CVE-2022-35980: 
Java vulnerability analysis and mitigation

OpenSearch Security, a plugin for OpenSearch that provides encryption, authentication and authorization features, was found to contain an information disclosure vulnerability in versions 2.0.0.0 and 2.1.0.0. The vulnerability was discovered and disclosed on August 12, 2022, identified as CVE-2022-35980. The vulnerability affects OpenSearch clusters configured with advanced access control features including document level security (DLS), field level security (FLS), and field masking (GitHub Advisory).

The vulnerability occurs when requests to an OpenSearch cluster with advanced access control features are not properly filtered when the query's search pattern matches an aliased index. By default, OpenSearch Dashboards creates an alias to .kibana, which means filters with the index pattern of * to restrict access to documents or fields are not applied. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 HIGH (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) (NVD).

This vulnerability allows attackers to access sensitive information in cases where customers have specifically implemented restrictions to protect that information. The issue specifically bypasses document level security (DLS), field level security (FLS), and field masking controls that are meant to restrict access to sensitive data (GitHub Advisory).

The vulnerability has been fixed in OpenSearch 2.2.0, which includes Security plugin version 2.2.0.0. There are no recommended workarounds for affected versions, making upgrading to version 2.2.0 or later the only solution (GitHub Advisory).