h-r2g6", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/opensearch-project/OpenSearch/releases/tag/2.5.0", "name": "https://github.com/opensearch-project/OpenSearch/releases/tag/2.5.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "OpenSearch is an open source distributed and RESTful search engine. In affected versions there is an issue in the implementation of field-level security (FLS) and field masking where rules written to explicitly exclude fields are not correctly applied for certain queries that rely on their auto-generated .keyword fields. This issue is only present for authenticated users with read access to the indexes containing the restricted fields. This may expose data which may otherwise not be accessible to the user. OpenSearch 1.0.0-1.3.7 and 2.0.0-2.4.1 are affected. Users are advised to upgrade to OpenSearch 1.3.8 or 2.5.0. Users unable to upgrade may write explicit exclusion rules as a workaround. Policies authored in this way are not subject to this issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-01-24T20:33:55.673Z"}}}, "cveMetadata": {"cveId": "CVE-2023-23613", "state": "PUBLISHED", "dateUpdated": "2025-03-10T21:20:32.391Z", "dateReserved": "2023-01-16T17:07:46.242Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2023-01-24T20:33:55.673Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:amazon:opensearch:*:*:*:*:*:-:*:*", "matchCriteriaId": "F78DAC9C-A051-4B4C-AC4F-08A65195A932", "versionEndExcluding": "1.3.8", "versionStartIncluding": "1.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:amazon:opensearch:*:*:*:*:*:-:*:*", "matchCriteriaId": "F032A171-FC92-43EF-9B04-E65EFDAC4F9D", "versionEndExcluding": "2.5.0", "versionStartIncluding": "2.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "OpenSearch is an open source distributed and RESTful search engine. In affected versions there is an issue in the implementation of field-level security (FLS) and field masking where rules written to explicitly exclude fields are not correctly applied for certain queries that rely on their auto-generated .keyword fields. This issue is only present for authenticated users with read access to the indexes containing the restricted fields. This may expose data which may otherwise not be accessible to the user. OpenSearch 1.0.0-1.3.7 and 2.0.0-2.4.1 are affected. Users are advised to upgrade to OpenSearch 1.3.8 or 2.5.0. Users unable to upgrade may write explicit exclusion rules as a workaround. Policies authored in this way are not subject to this issue."}, {"lang": "es", "value": "OpenSearch es un motor de b\u00fasqueda RESTful y distribuido de c\u00f3digo abierto. En las versiones afectadas hay un problema en la implementaci\u00f3n de la seguridad a nivel de campo (FLS) y el enmascaramiento de campos donde las reglas escritas para excluir campos expl\u00edcitamente no se aplican correctamente para ciertas consultas que dependen de sus campos .keyword generados autom\u00e1ticamente. Este problema solo est\u00e1 presente para usuarios autenticados con acceso de lectura a los \u00edndices que contienen los campos restringidos. Esto puede exponer datos a los que de otra manera el usuario no podr\u00eda acceder. OpenSearch 1.0.0-1.3.7 y 2.0.0-2.4.1 se ven afectados. Se recomienda a los usuarios que actualicen a OpenSearch 1.3.8 o 2.5.0. Los usuarios que no puedan actualizar pueden escribir reglas de exclusi\u00f3n expl\u00edcitas Como workaround. Las pol\u00edticas creadas de esta manera no est\u00e1n sujetas a esta cuesti\u00f3n."}], "id": "CVE-2023-23613", "lastModified": "2024-11-21T07:46:32.080", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-01-26T21:18:14.900", "references": [{"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/opensearch-project/OpenSearch/releases/tag/2.5.0"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/opensearch-project/security/security/advisories/GHSA-v3cg-7r9h-r2g6"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/opensearch-project/OpenSearch/releases/tag/2.5.0"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/opensearch-project/security/security/advisories/GHSA-v3cg-7r9h-r2g6"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-200"}], "source": "nvd@nist.gov", "type": "Primary"}]}