{"id":"CVE-2023-45807","summary":"OpenSearch Issue with tenant read-only permissions","details":"OpenSearch is a community-driven, open source fork of Elasticsearch and Kibana following the license change in early 2021. There is an issue with the implementation of tenant permissions in OpenSearch Dashboards where authenticated users with read-only access to a tenant can perform create, edit and delete operations on index metadata of dashboards and visualizations in that tenant, potentially rendering them unavailable. This issue does not affect index data, only metadata. Dashboards correctly enforces read-only permissions when indexing and updating documents. This issue does not provide additional read access to data users don’t already have. This issue can be mitigated by disabling the tenants functionality for the cluster. Versions 1.3.14 and 2.11.0 contain a fix for this issue.","aliases":["GHSA-72q2-gwwf-6hrv"],"modified":"2026-02-13T02:38:50.948381Z","published":"2023-10-16T21:33:23.124Z","database_specific":{"cna_assigner":"GitHub_M","cwe_ids":["CWE-281"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/45xxx/CVE-2023-45807.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/45xxx/CVE-2023-45807.json"},{"type":"ADVISORY","url":"https://github.com/opensearch-project/security/security/advisories/GHSA-72q2-gwwf-6hrv"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-45807"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/opensearch-project/anomaly-detection","events":[{"introduced":"ce81e915882980d819780c83d8f767ca295fbbcb"},{"fixed":"35d476461feba246a2eea705e75d99553b495d0c"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-45807.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/opensearch-project/security","events":[{"introduced":"0"},{"fixed":"8924b34f9132297bfbd49fe447f2338b13a95108"},{"introduced":"5e6457703a6609c556f357aafdb116f4a2f30c05"},{"fixed":"bc03bd4746e3b1e23dec8d615d70e1d841cb6dc1"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-45807.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L"}]}