Thanks for the clarification. I didn't want to get into the whole fork situation, as I know there are a lot of mixed feelings around it, and wanted to focus purely on the security implications.
To clarify, I encountered the plugin of ODFE and not OpenSearch, but it is a good note, and it is important to also check forks of open source projects such as OpenSearch to see if the same behavior occurs there and whether it was also fixed or is intended to be fixed in the future.
As for the cat API, I appreciate the comment. I will check into it and update accordingly so as not to confuse future readers.
Thanks, Rotem
ODFE, or Open Distro For Elasticsearch (henceforth OpenDistro) is not a plugin for Elasticsearch. The plugins you see with the cat API are OpenDistro plugins, not Elasticsearch ones, though they are derivations of plugins which had been written for Elasticsearch initially.
OpenDistro is—at the very least—a bundled collection of patches pasted directly on top of the open source releases of Elasticsearch code (up to version 7.10.2) and released as a separate entity that could be deployed as a stand-alone product. Because of this, OpenDistro could even be considered a fork of Elasticsearch. Indeed, since Elastic changed the licensing of Elasticsearch and Kibana to use the SSPL—thereby blocking OpenDistro from using Elasticsearch code as it had before—AWS is replacing OpenDistro with "OpenSearch" — a full fork of the last release of the Elasticsearch code that was Apache 2.0 licensed (7.10.2), and will be changing the name of its AWS Elasticsearch service to AWS OpenSearch.