GHSA-rrmm-wq7q-h4v5
Suggest an improvement- Source
- https://github.com/advisories/GHSA-rrmm-wq7q-h4v5
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-rrmm-wq7q-h4v5/GHSA-rrmm-wq7q-h4v5.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-rrmm-wq7q-h4v5
- Published
- 2025-08-01T18:15:00Z
- Modified
- 2025-08-01T19:42:22.742247Z
- Severity
-
- 5.7 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- OpenSearch unauthorized data access on fields protected by field masking for fields of type ip, geo_point, geo_shape, xy_point, xy_shape
- Details
-
Impact
OpenSearch versions 2.19.2 and earlier improperly apply field masking rules on fields of the types
ip,geo_point,geo_shape,xy_point,xy_shape. While the content of these fields is properly redacted in the_sourcedocument returned by search operations, the original unredacted values remain available to search queries. This allows to reconstruct the original field contents using range queries.Additionally, the content of fields of type
geo_point,geo_shape,xy_point,xy_shapeis returned in an unredacted form if requested via thefieldsoption of the search API.Patches
The issue has been resolved in OpenSearch 3.0.0 and OpenSearch 2.19.3.
Workarounds
If you cannot upgrade immediately, you can avoid the problem by using field level security (FLS) protection on fields of the affected types instead of field masking.
- Database specific
{ "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2025-08-01T18:15:00Z", "nvd_published_at": null, "cwe_ids": [ "CWE-200" ] }- References
Affected packages
Maven / org.opensearch.plugin:opensearch-security
Package
- Name
- org.opensearch.plugin:opensearch-security
- View open source insights on deps.dev
- Purl
- pkg:maven/org.opensearch.plugin/opensearch-security