CVE-2024-39901
low-risk
Published 2024-07-09
OpenSearch Observability is collection of plugins and applications that visualize data-driven events. An issue in the OpenSearch observability plugins allows unintended access to private tenant resources like notebooks. The system did not properly check if the user was the resource author when accessing resources in a private tenant, leading to potential data being revealed. The patches are included in OpenSearch 2.14.
Do I need to act?
-
0.24% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
4
CVSS 4.2/10
Medium
NETWORK
/ HIGH complexity
Affected Products (1)
Observability
Affected Vendors
References (6)
Third Party Advisory
https://github.com/opensearch-project/observability/security/advisories/GHSA-77v...
Third Party Advisory
https://github.com/opensearch-project/observability/security/advisories/GHSA-77v...
20
/ 100
low-risk
Severity
14/34 · Moderate
Exploitability
1/34 · Minimal
Exposure
5/34 · Minimal