CVE-2024-39901 Vulnerability Details

  /     /     /  

CVE-2024-39901 Metadata Quick Info

CVE Published: 09/07/2024 | CVE Updated: 02/08/2024 | CVE Year: 2024
Source: GitHub_M | Vendor: opensearch-project | Product: observability
Status : PUBLISHED

CVE-2024-39901 Description

OpenSearch Observability is collection of plugins and applications that visualize data-driven events. An issue in the OpenSearch observability plugins allows unintended access to private tenant resources like notebooks. The system did not properly check if the user was the resource author when accessing resources in a private tenant, leading to potential data being revealed. The patches are included in OpenSearch 2.14.

Metrics

CVSS Version: 3.1 | Base Score: 4.2 MEDIUM
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

l➤ Exploitability Metrics:
    Attack Vector (AV)* NETWORK
    Attack Complexity (AC)* HIGH
    Privileges Required (PR)* LOW
    User Interaction (UI)* NONE
    Scope (S)* UNCHANGED

l➤ Impact Metrics:
    Confidentiality Impact (C)* LOW
    Integrity Impact (I)* LOW
    Availability Impact (A)* NONE

Weakness Enumeration (CWE)

CWE-ID: CWE-639
CWE Name: CWE-639: Authorization Bypass Through User-Controlled Key
Source: opensearch-project

Common Attack Pattern Enumeration and Classification (CAPEC)

CAPEC-ID:
CAPEC Description: