5.4

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2024-39900

GHSA ID

GHSA-xmvg-335g-x44q

EPSS Score

0.30576%

CWE

CWE-639

Published

7/18/2024

Updated

8/7/2024

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-39900

CVE-2024-39900: The OpenSearch reporting plugin improperly controls tenancy access to reporting resources

Summary

An issue in the OpenSearch reporting plugin allows unintended access to private tenant resources like notebooks. The system did not properly check if the user was the resource author when accessing resources in a private tenant, leading to potential data being revealed.

Impact

The lack of proper access control validation for private tenant resources in the OpenSearch observability and reporting plugins can lead to unintended data access. If an authorized user with observability or reporting roles is aware of another user's private tenant resource ID, such as a notebook, they can potentially read, modify, or take ownership of that resource, despite not being the original author, thus impacting the confidentiality and integrity of private tenant resources. The impact is confined to private tenant resources, where authorized users may gain inappropriate visibility into data intended to be private from other users within the same OpenSearch instance, potentially violating the intended separation of access. This issue does not alter the scope of access but highlights a flaw in the existing access control mechanisms.

Impacted versions <= 2.13

Patches

The patches are included in OpenSearch 2.14

Workarounds

None

References

OpenSearch 2.14 is available for download at https://opensearch.org/versions/opensearch-2-14-0.html

The latest version of OpenSearch is available for download at https://opensearch.org/downloads.html

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2024-39900

CVE-2024-39900:

5.4

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2024-39900

GHSA ID

GHSA-xmvg-335g-x44q

EPSS Score

0.30576%

CWE

CWE-639

Published

7/18/2024

Updated

8/7/2024

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.opensearch.plugin:opensearch-reports-scheduler	maven	< 2.14.0.0	2.14.0.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from missing user identity validation in private tenant access checks. The commit diff shows a critical addition: 'if (isUserPrivateTenant(user)) { return access.contains("$USER_TAG${user.name}") }'. This indicates the original code (pre-2.14) lacked this user-specific check, allowing any tenant member with RBAC privileges to access resources by ID without ownership validation. The UserAccessManager.kt modification directly addresses the CWE-639 scenario where user-controlled resource IDs could bypass authorization when tenant checks alone were insufficient.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

5.4

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-39900: The OpenSearch reporting plugin improperly controls tenancy access to reporting resources

Summary

Impact

Patches

Workarounds

References

CVE-2024-39900:

5.4

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

CVE-2024-39900: The OpenSearch reporting plugin improperly controls tenancy access to reporting resources

Summary

Impact

Patches

Workarounds

References

5.4

5.4

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI