GHSA-3xgr-h5hq-7299
MEDIUMGeoIP processor disables SSL certificate validation when downloading databases
Blast Radius
org.opensearch.dataprepper.plugins:geoip-processorReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects Maven packages — download data is not available via public APIs for these ecosystems.
Description
Impact
The GeoIP processor in Data Prepper was configured to trust all SSL certificates and disable hostname verification when downloading GeoIP databases from HTTP URLs, making downloads vulnerable to man-in-the-middle attacks.
The GeoIP processor included a custom SSL implementation that completely bypassed certificate validation when downloading GeoIP databases from external sources. The initiateSSL() method incorrectly implemented an approach for trusting all certificates. Specifically it:
- Accepted all SSL certificates without validation
- Disabled server certificate verification
- Disabled client certificate verification
- Disabled hostname verification
This configuration made database downloads vulnerable to man-in-the-middle attacks, potentially allowing attackers to serve malicious GeoIP databases that could compromise the integrity of geolocation data processing.
Patches
Data Prepper 2.12.2 contains a fix for this issue.
Workarounds
If upgrading is not immediately possible:
- Use local GeoIP database files instead of downloading from HTTP URLs
- Ensure database downloads occur only over trusted networks
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| ☕Maven | org.opensearch.dataprepper.plugins:geoip-processor | ≥ 2.7.0&&< 2.12.2 | 2.12.2 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for org.opensearch.dataprepper.plugins:geoip-processor. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update org.opensearch.dataprepper.plugins:geoip-processor to 2.12.2 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-3xgr-h5hq-7299 is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-3xgr-h5hq-7299 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-3xgr-h5hq-7299. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-3xgr-h5hq-7299 in your dependencies?
O3 detects GHSA-3xgr-h5hq-7299 across Maven dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.