Hello,
Thank you for your message about the CVEs reported in OpenSearch/OpenSearch Dashboards. After a thorough review we have determined that the latest version (2.5.0) is not impacted by the following CVEs:
CVE-2020-36604,
CVE-2022-46364,
CVE-2022-46363,
CVE-2022-41881
In addition, the following CVEs will be addressed by including updated versions of the relevant libraries and any necessary fixes in the upcoming 2.6.0 release, with a tentative target release date of 2/28:
CVE-2022-46175,
CVE-2017-20165,
CVE-2022-37603,
CVE-2022-37599
Thanks,
Dave.