Security vulnerability in OpenSearch v2.15

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
opensearchproject/opensearch:2.15.0

Describe the issue:
The PRISMA scan for the latest version of OpenSearch has resulted in issues (1 high and 12 medium).
For example:

| CVE | Severity | CVSS | Package | Version | Fix status | Published | Discovered | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-32007 | high | 7.50 | org.apache.cxf_cxf-core | 4.0.4 | fixed in 4.0.5, 3.6.4, 3.5.9 (2 days ago) | 4 days | < 1 hour | An improper input validation of the p2c parameter in the Apache CXF JOSE code before 4.0.5, 3.6.4 and 3.5.9 allows an attacker to perform a de… |

Configuration:
opensearchproject/opensearch:2.15.0

Relevant Logs or Screenshots:

1 Like

Hi @Rakesh1,

Please create an issue in GitHub for OpenSearch Security:

Looks to be resolved in OpenSearch 2.16.0, as the Apache CXF libraries have been removed with: Remove unused dependancy Apache CXF by cwperks · Pull Request #4580 · opensearch-project/security · GitHub :slight_smile:

2 Likes
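To confirm whether a given OpenSearch distribution actually ships the flagged cxf-core jar, and whether that version sits below the fixed versions named in the scan finding, here is an added example (not code from this thread or from the OpenSearch project). It assumes the jars carry standard Maven `pom.properties` metadata and runs against a constructed sample directory; point `scan_lib_dir` at a real `lib/` directory to use it.

```python
import tempfile
import zipfile
from pathlib import Path

# Fixed versions listed in the scan finding for CVE-2024-32007, keyed by release branch.
CXF_CORE_FIXED = {(4, 0): (4, 0, 5), (3, 6): (3, 6, 4), (3, 5): (3, 5, 9)}
# Maven metadata entry that cxf-core jars carry; the artifact version is recorded here.
POM_PROPS = "META-INF/maven/org.apache.cxf/cxf-core/pom.properties"

def parse_version(text):
    # '4.0.4' -> (4, 0, 4); a qualifier such as '-SNAPSHOT' is dropped before parsing.
    return tuple(int(p) for p in text.split("-")[0].split("."))

def cxf_core_version(jar_path):
    # Return the version from the jar's Maven metadata, or None if it is not cxf-core.
    with zipfile.ZipFile(jar_path) as jar:
        if POM_PROPS not in jar.namelist():
            return None
        for line in jar.read(POM_PROPS).decode("utf-8").splitlines():
            key, sep, value = line.partition("=")
            if sep and key.strip() == "version":
                return value.strip()
    return None

def assess(version):
    # Compare against the fixed version on the same branch; other branches need manual review.
    parsed = parse_version(version)
    fixed = CXF_CORE_FIXED.get(parsed[:2])
    if fixed is None:
        return "no fixed version listed for this branch; review manually"
    return "affected" if parsed < fixed else "fixed"

def scan_lib_dir(lib_dir):
    # Map each cxf-core jar under lib_dir (e.g. an extracted OpenSearch lib/) to its verdict.
    findings = {}
    for jar in sorted(Path(lib_dir).rglob("*.jar")):
        version = cxf_core_version(jar)
        if version is not None:
            findings[jar.name] = (version, assess(version))
    return findings

def demo():
    # Constructed sample input: one cxf-core 4.0.4 jar and one unrelated jar.
    with tempfile.TemporaryDirectory() as tmp:
        with zipfile.ZipFile(Path(tmp) / "cxf-core-4.0.4.jar", "w") as jar:
            jar.writestr(POM_PROPS, "groupId=org.apache.cxf\nartifactId=cxf-core\nversion=4.0.4\n")
        with zipfile.ZipFile(Path(tmp) / "other-lib-1.0.jar", "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        return scan_lib_dir(tmp)  # -> {'cxf-core-4.0.4.jar': ('4.0.4', 'affected')}
```

An empty result from a real `lib/` directory is what the 2.16.0 removal should produce; a non-empty one tells you which jar and version is still present.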

When is 2.16 planned for release?

Hello @asatsi, the project is currently tracking to tomorrow as the latest possible release date: