CVE-2025-62371
BaseFortify
Publication date: 2025-10-15
Last updated on: 2025-12-04
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| amazon | opensearch_data_prepper | up to 2.12.2 (exclusive) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-295 | The product does not validate, or incorrectly validates, a certificate. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability occurs in OpenSearch Data Prepper versions prior to 2.12.2, where the OpenSearch sink and source plugins trust all SSL certificates by default if no certificate path is provided. This means SSL certificate validation is bypassed, allowing attackers to potentially intercept and modify data in transit through man-in-the-middle attacks.
How can this vulnerability impact me?
The vulnerability can allow attackers to perform man-in-the-middle attacks by intercepting and modifying data transmitted between Data Prepper and OpenSearch clusters. This compromises the confidentiality and integrity of the data being collected and sent, potentially leading to data breaches or corrupted observability data.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade OpenSearch Data Prepper to version 2.12.2 or later. Alternatively, as a workaround, explicitly configure the OpenSearch sink or source plugins with the cert parameter pointing to the cluster's CA certificate to ensure SSL certificate validation is enforced.
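An added example (not BaseFortify's or the Data Prepper project's own code) that audits an already-parsed Data Prepper pipeline configuration for opensearch sink or source plugins missing the cert parameter, which is the condition under which the vulnerable versions fall back to trusting any certificate. It assumes the parsed YAML is a dict of pipeline names to source/sink blocks and that cert may appear either directly under the plugin or under a nested connection block; the sample configuration is constructed.

```python
# Added example (not BaseFortify's or Data Prepper's code): audit a parsed Data Prepper
# pipeline configuration for opensearch sink/source plugins that omit the `cert` parameter,
# the setting whose absence triggers the trust-all behaviour described in CVE-2025-62371.
# Assumed layout: `cert` sits directly under the plugin block (sink style) or under a
# nested `connection` block (source style); both count as configured.

AFFECTED_PLUGINS = {"opensearch"}  # sink and source plugins named by the advisory

def _has_cert(plugin_cfg):
    """True if a CA certificate path is configured for this plugin instance."""
    if not isinstance(plugin_cfg, dict):
        return False
    if plugin_cfg.get("cert"):
        return True
    conn = plugin_cfg.get("connection")
    return isinstance(conn, dict) and bool(conn.get("cert"))

def find_unverified_tls(pipelines):
    """Return [(pipeline, role, index)] for each opensearch sink/source lacking `cert`.
    `pipelines` is pipelines.yaml already parsed: {name: {"source": {...}, "sink": [...]}}."""
    findings = []
    for name, pipe in pipelines.items():
        if not isinstance(pipe, dict):
            continue
        for role in ("source", "sink"):
            entries = pipe.get(role)
            if isinstance(entries, dict):  # a source is a single plugin mapping
                entries = [entries]
            for idx, entry in enumerate(entries or []):
                for plugin, cfg in entry.items():
                    if plugin in AFFECTED_PLUGINS and not _has_cert(cfg):
                        findings.append((name, role, idx))
    return findings

# Constructed sample mirroring a parsed pipelines.yaml: first sink fixed, second not,
# plus an opensearch source that relies on the insecure default.
SAMPLE = {
    "logs-pipeline": {
        "source": {"http": {"port": 2021}},
        "sink": [
            {"opensearch": {"hosts": ["https://os1:9200"], "cert": "/etc/dp/ca.pem"}},
            {"opensearch": {"hosts": ["https://os2:9200"]}},  # vulnerable default
        ],
    },
    "reindex-pipeline": {
        "source": {"opensearch": {"hosts": ["https://os3:9200"]}},  # no cert anywhere
        "sink": [{"stdout": {}}],
    },
}
```

Running find_unverified_tls over a real deployment's parsed pipelines.yaml lists every plugin instance that still needs the cert workaround until the upgrade to 2.12.2 lands.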