CVE-2025-62371 (CNNVD-202510-2097)

HIGH
中文标题:
OpenSearch Data Prepper 信任管理问题漏洞
英文标题:
OpenSearch Data Prepper plugins trusts all SSL certificates by default
CVSS分数: 7.4
发布时间: 2025-10-15 17:25:43
漏洞类型: 信任管理问题
状态: PUBLISHED
数据质量分数: 0.30
数据版本: v3
漏洞描述
中文描述:

OpenSearch Data Prepper是OpenSearch开源的一个 OpenSearch 项目的组件 OpenSearch Data Prepper 2.12.2之前版本存在信任管理问题漏洞,该漏洞源于OpenSearch sink和source插件默认信任所有SSL证书,可能导致中间人攻击。

英文描述:

OpenSearch Data Prepper as an open source data collector for observability data. In versions prior to 2.12.2, the OpenSearch sink and source plugins in Data Prepper trust all SSL certificates by default when no certificate path is provided. Prior to this fix, the OpenSearch sink and source plugins would automatically use a trust all SSL strategy when connecting to OpenSearch clusters if no certificate path was explicitly configured. This behavior bypasses SSL certificate validation, potentially allowing attackers to intercept and modify data in transit through man-in-the-middle attacks. The vulnerability affects connections to OpenSearch when the cert parameter is not explicitly provided. This issue has been patched in version 2.12.2. As a workaround, users can add the cert parameter to their OpenSearch sink or source configuration with the path to the cluster's CA certificate.

CWE类型:
CWE-295
标签:
(暂无数据)
受影响产品
厂商 产品 版本 版本范围 平台 CPE
opensearch-project data-prepper < 2.12.2 - - cpe:2.3:a:opensearch-project:data-prepper:<_2.12.2:*:*:*:*:*:*:*
解决方案
中文解决方案:
(暂无数据)
英文解决方案:
(暂无数据)
临时解决方案:
(暂无数据)
参考链接
https://github.com/opensearch-project/data-prepper/security/advisories/GHSA-43ff-rr26-8hx4 x_refsource_CONFIRM
cve.org
访问
https://github.com/opensearch-project/data-prepper/commit/98fcf0d0ff9c18f1f7501e11dbed918814724b99 x_refsource_MISC
cve.org
访问
https://github.com/opensearch-project/data-prepper/commit/b0386a5af3fb71094ba6c86cd8b2afc783246599 x_refsource_MISC
cve.org
访问
https://github.com/opensearch-project/data-prepper/commit/db11ce8f27ebca018980b2bca863f7173de9ce56 x_refsource_MISC
cve.org
访问
CVSS评分详情
3.1 (cna)
HIGH
7.4
CVSS向量: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
机密性
HIGH
完整性
HIGH
可用性
NONE
时间信息
发布时间:
2025-10-15 17:25:43
修改时间:
2025-10-15 18:13:42
创建时间:
2025-11-11 15:40:48
更新时间:
2025-11-11 16:00:17
利用信息
暂无可利用代码信息
数据源详情
数据源 记录ID 版本 提取时间
CVE cve_CVE-2025-62371 2025-11-11 15:23:33 2025-11-11 07:40:48
NVD nvd_CVE-2025-62371 2025-11-11 15:01:06 2025-11-11 07:48:35
CNNVD cnnvd_CNNVD-202510-2097 2025-11-11 15:12:59 2025-11-11 08:00:17
版本与语言
当前版本: v3
主要语言: EN
支持语言:
EN ZH
安全公告
暂无安全公告信息
变更历史
v3 CNNVD
2025-11-11 16:00:17
vulnerability_type: 未提取 → 信任管理问题; cnnvd_id: 未提取 → CNNVD-202510-2097; data_sources: ['cve', 'nvd'] → ['cnnvd', 'cve', 'nvd']
查看详细变更
  • vulnerability_type: 未提取 -> 信任管理问题
  • cnnvd_id: 未提取 -> CNNVD-202510-2097
  • data_sources: ['cve', 'nvd'] -> ['cnnvd', 'cve', 'nvd']
v2 NVD
2025-11-11 15:48:35
data_sources: ['cve'] → ['cve', 'nvd']
查看详细变更
  • data_sources: ['cve'] -> ['cve', 'nvd']