CVE-2022-35980

Description

### Impact Requests to an OpenSearch cluster configured with advanced access control features ([document level security (DLS)](https://opensearch.org/docs/latest/security-plugin/access-control/document-level-security/), [field level security (FLS)](https://opensearch.org/docs/latest/security-plugin/access-control/field-level-security/), and/or [field masking](https://opensearch.org/docs/latest/security-plugin/access-control/field-masking/)) will not be filtered when the query's search pattern matches an aliased index. OpenSearch Dashboards creates an alias to `.kibana` by default, so filters with the index pattern of `*` to restrict access to documents or fields will not be applied. This issue allows requests to access sensitive information when customer have acted to restrict access that specific information. ### Patches OpenSearch 2.2.0+ contains the fix for this issue. OpenSearch Security Plugin 2.2.0.0 is compatible with OpenSearch 2.2.0. ### Workarounds There is no recommended work around. ### References See pull request #1999 for additional details. ### For more information If you have any questions or comments about this advisory we ask that contact AWS/Amazon Security via our [vulnerability reporting page](http://aws.amazon.com/security/vulnerability-reporting/) or directly via email to aws-security@amazon.com. Please do **not** create a public GitHub issue.

How to fix CVE-2022-35980

To remediate CVE-2022-35980, upgrade the affected package to a fixed version below.

• —upgrade to 2.2.0.0 or later

Is CVE-2022-35980 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• >= 2.0.0.0, < 2.2.0.0