Unrated severityNVD Advisory· Published Nov 11, 2022· Updated Apr 23, 2025

OpenSearch Notifications is vulnerable to Server-Side Request Forgery (SSRF)

CVE-2022-41906

Description

OpenSearch Notifications is a notifications plugin for OpenSearch that enables other plugins to send notifications via Email, Slack, Amazon Chime, Custom web-hook etc channels. A potential SSRF issue in OpenSearch Notifications Plugin starting in 2.0.0 and prior to 2.2.1 could allow an existing privileged user to enumerate listening services or interact with configured resources via HTTP requests exceeding the Notification plugin's intended scope. OpenSearch 2.2.1+ contains the fix for this issue. There are currently no recommended workarounds.

Affected products

Opensearch Project/Notificationsv5
Range: >= 2.0.0, < 2.2.1

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/opensearch-project/notifications/pull/496mitrex_refsource_MISC
github.com/opensearch-project/notifications/pull/507mitrex_refsource_MISC
github.com/opensearch-project/notifications/security/advisories/GHSA-pfc4-3436-jgrwmitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000