Advisories for Maven/Org.opensearch/Opensearch package

Impact A flaw was discovered in OpenSearch, affecting the _search API that allowed a specially crafted query string to cause a Stack Overflow and ultimately a Denial of Service. The issue was identified by Elastic Engineering and corresponds to security advisory ESA-2023-14 (CVE-2023-31419). Mitigation Versions 1.3.14 and 2.11.1 contain a fix for this issue. For more information If you have any questions or comments about this advisory, please contact AWS/Amazon …

Advisory title: Issue with whitespace in JWT roles Affected versions: OpenSearch 1.0.0-1.3.7 and 2.0.0-2.4.1 Patched versions: OpenSearch 1.3.8 and 2.5.0 Impact: OpenSearch uses JWTs to store role claims obtained from the Identity Provider (IdP) when the authentication backend is SAML or OpenID Connect. There is an issue in how those claims are processed from the JWTs where the leading and trailing whitespace is trimmed, allowing users to potentially claim roles …

Advisory title: Field-level security issue with .keyword fields Affected versions: OpenSearch 1.0.0-1.3.7 and 2.0.0-2.4.1 Patched versions: OpenSearch 1.3.8 and 2.5.0 Impact: There is an issue in the implementation of field-level security (FLS) and field masking where rules written to explicitly exclude fields are not correctly applied for certain queries that rely on their auto-generated .keyword fields. This issue is only present for authenticated users with read access to the indexes …