[BUG] <title>security vulnerability cve-2024-28752

[bhupendra-mskhatri]

Describe the bug

A client of ours have reported vulnerability cve-2024-28752 in index/plugins/opensearch-security/cxf-core-4.0.3.jar.
Opensearch 2.13.0
Though we would be upgrading to opensearch 2.15.0, which has the fix, it would be helpful if someone could explain whether the vulnerability was exploitable in Opensearch 2.13.0.

Related component

Plugins

To Reproduce

1. Go to 'index/plugins/opensearch-security/'
2. You will find cxf-core-4.0.3.jar
3. As per https://nvd.nist.gov/vuln/detail/CVE-2024-28752 the cxf-core-4.0.3 version is vulnerable

Expected behavior

Would like to understand if the vulnerability is exploitable in Opensearch 2.13.0?

Additional Details

Plugins
Please list all plugins currently enabled.

Screenshots
If applicable, add screenshots to help explain your problem.

Host/Environment (please complete the following information):

• OS: windows

Additional context
Add any other context about the problem here.

[cwperks]

Hi @bhupendra-mskhatri, GHSA-qmgx-j96g-4428 does not impact the security plugin.

1. The CVE is associated with https://mvnrepository.com/artifact/org.apache.cxf/cxf-rt-databinding-aegis and the security repo does not have a dependency on this jar
2. In 2.13, the security plugin does not use the CXF dependency even though it is included in the zip. Since CXF is not used, it has since been removed

Closing this issue.