Lookup of vulnerable packages by Package URL.

Purl pkg:maven/org.opensearch/opensearch@1.2.0
Type maven
Namespace org.opensearch
Name opensearch
Version 1.2.0
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 1.3.14
Latest_non_vulnerable_version 2.11.1
Affected_by_vulnerabilities
0
url VCID-4sqn-4e9r-fuhu
vulnerability_id VCID-4sqn-4e9r-fuhu
summary OpenSearch is an open source distributed and RESTful search engine. OpenSearch uses JWTs to store role claims obtained from the Identity Provider (IdP) when the authentication backend is SAML or OpenID Connect. There is an issue in how those claims are processed from the JWTs where the leading and trailing whitespace is trimmed, allowing users to potentially claim roles they are not assigned to if any role matches the whitespace-stripped version of the roles they are a member of. This issue is only present for authenticated users, and it requires either the existence of roles that match, not considering leading/trailing whitespace, or the ability for users to create said matching roles. In addition, the Identity Provider must allow leading and trailing spaces in role names. OpenSearch 1.0.0-1.3.7 and 2.0.0-2.4.1 are affected. Users are advised to upgrade to OpenSearch 1.3.8 or 2.5.0. There are no known workarounds for this issue.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-23612
reference_id
reference_type
scores
0
value 0.00188
scoring_system epss
scoring_elements 0.40508
published_at 2026-06-11T12:55:00Z
1
value 0.00188
scoring_system epss
scoring_elements 0.40675
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-23612
1
reference_url https://github.com/opensearch-project/security
reference_id
reference_type
scores
0
value 4.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/opensearch-project/security
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-23612
reference_id
reference_type
scores
0
value 4.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-23612
3
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054912
reference_id 1054912
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054912
4
reference_url https://github.com/opensearch-project/OpenSearch/releases/tag/2.5.0
reference_id 2.5.0
reference_type
scores
0
value 4.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T20:59:30Z/
url https://github.com/opensearch-project/OpenSearch/releases/tag/2.5.0
5
reference_url https://github.com/advisories/GHSA-864v-6qj7-62qj
reference_id GHSA-864v-6qj7-62qj
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-864v-6qj7-62qj
6
reference_url https://github.com/opensearch-project/security/security/advisories/GHSA-864v-6qj7-62qj
reference_id GHSA-864v-6qj7-62qj
reference_type
scores
0
value 4.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T20:59:30Z/
url https://github.com/opensearch-project/security/security/advisories/GHSA-864v-6qj7-62qj
fixed_packages
0
url pkg:maven/org.opensearch/opensearch@1.3.8
purl pkg:maven/org.opensearch/opensearch@1.3.8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-f661-wsgs-6baq
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.opensearch/opensearch@1.3.8
1
url pkg:maven/org.opensearch/opensearch@2.5.0
purl pkg:maven/org.opensearch/opensearch@2.5.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-f661-wsgs-6baq
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.opensearch/opensearch@2.5.0
aliases CVE-2023-23612, GHSA-864v-6qj7-62qj, GMS-2023-117
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-4sqn-4e9r-fuhu
1
url VCID-f661-wsgs-6baq
vulnerability_id VCID-f661-wsgs-6baq
summary
OpenSearch StackOverflow vulnerability
### Impact
A flaw was discovered in OpenSearch, affecting the `_search` API that allowed a specially crafted query string to cause a Stack Overflow and ultimately a Denial of Service.

The issue was identified by Elastic Engineering and corresponds to security advisory [ESA-2023-14](https://discuss.elastic.co/t/elasticsearch-8-9-1-7-17-13-security-update/343297) (CVE-2023-31419).

### Mitigation
Versions 1.3.14 and 2.11.1 contain a fix for this issue.

### For more information
If you have any questions or comments about this advisory, please contact AWS/Amazon Security via our issue reporting page (https://aws.amazon.com/security/vulnerability-reporting/) or directly via email to [aws-security@amazon.com](mailto:aws-security@amazon.com). Please do not create a public GitHub issue.
references
0
reference_url https://github.com/opensearch-project/OpenSearch
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/opensearch-project/OpenSearch
1
reference_url https://github.com/opensearch-project/OpenSearch/security/advisories/GHSA-6g3j-p5g6-992f
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/opensearch-project/OpenSearch/security/advisories/GHSA-6g3j-p5g6-992f
2
reference_url https://github.com/advisories/GHSA-6g3j-p5g6-992f
reference_id GHSA-6g3j-p5g6-992f
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-6g3j-p5g6-992f
fixed_packages
0
url pkg:maven/org.opensearch/opensearch@1.3.14
purl pkg:maven/org.opensearch/opensearch@1.3.14
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.opensearch/opensearch@1.3.14
1
url pkg:maven/org.opensearch/opensearch@2.11.1
purl pkg:maven/org.opensearch/opensearch@2.11.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.opensearch/opensearch@2.11.1
aliases GHSA-6g3j-p5g6-992f, GMS-2023-5381
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-f661-wsgs-6baq
2
url VCID-kcg7-7fh4-yqe5
vulnerability_id VCID-kcg7-7fh4-yqe5
summary OpenSearch is an open source distributed and RESTful search engine. In affected versions there is an issue in the implementation of field-level security (FLS) and field masking where rules written to explicitly exclude fields are not correctly applied for certain queries that rely on their auto-generated .keyword fields. This issue is only present for authenticated users with read access to the indexes containing the restricted fields. This may expose data which may otherwise not be accessible to the user. OpenSearch 1.0.0-1.3.7 and 2.0.0-2.4.1 are affected. Users are advised to upgrade to OpenSearch 1.3.8 or 2.5.0. Users unable to upgrade may write explicit exclusion rules as a workaround. Policies authored in this way are not subject to this issue.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-23613
reference_id
reference_type
scores
0
value 0.00354
scoring_system epss
scoring_elements 0.58128
published_at 2026-06-11T12:55:00Z
1
value 0.00354
scoring_system epss
scoring_elements 0.58241
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-23613
1
reference_url https://github.com/opensearch-project/security
reference_id
reference_type
scores
0
value 5.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/opensearch-project/security
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-23613
reference_id
reference_type
scores
0
value 5.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-23613
3
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054912
reference_id 1054912
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054912
4
reference_url https://github.com/opensearch-project/OpenSearch/releases/tag/2.5.0
reference_id 2.5.0
reference_type
scores
0
value 5.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T20:59:33Z/
url https://github.com/opensearch-project/OpenSearch/releases/tag/2.5.0
5
reference_url https://github.com/advisories/GHSA-v3cg-7r9h-r2g6
reference_id GHSA-v3cg-7r9h-r2g6
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-v3cg-7r9h-r2g6
6
reference_url https://github.com/opensearch-project/security/security/advisories/GHSA-v3cg-7r9h-r2g6
reference_id GHSA-v3cg-7r9h-r2g6
reference_type
scores
0
value 5.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T20:59:33Z/
url https://github.com/opensearch-project/security/security/advisories/GHSA-v3cg-7r9h-r2g6
fixed_packages
0
url pkg:maven/org.opensearch/opensearch@1.3.8
purl pkg:maven/org.opensearch/opensearch@1.3.8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-f661-wsgs-6baq
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.opensearch/opensearch@1.3.8
1
url pkg:maven/org.opensearch/opensearch@2.5.0
purl pkg:maven/org.opensearch/opensearch@2.5.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-f661-wsgs-6baq
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.opensearch/opensearch@2.5.0
aliases CVE-2023-23613, GHSA-v3cg-7r9h-r2g6, GMS-2023-118
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-kcg7-7fh4-yqe5
Fixing_vulnerabilities
Risk_score 3.1
Resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.opensearch/opensearch@1.2.0