ALT-PU-2025-9506-2
Package opensearch updated to version 3.1.0-alt3 for branch p11 in task 390473.
Closed vulnerabilities
BDU:2024-06239
Уязвимость конфигурации server.maxHeadersCount() клиент-серверной библиотеки ws программной платформы Node.js, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2024-09420
Уязвимость программного пакета OpenSearch, связанная с перенаправлением URL на ненадежный сайт, позволяющая нарушителю перенаправить пользователя на вредоносный сайт
BDU:2024-09427
Уязвимость библиотеки braces, связанная с неконтролируемым потреблением ресурсов, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2025-05017
Уязвимость механизма PSL validation клиентского модуля Apache HttpClient средства Apache HttpComponents, позволяющая нарушителю осуществить CSRF-атаку
BDU:2025-08195
Уязвимость программного пакета OpenSearch, связанная с непринятием мер по защите структуры веб-страницы, позволяющая нарушителю выполнить произвольный код
Modified: 2024-11-21
CVE-2024-37890
ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (eeb76d3), and ws@5.2.4 (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. 2. Set server.maxHeadersCount to 0 so that no limit is applied.
- https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f
- https://github.com/websockets/ws/commit/4abd8f6de4b0b65ef80b3ff081989479ed93377e
- https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c
- https://github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63
- https://github.com/websockets/ws/issues/2230
- https://github.com/websockets/ws/pull/2231
- https://github.com/websockets/ws/security/advisories/GHSA-3h5v-q93c-6h6q
- https://nodejs.org/api/http.html#servermaxheaderscount
- https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f
- https://github.com/websockets/ws/commit/4abd8f6de4b0b65ef80b3ff081989479ed93377e
- https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c
- https://github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63
- https://github.com/websockets/ws/issues/2230
- https://github.com/websockets/ws/pull/2231
- https://github.com/websockets/ws/security/advisories/GHSA-3h5v-q93c-6h6q
- https://nodejs.org/api/http.html#servermaxheaderscount
Modified: 2025-08-04
CVE-2024-4068
The NPM package `braces`, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In `lib/parse.js,` if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.
- https://devhub.checkmarx.com/cve-details/CVE-2024-4068/
- https://github.com/micromatch/braces/commit/415d660c3002d1ab7e63dbf490c9851da80596ff
- https://github.com/micromatch/braces/issues/35
- https://github.com/micromatch/braces/pull/37
- https://github.com/micromatch/braces/pull/40
- https://devhub.checkmarx.com/cve-details/CVE-2024-4068/
- https://github.com/micromatch/braces/commit/415d660c3002d1ab7e63dbf490c9851da80596ff
- https://github.com/micromatch/braces/issues/35
- https://github.com/micromatch/braces/pull/37
- https://github.com/micromatch/braces/pull/40
Modified: 2024-08-23
CVE-2024-43794
OpenSearch Dashboards Security Plugin adds a configuration management UI for the OpenSearch Security features to OpenSearch Dashboards. Improper validation of the nextUrl parameter can lead to external redirect on login to OpenSearch-Dashboards for specially crafted parameters. A patch is available in 1.3.19 and 2.16.0 for this issue.
CVE-2024-54160
dashboards-reporting (aka Dashboards Reports) before 2.19.0.0, as shipped in OpenSearch before 2.19, allows XSS because Markdown is not sanitized when previewing a header or footer.
- https://github.com/Jflye/CVE-2024-54160--Opensearch-HTML-Injection
- https://github.com/opensearch-project/dashboards-reporting/compare/2.18.0.0...2.19.0.0
- https://github.com/opensearch-project/dashboards-reporting/pull/476
- https://github.com/opensearch-project/opensearch-build/blob/main/release-notes/opensearch-release-notes-2.19.0.md
- https://opensearch.org/releases.html
Modified: 2025-07-16
CVE-2025-27820
A bug in PSL validation logic in Apache HttpClient 5.4.x disables domain checks, affecting cookie management and host name verification. Discovered by the Apache HttpClient team. Fixed in the 5.4.3 release