CVE Advisory

floragunn GmbH is the official CVE numbering authority for Search Guard. Any security related issue is published here.

About Search Guard Security Advisories

A Search Guard Security Advisory ("SGSA") is a notice from Search Guard/floragunn GmbH to its users about security issues in the Search Guard products. Search Guard/floragunn assigns both a CVE and an SGSA identifier to each advisory, along with a summary and remediation and mitigation details.

For how to report a security issue, please see the Disclosure Policy.

| SGSA ID (formerly SGSA) | CVE | Date disclosed | Vulnerability summary | Remediation summary | Fixed with | Reported by |
|---|---|---|---|---|---|---|
| SGSA 23 | | 2026-03-31 | The audit logging feature might log user credentials from users logging into Kibana | Update, or disable request-body logging, either globally (`searchguard.audit.log_request_body: false`) or specifically for the login endpoint (`searchguard.audit.ignore_request_bodies: ["/_searchguard/auth/session"]`) | FLX 4.1.0 | floragunn |
| SGSA 22 | | 2026-03-31 | Users without the necessary privileges can execute some management operations against data streams | Update, or configure `indices:admin/data_stream/modify` as an admin-only action | FLX 4.1.0 | floragunn |
| SGSA 21 | | 2026-03-31 | Specially crafted requests can redirect the user to an untrusted URL | Update | FLX 4.1.0 | floragunn |
| SGSA 20 | | 2025-12-01 | When enterprise modules are disabled, authenticated users can use specially crafted requests to read documents from data streams without having the respective privileges | Update | FLX 4.0.1 | floragunn |
| SGSA 19 | | 2025-11-14 | When a search is initiated from a Signals watch, DLS rules may not be properly enforced, resulting in access to protected documents within the queried indices | Update | FLX 3.1.3 | floragunn |
| SGSA 18 | | 2025-10-29 | When field masking (FM) is applied on fields of type IP, the document can still be searched using that IP field | Update | FLX 3.1.2 | floragunn |
| SGSA 17 | | 2025-10-29 | When field level security (FLS) is applied on fields that hold objects, the member attributes of that object remain available to search queries | Update | FLX 3.1.2 | floragunn |
| SGSA 16 | | 2019-03-19 | When Cross Cluster Search (CCS) is enabled, authenticated users can gain read access to data they are not authorized to see | Update | 6.x-24.3 | floragunn |
| SGSA 15 | | 2018-12-13 | Field caps and mapping API leak field names (not values) for fields which are not allowed for the user because FLS was activated | Update | 6.x-24.0 | floragunn |
| SGSA 14 | | 2018-12-13 | Values of string arrays in data are not properly anonymized | Update | 6.x-24.0 | floragunn |
| SGSA 13 | | 2018-03-19 | Possible URL injection on the login page when basePath is set | Update | Kibana plugin 6.x-16 | floragunn |
| SGSA 12 | CVE-2019-13421 / SYSS-2018-025 | 2018-08-24 | REST API leaks password hashes (not cleartext) for the users endpoint | Update | 6.x-23.1 | Thorsten Lutz, SySS GmbH |
| SGSA 11 | | 2018-09-14 | For aggregations, clear text values of anonymised fields were leaked | Update | 6.x-23.1 | floragunn |
| SGSA 10 | | 2018-01-18 | Password-dependent timing side channel in AuthCredentials | Update | 6.x-21.0 | @madblobfish |
| SGSA 9 | | 2018-04-09 | A Kibana user could impersonate the kibanaserver user when providing wrong credentials | Update | Kibana Plugin 5.6.8-7 and Kibana Plugin 6.x-12 | Guy Moller |
| SGSA 8 | | 2018-04-04 | Redirect and XSS vulnerability in the Kibana plugin | Update | Kibana Plugin 5.6.8-7 and Kibana Plugin 6.x-12 | Vineet Kumar |
| SGSA 7 | n/a | 2017-08-10 | DLS/FLS leaking information when the multitenancy module is installed and "do not fail on forbidden" is activated | Update, or deactivate "do not fail on forbidden" | SG v15 | Guy Moller |
| SGSA 6 | n/a | 2017-02-13 | FLS/DLS not working for regex index patterns | Update, or avoid regex patterns | SG v11 and DLS/FLS module v6 | Guy Moller |
| SGSA 5 | n/a | 2017-01-13 | Audit log does not log all security-relevant events | Update | SG v10 | Guy Moller |
| SGSA 4 | n/a | 2017-01-05 | FLS/DLS not working for index patterns | Update | SG v10 and DLS/FLS module v5 | Matej Zerovnik |
| SGSA 3 | n/a | 2016-11-27 | Wrong permissions resolution for certain index/type combinations | Update | 6.x-23.1 | Lucas Bremgartner |
| SGSA 2 | n/a | 2016-11-25 | DLS not picked up when getting documents by ID | Update | SG v9 and DLS/FLS module v5 | Fabio Corneti |
| SGSA 1 | n/a | 2016-07-28 | Authentication cache led to a password hashcode vulnerability | Update | SG v4 | Vladimir Gordiychuk |
