{"id":"CVE-2022-41917","summary":"Incorrect Error Handling Allowed Partial File Reads Over REST API in OpenSearch","details":"OpenSearch is a community-driven, open source fork of Elasticsearch and Kibana. OpenSearch allows users to specify a local file when defining text analyzers to process data for text analysis. An issue in the implementation of this feature allows certain specially crafted queries to return a response containing the first line of text from arbitrary files. The list of potentially impacted files is limited to text files with read permissions allowed in the Java Security Manager policy configuration. OpenSearch version 1.3.7 and 2.4.0 contain a fix for this issue. Users are advised to upgrade. There are no known workarounds for this issue.","aliases":["GHSA-w3rx-m34v-wrqx"],"modified":"2026-04-12T03:22:13.789466Z","published":"2022-11-15T00:00:00Z","database_specific":{"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/41xxx/CVE-2022-41917.json","cwe_ids":["CWE-200"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/41xxx/CVE-2022-41917.json"},{"type":"ADVISORY","url":"https://github.com/opensearch-project/OpenSearch/security/advisories/GHSA-w3rx-m34v-wrqx"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-41917"},{"type":"FIX","url":"https://github.com/opensearch-project/OpenSearch/commit/6d20423f5920745463b1abc5f1daf6a786c41aa0"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/opensearch-project/opensearch","events":[{"introduced":"0"},{"fixed":"db18a0d5a08b669fb900c00d81462e221f4438ee"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.3.7"}]}},{"type":"GIT","repo":"https://github.com/opensearch-project/opensearch","events":[{"introduced":"bae3b4e4178c20ac24fece8e82099abe3b2630d0"},{"fixed":"744ca260b892d119be8164f48d92b8810bd7801c"}],"database_specific":{"versions":[{"introduced":"2.0.0
"},{"fixed":"2.4.0"}]}}],"versions":["1.0.0-alpha1","1.0.0-alpha2","1.0.0-beta1","1.3.0","1.3.1","1.3.2","1.3.3","1.3.4","1.3.5","1.3.6"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-41917.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/opensearch-project/security","events":[{"introduced":"cd6df074a44b5ebc1c22940e6d2d149f162f475c"},{"fixed":"aea96f2a966b566f1bffb36fbc005fb40e73be65"},{"introduced":"5e6457703a6609c556f357aafdb116f4a2f30c05"},{"fixed":"bca461296d1c54f49e4d139316c855f9ca37be26"}],"database_specific":{"versions":[{"introduced":"1.0.0"},{"fixed":"1.3.7"},{"introduced":"2.0.0"},{"fixed":"2.4.0"}]}}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-41917.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"}]}