VulnerableCode Package Details - pkg:gem/opensearch@2.0.0

Search for packages

Vulnerability	Summary	Fixed by
VCID-2mte-5ys1-ekbc Aliases: CVE-2022-41918 GHSA-wmx7-x4jp-9jgg	Incorrect Authorization OpenSearch is a community-driven, open source fork of Elasticsearch and Kibana. There is an issue with the implementation of fine-grained access control rules (document-level security, field-level security and field masking) where they are not correctly applied to the indices that back data streams potentially leading to incorrect access authorization. OpenSearch 1.3.7 and 2.4.0 contain a fix for this issue. Users are advised to update. There are no known workarounds for this issue.	2.4.0 Affected by 0 other vulnerabilities.
VCID-6gt7-yexx-g7hx Aliases: CVE-2023-23933 GHSA-47qw-jwpx-pp4c	Out-of-bounds Read OpenSearch Anomaly Detection identifies atypical data and receives automatic notifications. There is an issue with the application of document and field level restrictions in the Anomaly Detection plugin, where users with the Anomaly Detector role can read aggregated numerical data (e.g. averages, sums) of fields that are otherwise restricted to them. This issue only affects authenticated users who were previously granted read access to the indexes containing the restricted fields. This issue has been patched in versions 1.3.8 and 2.6.0. There are no known workarounds for this issue.	2.6.0 Affected by 0 other vulnerabilities.
VCID-bf8j-s11d-4kd8 Aliases: CVE-2023-31141 GHSA-g8xc-6mf7-h28h	Incorrect Authorization OpenSearch is open-source software suite for search, analytics, and observability applications. Prior to versions 1.3.10 and 2.7.0, there is an issue with the implementation of fine-grained access control rules (document-level security, field-level security and field masking) where they are not correctly applied to the queries during extremely rare race conditions potentially leading to incorrect access authorization. For this issue to be triggered, two concurrent requests need to land on the same instance exactly when query cache eviction happens, once every four hours. OpenSearch 1.3.10 and 2.7.0 contain a fix for this issue.	There are no reported fixed by versions.
VCID-fyj4-m2xs-p7hg Aliases: CVE-2023-25806 GHSA-c6wg-cm5x-rqvj	Observable Discrepancy OpenSearch Security is a plugin for OpenSearch that offers encryption, authentication and authorization. There is an observable discrepancy in the authentication response time between calls where the user provided exists and calls where it does not. This issue only affects calls using the internal basic identity provider (IdP), and not other externally configured IdPs. Patches were released in versions 1.3.9 and 2.6.0, there are no workarounds.	There are no reported fixed by versions.
VCID-raza-j6bt-n3d8 Aliases: CVE-2022-41917 GHSA-w3rx-m34v-wrqx	OpenSearch is a community-driven, open source fork of Elasticsearch and Kibana. OpenSearch allows users to specify a local file when defining text analyzers to process data for text analysis. An issue in the implementation of this feature allows certain specially crafted queries to return a response containing the first line of text from arbitrary files. The list of potentially impacted files is limited to text files with read permissions allowed in the Java Security Manager policy configuration. OpenSearch version 1.3.7 and 2.4.0 contain a fix for this issue. Users are advised to upgrade. There are no known workarounds for this issue.	2.4.0 Affected by 0 other vulnerabilities.
VCID-s1m1-46b8-4bd6 Aliases: CVE-2023-45807 GHSA-72q2-gwwf-6hrv	Improper Preservation of Permissions OpenSearch is a community-driven, open source fork of Elasticsearch and Kibana following the license change in early 2021. There is an issue with the implementation of tenant permissions in OpenSearch Dashboards where authenticated users with read-only access to a tenant can perform create, edit and delete operations on index metadata of dashboards and visualizations in that tenant, potentially rendering them unavailable. This issue does not affect index data, only metadata. Dashboards correctly enforces read-only permissions when indexing and updating documents. This issue does not provide additional read access to data users don’t already have. This issue can be mitigated by disabling the tenants functionality for the cluster. Versions 1.3.14 and 2.11.0 contain a fix for this issue.	2.11.0 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-2mte-5ys1-ekbc
Aliases:
CVE-2022-41918
GHSA-wmx7-x4jp-9jgg

Incorrect Authorization OpenSearch is a community-driven, open source fork of Elasticsearch and Kibana. There is an issue with the implementation of fine-grained access control rules (document-level security, field-level security and field masking) where they are not correctly applied to the indices that back data streams potentially leading to incorrect access authorization. OpenSearch 1.3.7 and 2.4.0 contain a fix for this issue. Users are advised to update. There are no known workarounds for this issue.

