{"id":"CVE-2022-41918","summary":"Issue with fine-grained access control of indices backing data streams","details":"OpenSearch is a community-driven, open source fork of Elasticsearch and Kibana. There is an issue with the implementation of fine-grained access control rules (document-level security, field-level security and field masking) where they are not correctly applied to the indices that back data streams potentially leading to incorrect access authorization. OpenSearch 1.3.7 and 2.4.0 contain a fix for this issue. Users are advised to update. There are no known workarounds for this issue.","aliases":["GHSA-wmx7-x4jp-9jgg"],"modified":"2026-04-12T03:22:14.410625Z","published":"2022-11-15T00:00:00Z","database_specific":{"cna_assigner":"GitHub_M","cwe_ids":["CWE-612","CWE-863"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/41xxx/CVE-2022-41918.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/41xxx/CVE-2022-41918.json"},{"type":"ADVISORY","url":"https://github.com/opensearch-project/security/security/advisories/GHSA-wmx7-x4jp-9jgg"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-41918"},{"type":"FIX","url":"https://github.com/opensearch-project/security/commit/f7cc569c9d3fa5d5432c76c854eed280d45ce6f4"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/opensearch-project/security","events":[{"introduced":"0"},{"fixed":"aea96f2a966b566f1bffb36fbc005fb40e73be65"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.3.7"}]}},{"type":"GIT","repo":"https://github.com/opensearch-project/security","events":[{"introduced":"5e6457703a6609c556f357aafdb116f4a2f30c05"},{"fixed":"bca461296d1c54f49e4d139316c855f9ca37be26"}],"database_specific":{"versions":[{"introduced":"2.0.0"},{"fixed":"2.4.0"}]}}],"versions":["1.0.0.0","1.1.0.0","1.3.0.0","1.3.1.0","1.3.2.0","1.3.3.0","1.3.4.0","1.3.5.0","1.3.6.0","v0.7.0.0","v0.7.0.1","v0.8.0.0","v0.9.0.0","v1.0.0.0","v1.0.0.0-beta1","v1.0.0.0-beta1-rc1","v1.0.0.0-beta1-rc2","v1.0.0.0-beta1-rc3","v1.0.0.0-rc1","v1.0.1.0-OS-rc1","v1.1.0.0","v1.10.0.0-rc1","v1.10.1.0","v1.10.1.0-rc1","v1.10.1.0-rc2","v1.11.0.0","v1.11.0.0-rc1","v1.12.0.0","v1.12.0.0-rc","v1.13.0.0","v1.13.0.0-rc1","v1.13.0.0-rc2","v1.13.0.0-rc3","v1.13.0.0-rc4","v1.13.1.0","v1.13.1.0-rc1","v1.13.1.0-rc2","v1.3.0.0","v1.5.0.0","v1.5.0.1","v1.6.0.0","v1.7.0.0","v1.8.0.0","v1.9.0.0","v1.9.0.0-rc1","v1.9.0.0-rc2","v1.9.0.1"],"database_specific":{"vanir_signatures_modified":"2026-04-12T03:22:14Z","vanir_signatures":[{"signature_type":"Line","id":"CVE-2022-41918-0622182d","digest":{"line_hashes":["190802608251876723695708323815294798331","159406922189635889326075075414716807852","164487096438305919280300123055628806148","258208411350990867880503156928978156126","182745036320457048373697753478831981211","17165779382262712744817156828346306604","330447875107470999044063650182518584429","15026532455737383454346910345973196471","126453835876486614891207840059575025646","176032099326614279352436648928177379106","187664735698750655791313124692193036867","308083681216149547805348768138620704794","245688700287395083048807384280175191088","11715067545084007430906719122946934852","83266720936271841411945279822828016372","26454332986823529055480486263394149009","97254773761840406105600028925782585928","130023236597886479109613843791183799228","210807043238514916726357204964941549453","92319298434375625179872500794115071100","318310596345242875942157043850083316875"],"threshold":0.9},"deprecated":false,"target":{"file":"src/main/java/org/opensearch/security/securityconf/ConfigModelV7.java"},"signature_version":"v1","source":"https://github.com/opensearch-project/security/commit/bca461296d1c54f49e4d139316c855f9ca37be26"},{"signature_type":"Function","id":"CVE-2022-41918-14d12a58","digest":{"length":333,"function_hash":"69639218466026152453728481961233906034"},"deprecated":false,"target":{"file":"src/test/java/org/opensearch/security/IndexTemplateClusterPermissionsCheckTest.java","function":"testPutIndexTemplateByNonPrivilegedUser"},"signature_version":"v1","source":"https://github.com/opensearch-project/security/commit/bca461296d1c54f49e4d139