CVE-2023-31141

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-31141

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-31141.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2023-31141

Aliases

GHSA-g8xc-6mf7-h28h

Downstream

UBUNTU-CVE-2023-31141

Published

2023-05-08T20:33:58.601Z

Modified

2025-12-09T12:03:45.560300Z

Severity

4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N CVSS Calculator

Summary

OpenSearch issue with fine-grained access control during extremely rare race conditions

Details

OpenSearch is open-source software suite for search, analytics, and observability applications. Prior to versions 1.3.10 and 2.7.0, there is an issue with the implementation of fine-grained access control rules (document-level security, field-level security and field masking) where they are not correctly applied to the queries during extremely rare race conditions potentially leading to incorrect access authorization. For this issue to be triggered, two concurrent requests need to land on the same instance exactly when query cache eviction happens, once every four hours. OpenSearch 1.3.10 and 2.7.0 contain a fix for this issue.

Database specific

{
    "cwe_ids": [
        "CWE-863"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/31xxx/CVE-2023-31141.json"
}

References

Affected packages

Git

github.com/opensearch-project/anomaly-detection

Affected ranges

Type: GIT
Repo: https://github.com/opensearch-project/anomaly-detection
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

ecb2f8c157edf73ef655fc5c3f6791cc012db992

Affected versions

Other

(None)

1.*

1.0.0.0-beta1

1.0.0.0-rc1

1.3.0.0

1.3.1.0

1.3.2.0

1.3.3.0

1.3.4.0

1.3.5.0

1.3.6.0

1.3.7.0

1.3.8.0

1.3.9.0

v1.*

v1.10.0.0

v1.10.1.0

v1.11.0.0

v1.12.0.0

v1.13.0.0

v1.2.1-alpha

v1.7.0.0

v1.8.0.0

v1.9.0.0

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-31141.json"

github.com/opensearch-project/opensearch

Affected ranges

Type: GIT
Repo: https://github.com/opensearch-project/opensearch
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

b2150b9f6f6c8a15059ef415d3e24bdedd3e253c

Affected versions

1.*

1.0.0-alpha1

1.0.0-alpha2

1.0.0-beta1

1.3.0

1.3.1

1.3.2

1.3.3

1.3.4

1.3.5

1.3.6

1.3.7

1.3.8

1.3.9

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-31141.json"

github.com/opensearch-project/security

Affected ranges

Type: GIT
Repo: https://github.com/opensearch-project/security
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

87c8e468f4c47bea0a140b52e39197aef4ff45ba

Affected versions

1.*

1.0.0.0

1.1.0.0

1.3.0.0

1.3.1.0

1.3.2.0

1.3.3.0

1.3.4.0

1.3.5.0

1.3.6.0

1.3.7.0

1.3.8.0

1.3.9.0

v0.*

v0.7.0.0

v0.7.0.1

v0.8.0.0

v0.9.0.0

v1.*

v1.0.0.0

v1.0.0.0-beta1

v1.0.0.0-beta1-rc1

v1.0.0.0-beta1-rc2

v1.0.0.0-beta1-rc3

v1.0.0.0-rc1

v1.0.1.0-OS-rc1

v1.1.0.0

v1.10.0.0-rc1

v1.10.1.0

v1.10.1.0-rc1

v1.10.1.0-rc2

v1.11.0.0

v1.11.0.0-rc1

v1.12.0.0

v1.12.0.0-rc

v1.13.0.0

v1.13.0.0-rc1

v1.13.0.0-rc2

v1.13.0.0-rc3

v1.13.0.0-rc4

v1.13.1.0

v1.13.1.0-rc1

v1.13.1.0-rc2

v1.3.0.0

v1.4.0.0

v1.5.0.0

v1.5.0.1

v1.6.0.0

v1.7.0.0

v1.8.0.0

v1.9.0.0

v1.9.0.0-rc1

v1.9.0.0-rc2

v1.9.0.1

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-31141.json"