[GHSA-mw3v-mmfw-3x2g] OpenSearch is vulnerable to DoS via complex query_string inputs#6488
Conversation
There was a problem hiding this comment.
Pull request overview
This PR updates the security advisory GHSA-mw3v-mmfw-3x2g to correct the affected version ranges for an OpenSearch DoS vulnerability. The update clarifies that the vulnerability affects versions 3.0.0 to 3.3.0 (not from version 0), and adds a second affected product range covering versions 0 to 2.19.4.
Key changes:
- Corrected the version range for the first affected product to start from 3.0.0 instead of 0
- Added a second affected product entry covering the 2.x version range with fix in 2.19.4
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| "introduced": "0" | ||
| }, | ||
| { | ||
| "fixed": "2.19.4" |
There was a problem hiding this comment.
The fixed version '2.19.4' appears inconsistent with the PR description, which states the fix is included in version 2.9.14. The description mentions 'This is included in 2.9.14' but the JSON specifies 2.19.4 as the fixed version. Please verify which version number is correct.
| "fixed": "2.19.4" | |
| "fixed": "2.9.14" |
There was a problem hiding this comment.
I made a typo in the PR description, it is indeed meant to be 2.19.4.
github-actions
bot
changed the base branch from
main
to
RafSobol/advisory-improvement-6488
advisory-database
bot
merged commit 7e809c5
into
RafSobol/advisory-improvement-6488
|
Hi @RafSobol! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future! |
Updates
Comments
This vulnerability is resolved by not only 3.3.0, but also 2.19.4.
PR that fixed it in 3.3.x: opensearch-project/OpenSearch#19491
This is included in 2.19.4: https://github.com/opensearch-project/OpenSearch/releases/tag/2.19.4