2.4.0
Affected by 0 other vulnerabilities.

VCID-6gt7-yexx-g7hx
Aliases:
CVE-2023-23933
GHSA-47qw-jwpx-pp4c

Out-of-bounds Read OpenSearch Anomaly Detection identifies atypical data and receives automatic notifications. There is an issue with the application of document and field level restrictions in the Anomaly Detection plugin, where users with the Anomaly Detector role can read aggregated numerical data (e.g. averages, sums) of fields that are otherwise restricted to them. This issue only affects authenticated users who were previously granted read access to the indexes containing the restricted fields. This issue has been patched in versions 1.3.8 and 2.6.0. There are no known workarounds for this issue.

2.6.0
Affected by 0 other vulnerabilities.

VCID-bf8j-s11d-4kd8
Aliases:
CVE-2023-31141
GHSA-g8xc-6mf7-h28h

Incorrect Authorization OpenSearch is open-source software suite for search, analytics, and observability applications. Prior to versions 1.3.10 and 2.7.0, there is an issue with the implementation of fine-grained access control rules (document-level security, field-level security and field masking) where they are not correctly applied to the queries during extremely rare race conditions potentially leading to incorrect access authorization. For this issue to be triggered, two concurrent requests need to land on the same instance exactly when query cache eviction happens, once every four hours. OpenSearch 1.3.10 and 2.7.0 contain a fix for this issue.

There are no reported fixed by versions.

VCID-fyj4-m2xs-p7hg
Aliases:
CVE-2023-25806
GHSA-c6wg-cm5x-rqvj

Observable Discrepancy OpenSearch Security is a plugin for OpenSearch that offers encryption, authentication and authorization. There is an observable discrepancy in the authentication response time between calls where the user provided exists and calls where it does not. This issue only affects calls using the internal basic identity provider (IdP), and not other externally configured IdPs. Patches were released in versions 1.3.9 and 2.6.0, there are no workarounds.

There are no reported fixed by versions.

VCID-raza-j6bt-n3d8
Aliases:
CVE-2022-41917
GHSA-w3rx-m34v-wrqx

OpenSearch is a community-driven, open source fork of Elasticsearch and Kibana. OpenSearch allows users to specify a local file when defining text analyzers to process data for text analysis. An issue in the implementation of this feature allows certain specially crafted queries to return a response containing the first line of text from arbitrary files. The list of potentially impacted files is limited to text files with read permissions allowed in the Java Security Manager policy configuration. OpenSearch version 1.3.7 and 2.4.0 contain a fix for this issue. Users are advised to upgrade. There are no known workarounds for this issue.

2.4.0
Affected by 0 other vulnerabilities.

VCID-s1m1-46b8-4bd6
Aliases:
CVE-2023-45807
GHSA-72q2-gwwf-6hrv

Improper Preservation of Permissions OpenSearch is a community-driven, open source fork of Elasticsearch and Kibana following the license change in early 2021. There is an issue with the implementation of tenant permissions in OpenSearch Dashboards where authenticated users with read-only access to a tenant can perform create, edit and delete operations on index metadata of dashboards and visualizations in that tenant, potentially rendering them unavailable. This issue does not affect index data, only metadata. Dashboards correctly enforces read-only permissions when indexing and updating documents. This issue does not provide additional read access to data users don’t already have. This issue can be mitigated by disabling the tenants functionality for the cluster. Versions 1.3.14 and 2.11.0 contain a fix for this issue.

2.11.0
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-05T17:13:14.191886+00:00	GitLab Importer	Affected by	VCID-raza-j6bt-n3d8	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/opensearch/CVE-2022-41917.yml	38.6.0
2026-06-05T17:13:11.807473+00:00	GitLab Importer	Affected by	VCID-2mte-5ys1-ekbc	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/opensearch/CVE-2022-41918.yml	38.6.0
2026-06-02T04:46:06.522310+00:00	GitLab Importer	Affected by	VCID-s1m1-46b8-4bd6	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/opensearch/CVE-2023-45807.yml	38.6.0
2026-06-02T04:44:45.138134+00:00	GitLab Importer	Affected by	VCID-bf8j-s11d-4kd8	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/opensearch/CVE-2023-31141.yml	38.6.0
2026-06-02T04:44:08.039612+00:00	GitLab Importer	Affected by	VCID-fyj4-m2xs-p7hg	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/opensearch/CVE-2023-25806.yml	38.6.0
2026-06-02T04:43:56.233052+00:00	GitLab Importer	Affected by	VCID-6gt7-yexx-g7hx	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/opensearch/CVE-2023-23933.yml	38.6.0