316c855f9ca37be26"},{"signature_type":"Function","id":"CVE-2022-41918-29221d0d","digest":{"length":683,"function_hash":"292191050793919971982400736026026241825"},"deprecated":false,"target":{"file":"src/test/java/org/opensearch/security/securityconf/impl/v7/IndexPatternTests.java","function":"testExactName"},"signature_version":"v1","source":"https://github.com/opensearch-project/security/commit/bca461296d1c54f49e4d139316c855f9ca37be26"},{"signature_type":"Function","id":"CVE-2022-41918-3126e37c","digest":{"length":2007,"function_hash":"42028553468816119098304692570194140072"},"deprecated":false,"target":{"file":"src/test/java/org/opensearch/security/DataStreamIntegrationTests.java","function":"testBackingIndicesOfDataStream"},"signature_version":"v1","source":"https://github.com/opensearch-project/security/commit/bca461296d1c54f49e4d139316c855f9ca37be26"},{"signature_type":"Line","id":"CVE-2022-41918-4e6ed3c9","digest":{"line_hashes":["337821943607884718980452659685528701204","67191872127043099132258444719078617037","63006482482982091652990119475605508561","83331883392929994829512273928432570133","176118888984173788182812449208802022054","241648534402091179100818036210088933165","116340188457432394783552900946375185345","77013053618638369785840249788436408961","301350169197435810502204324930120037478","335601637235022838482248156221428411199","293460731607764669596222168145735287328","59553097003265650940303961354436638457","31857667226584150408061553680393776853","241648534402091179100818036210088933165","116340188457432394783552900946375185345","336217410529803106497308388795854054548","18881345243492272406900253402779917897","319102887999780372378638826515811820598","24180246899425561157268646521432359175","291888254206080354166150691576664889664","166231027250654263840814759471300605043","121780149104149545242255340641482989207","334273751201741764029112690256834324253","283658829666879120251365614861630876250","283426502094342689667712021711664278798","148187277847259279314034420529149718087","295969006678731434423048105450779667338","24363717504739476079761615660374335845","74037839276126673066563975321181321580","82181966604903415269491430497116992023","148876534904636559950672126720368763642","62494087033143423537386841888166257671","102460624254822870863044531768950552723","94734569692399912338025076943060097246","289299529954936096466336318947935218032","37617140684465608575215372628899118817","157840776341387863837567130103337397591","159709249847975097591092559366113646247","25633527858662141510583786564017553840","148187277847259279314034420529149718087","106382907464109697012837538732745198013","23024671739418634230097975022769456774","238297166626815656275027368843847093431","323799062011611067023954859620693380059","93483006094917618863886453929917042161","225653984646749616545553751711661899161","155469146650118624083371635112921719001","176048929374105487295123438466638738123","121917565465983165506608243880256882219","95014843800091961592270914521628273087","279468921564123468284645083004648545638","141766389755956915823986737878147858634","54624486682803109227916926808312146016"],"threshold":0.9},"deprecated":false,"target":{"file":"src/test/java/org/opensearch/security/securityconf/impl/v7/IndexPatternTests.java"},"signature_version":"v1","source":"https://github.com/opensearch-project/security/commit/bca461296d1c54f49e4d139316c855f9ca37be26"},{"signature_type":"Function","id":"CVE-2022-41918-5c573b56","digest":{"length":654,"function_hash":"239744325834366404844052919760374117565"},"deprecated":false,"target":{"file":"src/test/java/org/opensearch/security/securityconf/impl/v7/IndexPatternTests.java","function":"testExactNameWithNoMatches"},"signature_version":"v1","source":"https://github.com/opensearch-project/security/commit/bca461296d1c54f49e4d139316c855f9ca37be26"},{"signature_type":"Function","id":"CVE-2022-41918-6e060877","digest":{"length":730,"function_hash":"255065948523695992490388225525586125987"},"deprecated":false,"target":{"file":"src/test/java/org/opensearch/security/securityconf/impl/v7/IndexPatternTests.java","function":"testMultipleConcreteIndices"},"signature_version":"v1","source":"https://github.com/opensearch-project/security/commit/bca461296d1c54f49e4d139316c855f9ca37be26"},{"signature_type":"Function","id":"CVE-2022-41918-7e7401a4","digest":{"length":1027,"function_hash":"294108489770333174010132037324844163732"},"deprecated":false,"target":{"file":"src/main/java/org/opensearch/security/securityconf/ConfigModelV7.java","function":"getResolvedIndexPattern"},"signature_version":"v1","source":"https://github.com/opensearch-project/security/commit/bca461296d1c54f49e4d139316c855f9ca37be26"},{"signature_type":"Line","id":"CVE-2022-41918-906430fe","digest":{"line_hashes":["304839939921860648025146931493383880770","114824905897582127923213642326210500463","279282111741171071780837385092493668260","230484571854701085785817296781336459921","163031644383687259557961007999565872328","210306569907450714725336597611909073798","322967534684329559786359980029194356725","99764264942043381494496359371697479573","266456712856741126297076607667905475792","213028920204091298750111556879529391686","83265420109879833198405307683372454834","67429226484931028311238673280342925629","91105338395687701043839099980540564837","6450162401299574315445497086149522729"],"threshold":0.9},"deprecated":false,"target":{"file":"src/test/java/org/opensearch/security/DataStreamIntegrationTests.java"},"signature_version":"v1","source":"https://github.com/opensearch-project/security/commit/bca461296d1c54f49e4d139316c855f9ca37be26"},{"signature_type":"Function","id":"CVE-2022-41918-a5015401","digest":{"length":1193,"function_hash":"177015297970552032179796422297282209308"},"deprecated":false,"target":{"file":"src/test/java/org/opensearch/security/securityconf/impl/v7/IndexPatternTests.java","function":"testMultipleConcreteIndicesWithOneAlias"},"signature_version":"v1","source":"https://github.com/opensearch-project/security/commit/bca461296d1c54f49e4d139316c855f9ca37be26"},{"signature_type":"Line","id":"CVE-2022-41918-a89e203b","digest":{"line_hashes":["157639417100125556875140226556329778119","39332545010403953370335241303781971654","95895900298352061382906362055012717225","107195619093693570336330093161567756532","82797253965665218830239723304419389690","236978715830984851196280058505569856466"],"threshold":0.9},"deprecated":false,"target":{"file":"src/test/java/org/opensearch/security/PitIntegrationTests.java"},"signature_version":"v1","source":"https://github.com/opensearch-project/security/commit/bca461296d1c54f49e4d139316c855f9ca37be26"},{"signature_type":"Function","id":"CVE-2022-41918-a9f4437d","digest":{"length":1514,"function_hash":"335887108310174375250011577907427146906"},"deprecated":false,"target":{"file":"src/test/java/org/opensearch/security/PitIntegrationTests.java","function":"testDataStreamWithPits"},"signature_version":"v1","source":"https://github.com/opensearch-project/security/commit/bca461296d1c54f49e4d139316c855f9ca37be26"},{"signature_type":"Function","id":"CVE-2022-41918-cb02482a","digest":{"length":1352,"function_hash":"56268870803881870005230508140374584424"},"deprecated":false,"target":{"file":"src/test/java/org/opensearch/security/securityconf/impl/v7/IndexPatternTests.java","function":"testMultipleConcreteAliasedAndUnresolved"},"signature_version":"v1","source":"https://github.com/opensearch-project/security/commit/bca461296d1c54f49e4d139316c855f9ca37be26"},{"signature_type":"Line","id":"CVE-2022-41918-e5921c96","digest":{"line_hashes":["75923945005803513679238543808349686941","215197920071175680155699009676477820184","249951776961905760540647555739583814865","97768805283861829065334173221268237582","154707291322054563930136312590658826380"],"threshold":0.9},"deprecated":false,"target":{"file":"src/test/java/org/opensearch/security/IndexTemplateClusterPermissionsCheckTest.java"},"signature_version":"v1","source":"https://github.com/opensearch-project/security/commit/bca461296d1c54f49e4d139316c855f9ca37be26"}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-41918.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"}]}