CVE-2024-39900
MEDIUMOpenSearch Observability < 2.14 - Authorization Bypass via Private Tenant Resource Access
Title source: llmDescription
OpenSearch Dashboards Reports allows ‘Report Owner’ export and share reports from OpenSearch Dashboards. An issue in the OpenSearch reporting plugin allows unintended access to private tenant resources like notebooks. The system did not properly check if the user was the resource author when accessing resources in a private tenant, leading to potential data being revealed. The patches are included in OpenSearch 2.14.
References (3)
Core 3
Core References
Third Party Advisory x_refsource_confirm
https://github.com/opensearch-project/reporting/security/advisories/GHSA-xmvg-335g-x44q
Patch x_refsource_misc
https://github.com/opensearch-project/reporting/commit/2403014c57ee63268e83d919db3334b676a8c992
Product x_refsource_misc
https://opensearch.org/versions/opensearch-2-14-0.html
Scores
CVSS v3
5.4
EPSS
0.0031
EPSS Percentile
21.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-639
Status
published
Products (2)
opensearch/observability
< 2.14
org.opensearch.plugin/opensearch-reports-scheduler
0 - 2.14.0.0Maven
Published
Jul 09, 2024
Tracked Since
Feb 18, 2026