Incorrect Error Handling Allowed Partial File Reads Over REST API in OpenSearch

OpenSearch is a community-driven, open source fork of Elasticsearch and Kibana. OpenSearch allows users to specify a local file when defining text analyzers to process data for text analysis. An issue in the implementation of this feature allows certain specially crafted queries to return a response containing the first line of text from arbitrary files. The list of potentially impacted files is limited to text files with read permissions allowed in the Java Security Manager policy configuration. OpenSearch version 1.3.7 and 2.4.0 contain a fix for this issue. Users are advised to upgrade. There are no known workarounds for this issue.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

信息暴露

OpenSearch Project 信息泄露漏洞

OpenSearch Project是OpenSearch Project开源的一个社区驱动的、Apache 2.0许可的开放源代码搜索和分析套件。使其易于获取、搜索、可视化和分析数据。 OpenSearch Project 1.3.7之前版本和2.4.0之前的2.x版本存在信息泄露漏洞，该漏洞源于允许某些特制查询返回包含任意文件第一行文本的响应。

N/A

N/A