VYPR
Moderate severityNVD Advisory· Published Mar 2, 2023· Updated Mar 5, 2025

Time discrepancy in authentication responses in OpenSearch

CVE-2023-25806

Description

OpenSearch Security is a plugin for OpenSearch that offers encryption, authentication and authorization. There is an observable discrepancy in the authentication response time between calls where the user provided exists and calls where it does not. This issue only affects calls using the internal basic identity provider (IdP), and not other externally configured IdPs. Patches were released in versions 1.3.9 and 2.6.0, there are no workarounds.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
org.opensearch.plugin:opensearch-securityMaven
< 1.3.91.3.9
org.opensearch.plugin:opensearch-securityMaven
>= 2.0.0, < 2.6.02.6.0

Affected products

2

Patches

Vulnerability mechanics

References

5

News mentions

0

No linked articles in our index yet.