CVE-2024-39900
Published: 09 July 2024
Summary
CVE-2024-39900 is a medium-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Opensearch Observability. Its CVSS base score is 5.4 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). The CVE ranks at the 42.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-2451
Vulnerability details
OpenSearch Dashboards Reports allows a ‘Report Owner’ to export and share reports from OpenSearch Dashboards. An issue in the OpenSearch reporting plugin allows unintended access to private tenant resources such as notebooks. The system did not properly check whether the user was the resource author when accessing resources in a private tenant, leading to potential data being revealed. The patches are included in OpenSearch 2.14.
Related Threats
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
CVE-2024-39900 is an improper authorization flaw that allows low-privileged users (those holding observability or reporting roles) to read, modify, or take ownership of private tenant resources such as notebooks when the resource ID is known. This enables exploitation of remote services, collection of data from databases and information repositories, and manipulation of stored data.
Mitigating Controls
Likely Mitigating Controls (AI)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.