[BUG]access Script Console Jenkins lead to do rce migrations.ci.opensearch.org

[shadihh9]

What is the bug?

A clear and concise description of the bug.
I found bug access Script Console Jenkins lead to do rce migrations.ci.opensearch.org

How can one reproduce the bug?

Steps to reproduce the behavior.
1- go to https://3.225.65.64/_script and see access Script
Console Jenkins lead to do rce migrations.ci.opensearch.org

and see

What is the expected behavior?

A clear and concise description of what you expected to happen.
can attacker access Script Console Jenkins lead to do rce migrations.ci.opensearch.org

What is your host/environment?

Operating system, version.

Do you have any screenshots?

If applicable, add screenshots to help explain your problem.

Do you have any additional context?

Add any other context about the problem.

[dblock]

Thanks for reporting this, please avoid reporting security-related issues on GitHub, see https://github.com/opensearch-project/.github/blob/main/SECURITY.md for how to report then. Someone will take a look.

[kumargu]

cc @cwperks (for covering in triage)

@shadihh9 I don't understand the the reference to migrations.ci.opensearch.org in the screenshot. Could you please follow the guidelines shared earlier; adding details around "What is the expected behavior?".

[sumobrian]

Hi @shadihh9 ,

Thank you for bringing this to our attention but I cannot reproduce any RCE from an anonymous user as I believe you are implying from the screenshot. Explicit steps may be helpful to determine if there is a vulnerability.

To clarify, while the _script endpoint is accessible, only authenticated users with admin privileges should be able to execute scripts. I have verified that this endpoint enforces both authentication and admin-level authorization for execution. Additionally, I have reviewed the list of admin users and confirmed that only current openSearch-migration maintainers possess the necessary permissions to execute scripts.

If you have evidence suggesting a security concern or unauthorized access, please provide additional details or steps to reproduce the issue for further investigation.

[sumobrian]

Closing this issue as unreproducible. @shadihh9, if you have evidence that this is still a problem, please provide detailed steps to reproduce. Thank you.

[peternied]

@shadihh9 Thanks for checking on the security of our systems, much appreciated. I wanted to make sure this wasn't lost - before posting any updates onto this issue please follow https://github.com/opensearch-project/.github/blob/main/SECURITY.md

If you discover a potential security issue in this project we ask that you notify the OpenSearch Security Team via email to security@opensearch.org. Please do not create/comment on a public GitHub issue.