CVE-2022-41906: Disable following redirects for webhooks by qreshi · Pull Request #507 · opensearch-project/notifications
OpenSearch Notifications is a notifications plugin for OpenSearch that enables other plugins to send notifications via Email, Slack, Amazon Chime, custom webhook and other channels. A potential SSRF issue in OpenSearch Notifications Plugin 2.2.0 and below could allow an existing privileged user to enumerate listening services or interact with configured resources via HTTP requests exceeding the Notification plugin's intended scope. OpenSearch 2.2.1+ contains the fix for this issue. There are currently no recommended workarounds.
Signed-off-by: Mohammad Qureshi [email protected]
Description
Disabling redirect handling for the HttpClient used when sending Notifications.
Issues Resolved
[List any issues this PR will resolve]
Check List
- Commits are signed per the DCO using --signoff
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.
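The fix described above turns off redirect following in the outbound HTTP client, so a webhook endpoint that answers with a 3xx cannot steer the plugin into contacting an address the operator never configured. The following is an added illustration of that defence, not code from the notifications plugin (which is written in Kotlin against Apache HttpClient, where the corresponding builder option is `disableRedirectHandling()`). It is written in Python for stand-alone execution: a constructed local server on 127.0.0.1 answers every webhook POST with a 302 to a placeholder internal URL, and the client surfaces the redirect as a delivery failure instead of following it. `REDIRECT_TARGET`, `send_webhook` and `demo` are names chosen for this example.

```python
"""Outbound webhook client that refuses to follow HTTP redirects.

Constructed example: a local server answers every POST with a 302 pointing at
a placeholder internal address; the client reports the 3xx and never follows it.
"""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Placeholder redirect target (constructed; never contacted by this code).
REDIRECT_TARGET = "http://internal.example.invalid/admin"


class RedirectingWebhook(BaseHTTPRequestHandler):
    """Constructed webhook endpoint that always redirects the caller."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        self.rfile.read(length)  # consume the JSON body
        self.send_response(302)
        self.send_header("Location", REDIRECT_TARGET)
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo output quiet


class NoRedirectHandler(urllib.request.HTTPRedirectHandler):
    """Disable redirect following: returning None makes urllib raise HTTPError
    for any 3xx instead of issuing a second request to the Location header."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def send_webhook(url, payload, timeout=5.0):
    """POST a JSON payload to the configured webhook URL.

    Returns (status, location): location is the Location header of a redirect
    that was refused (for logging/alerting), or None on a non-redirect reply.
    """
    body = json.dumps(payload).encode()
    req = urllib.request.Request(
        url, data=body, headers={"Content-Type": "application/json"}, method="POST"
    )
    # build_opener swaps the default HTTPRedirectHandler for our subclass.
    opener = urllib.request.build_opener(NoRedirectHandler)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, None
    except urllib.error.HTTPError as err:
        # A 3xx lands here because redirect_request returned None; treat it as
        # a failed delivery and record where the endpoint tried to send us.
        return err.code, err.headers.get("Location")


def start_server():
    """Start the constructed redirecting endpoint on an ephemeral local port."""
    server = HTTPServer(("127.0.0.1", 0), RedirectingWebhook)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def demo():
    """Run one delivery attempt against the redirecting endpoint."""
    server = start_server()
    try:
        url = f"http://127.0.0.1:{server.server_port}/webhook"
        return send_webhook(url, {"text": "test alert"})
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    status, location = demo()
    print(f"webhook returned {status}; refused redirect to {location}")
```

Treating any 3xx as a delivery failure, rather than silently dropping it, is what makes this useful operationally: the refused `Location` value is exactly the detail a defender wants logged when a configured channel starts behaving unexpectedly.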