Headline
GHSA-rrmm-wq7q-h4v5: OpenSearch unauthorized data access on fields protected by field masking for fields of type ip, geo_point, geo_shape, xy_point, xy_shape
Impact
OpenSearch versions 2.19.2 and earlier improperly apply field masking rules on fields of the types ip, geo_point, geo_shape, xy_point, xy_shape. While the content of these fields is properly redacted in the _source document returned by search operations, the original unredacted values remain available to search queries. This allows to reconstruct the original field contents using range queries.
Additionally, the content of fields of type geo_point, geo_shape, xy_point, xy_shape is returned in an unredacted form if requested via the fields option of the search API.
Patches
The issue has been resolved in OpenSearch 3.0.0 and OpenSearch 2.19.3.
Workarounds
If you cannot upgrade immediately, you can avoid the problem by using field level security (FLS) protection on fields of the affected types instead of field masking.
Impact
OpenSearch versions 2.19.2 and earlier improperly apply field masking rules on fields of the types ip, geo_point, geo_shape, xy_point, xy_shape. While the content of these fields is properly redacted in the _source document returned by search operations, the original unredacted values remain available to search queries. This allows to reconstruct the original field contents using range queries.
Additionally, the content of fields of type geo_point, geo_shape, xy_point, xy_shape is returned in an unredacted form if requested via the fields option of the search API.
Patches
The issue has been resolved in OpenSearch 3.0.0 and OpenSearch 2.19.3.
Workarounds
If you cannot upgrade immediately, you can avoid the problem by using field level security (FLS) protection on fields of the affected types instead of field masking.
References
- GHSA-rrmm-wq7q-h4v5