{
  "affected": [
    {
      "ranges": [
        {
          "database_specific": {
            "versions": [
              {
                "introduced": "0"
              },
              {
                "fixed": "1.3.19"
              }
            ]
          },
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "f779544a94c26f4efff1932a0d2d3ce744a455b8"
            }
          ],
          "repo": "https://github.com/opensearch-project/security-dashboards-plugin",
          "type": "GIT"
        },
        {
          "database_specific": {
            "versions": [
              {
                "introduced": "2.0.0"
              },
              {
                "fixed": "2.16.0"
              }
            ]
          },
          "events": [
            {
              "introduced": "44ff5875597ea263895778161a9b6a8ab571d919"
            },
            {
              "fixed": "dd6b6f695bcbb2aec7b790386d76ef76ddfefd97"
            }
          ],
          "repo": "https://github.com/opensearch-project/security-dashboards-plugin",
          "type": "GIT"
        }
      ]
    }
  ],
  "aliases": [
    "GHSA-3fph-6cqp-5mfc"
  ],
  "database_specific": {
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
      "CWE-601"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/43xxx/CVE-2024-43794.json"
  },
  "details": "OpenSearch Dashboards Security Plugin adds a configuration management UI for the OpenSearch Security features to OpenSearch Dashboards. Improper validation of the nextUrl parameter allows a specially crafted value to redirect the user to an external site on login to OpenSearch Dashboards (an open redirect, CWE-601). The issue is patched in 1.3.19 and 2.16.0; releases before 1.3.19, and 2.x releases from 2.0.0 up to but not including 2.16.0, are affected.",
  "id": "CVE-2024-43794",
  "modified": "2026-04-01T23:09:03.995266694Z",
  "published": "2024-08-23T16:15:58.428Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/43xxx/CVE-2024-43794.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/opensearch-project/security-dashboards-plugin/security/advisories/GHSA-3fph-6cqp-5mfc"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43794"
    },
    {
      "type": "FIX",
      "url": "https://github.com/opensearch-project/security-dashboards-plugin/commit/fc4f6a27c0c80881be9e8ed6b9259a25c3fa0e13"
    }
  ],
  "schema_version": "1.7.3",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OpenSearch Dashboards Security Plugin improper validation of nextUrl can lead to external redirect"
}