CVE-2024-43794
📋 TL;DR
OpenSearch Dashboards Security Plugin versions before 1.3.19 (1.x line) and before 2.16.0 (2.x line) have an open redirect in the login flow: the post-login redirect target is taken from the request's nextUrl parameter without being confined to the Dashboards origin. An attacker can hand a user a crafted login link that, once the user authenticates on the genuine Dashboards host, sends the browser to an attacker-controlled site, which makes a convincing setup for phishing or credential theft. Any deployment running an unpatched version of the Security Plugin is affected.
💻 Affected Systems
- OpenSearch Dashboards Security Plugin
⚠️ Manual Verification Required
This CVE entry carries no machine-readable version range in our database, so automated detection that relies on it cannot decide whether your system is affected.
Why? The database entry does not encode which versions are vulnerable (no version ranges were imported from the vendor/NVD record). The fixed releases named in the vendor advisory (1.3.19 for 1.x, 2.16.0 for 2.x) and the checks under How to Verify are what to go by.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Users who have just authenticated on the real Dashboards login page are bounced to an attacker-controlled site that imitates Dashboards (for example a fake "session expired, sign in again" page), leading to credential theft, follow-on session compromise, or malware delivery.
Likely Case
Attackers distribute crafted login links to redirect authenticated users to phishing pages and harvest re-entered credentials. The Dashboards session cookie itself is not sent to the foreign origin, so the damage comes from what the user types on the attacker's page, not from the redirect alone.
If Mitigated
With a reverse proxy or WAF that rejects nextUrl values other than site-relative paths, network restrictions on who can reach Dashboards, and users who check the address bar before re-entering credentials, impact is limited to phishing attempts that are likely to be blocked or recognised.
🎯 Exploit Status
Exploitation requires user interaction: the victim must open a crafted login link and then authenticate. The attacker needs no credentials of their own; the flaw is in the redirect logic that runs after a successful login, and it fires with the victim's credentials.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.3.19 (1.x line) or 2.16.0 (2.x line)
Vendor Advisory: https://github.com/opensearch-project/security-dashboards-plugin/security/advisories/GHSA-3fph-6cqp-5mfc
Restart Required: Yes
Instructions:
1. Upgrade OpenSearch Dashboards to 1.3.19 or 2.16.0 (or later on the same line). The Security Plugin is bundled with the official distribution and versioned alongside it (plugin 2.16.0.0 ships with Dashboards 2.16.0); if the plugin was installed separately, upgrade the plugin itself.
2. Restart the OpenSearch Dashboards service.
3. Verify that the Security Plugin version now matches (or exceeds) the patched version.
🔧 Temporary Workarounds
Network Access Control
Restrict access to OpenSearch Dashboards to trusted networks only
User Awareness Training
Train users to verify URLs before entering credentials and to avoid clicking suspicious links
🧯 If You Can't Patch
- Implement strict network segmentation to limit access to OpenSearch Dashboards
- Deploy WAF or reverse-proxy rules in front of the login endpoint that reject requests whose nextUrl is not a site-relative path: absolute URLs (http..., https...), protocol-relative values (// or, encoded, %2F%2F), and backslash-prefixed variants (/\ or %2F%5C) are the usual open-redirect shapes
🔍 How to Verify
Check if Vulnerable:
Check the OpenSearch Dashboards Security Plugin version. If it is below 1.3.19 (for 1.x) or 2.16.0 (for 2.x), the system is vulnerable. The plugin version tracks the Dashboards version (plugin 2.16.0.0 ships with Dashboards 2.16.0), so the Dashboards version is a reasonable proxy; if the plugin was installed separately, check the plugin's own version. Compare versions numerically, not as strings, or 2.9.0 will sort after 2.16.0.
Check Version:
curl -s 'http://localhost:5601/api/status' | grep -o '"number":"[^"]*"'
(The version lives under version.number in the JSON response. If your deployment does not leave /api/status exempt from authentication, add -u user:password.)
Verify Fix Applied:
After patching, verify that the Security Plugin version reported in the OpenSearch Dashboards interface or via the API is 1.3.19 or 2.16.0, or later on the same release line.
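The version comparison described above, as an added worked example written for this page (not code from OpenSearch Dashboards or the Security Plugin): it parses the version string reported by /api/status, or the four-part plugin version such as 2.15.0.0, and compares it numerically against the fixed release on the same line, so 2.9.0 is correctly treated as older than 2.16.0. The status JSON is a constructed sample, and the function names are this example's own.

```javascript
// Added example for this page; not code from OpenSearch Dashboards or its Security Plugin.
// Fixed releases per the vendor advisory: 1.3.19 on the 1.x line, 2.16.0 on the 2.x line.
const FIXED_VERSIONS = { 1: [1, 3, 19], 2: [2, 16, 0] };

// Constructed sample of an /api/status response (trimmed; a real one carries more fields).
const SAMPLE_STATUS = JSON.stringify({
  name: 'dashboards-1',
  version: { number: '2.15.0', build_hash: 'deadbeef', build_number: 1, build_snapshot: false },
});

// Parse "2.15.0", "v2.15.0" or the plugin's four-part "2.15.0.0" into [major, minor, patch].
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:\.\d+)?$/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised version string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric, component-wise comparison: -1 if a < b, 0 if equal, 1 if a > b.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// true  -> older than the fix on its release line (vulnerable)
// false -> at or past the fix on its release line
// null  -> a release line the advisory does not name; check the advisory by hand
function isVulnerableVersion(v) {
  const ver = parseVersion(v);
  const fix = FIXED_VERSIONS[ver[0]];
  if (!fix) return null;
  return compareVersions(ver, fix) < 0;
}

// Take the raw /api/status body and report the version together with the verdict.
function assessStatusResponse(statusJson) {
  const number = JSON.parse(statusJson).version.number;
  return { version: number, vulnerable: isVulnerableVersion(number) };
}
```

Feed assessStatusResponse the live body of /api/status (for example by reading stdin in a small node -e wrapper), or pass the plugin's own version string to isVulnerableVersion. A null verdict means the release line is not one the advisory addresses, so the advisory must be consulted directly.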
📡 Detection & Monitoring
Log Indicators:
- Login requests (in reverse-proxy or Dashboards access logs) whose nextUrl parameter is an absolute URL, a protocol-relative value (//host, or %2F%2F encoded), or a backslash-prefixed value rather than a site-relative path
- Bursts of such requests from one client, or the same foreign host appearing in nextUrl across many users
Network Indicators:
- HTTP 302 responses from the login endpoint whose Location header points outside the Dashboards origin immediately after a successful authentication
SIEM Query:
event.category:web AND url.original:*nextUrl=* AND (url.original:*nextUrl=http* OR url.original:*nextUrl=//* OR url.original:*nextUrl=%2F%2F* OR url.original:*nextUrl=%2F%5C*)
This assumes the login requests (from the reverse proxy or Dashboards access log) are shipped to the SIEM in ECS form. Match on the shape of the nextUrl value rather than excluding a single known-good path such as /dashboard; an exclusion-based query flags every other legitimate site-relative target and drowns the real hits.
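The vulnerable-versus-hardened redirect check described in the TL;DR and Exploit Status sections, together with the log-based detection described just above, as one added example written for this page. It is not code from OpenSearch Dashboards or the Security Plugin: the naive check stands in for the general open-redirect mistake, the hardened check shows how a practitioner confines nextUrl to the Dashboards origin, and the same check is then run over constructed nginx-style access-log lines to flag attempts. DASHBOARDS_ORIGIN, the log format, the sample lines and all function names are this example's assumptions.

```javascript
// Added example for this page; not code from OpenSearch Dashboards or its Security Plugin.
// (1) a hardened validator for the post-login `nextUrl` target beside a naive one, and
// (2) that validator applied to access-log lines to flag open-redirect attempts.
const DASHBOARDS_ORIGIN = 'https://dashboards.example.internal'; // assumed deployment origin

// Naive check of the kind an open redirect stems from: anything with a leading slash
// is trusted. "//evil.example" and "/\evil.example" both pass, yet browsers resolve
// them to a foreign host.
function naiveNextUrlCheck(next) {
  return typeof next === 'string' && next.startsWith('/');
}

// Hardened check: resolve the value against our own origin and insist the result
// stays there. Absolute ("https://evil.example"), protocol-relative ("//evil.example")
// and backslash variants ("/\evil.example", which WHATWG URL parsing normalises to
// "//evil.example") all resolve to a foreign origin and are rejected.
function isSafeNextUrl(next, origin = DASHBOARDS_ORIGIN) {
  if (typeof next !== 'string' || !next.startsWith('/')) return false;
  let target;
  try {
    target = new URL(next, origin);
  } catch {
    return false; // unparseable: refuse rather than guess
  }
  return target.origin === new URL(origin).origin;
}

// What the login handler should send the browser to: the validated path (with its
// query and fragment) or a fixed landing page, never the raw parameter.
function resolvePostLoginRedirect(next, fallback = '/app/home') {
  if (!isSafeNextUrl(next)) return fallback;
  const t = new URL(next, DASHBOARDS_ORIGIN);
  return t.pathname + t.search + t.hash;
}

// Constructed nginx-style access-log lines (sample data, not from any real system).
const SAMPLE_LOG = [
  '203.0.113.5 - - [20/Aug/2024:10:00:01 +0000] "GET /app/login?nextUrl=%2Fapp%2Fhome HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '203.0.113.5 - - [20/Aug/2024:10:00:09 +0000] "GET /app/login?nextUrl=%2F%2Fevil.example%2Flogin HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '198.51.100.7 - - [20/Aug/2024:10:01:13 +0000] "GET /app/login?nextUrl=https%3A%2F%2Fevil.example%2F HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '198.51.100.7 - - [20/Aug/2024:10:01:20 +0000] "GET /app/login?nextUrl=%2F%5Cevil.example HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '192.0.2.9 - - [20/Aug/2024:10:02:00 +0000] "GET /app/dashboards HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
];

const REQUEST_RE = /"(?:GET|POST) (\S+) HTTP\/[\d.]+"/;

// Pull the percent-decoded nextUrl parameter out of one access-log line, or null.
function extractNextUrl(line) {
  const m = REQUEST_RE.exec(line);
  if (!m) return null;
  let req;
  try {
    req = new URL(m[1], DASHBOARDS_ORIGIN);
  } catch {
    return null;
  }
  return req.searchParams.get('nextUrl');
}

// Return {client, nextUrl} for every line whose nextUrl would leave our origin.
function findOpenRedirectAttempts(lines) {
  return lines
    .map((line) => ({ line, next: extractNextUrl(line) }))
    .filter(({ next }) => next !== null && !isSafeNextUrl(next))
    .map(({ line, next }) => ({ client: line.split(' ')[0], nextUrl: next }));
}
```

The validator relies on the same WHATWG URL parser browsers use, so whatever a browser would resolve to a foreign host is what gets rejected; a hand-written prefix check has to enumerate every slash and backslash trick and tends to miss one. The detection half decodes the parameter before judging it, which is why the %2F%2F and %2F%5C encodings in the sample lines are caught as well as the plain forms.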