cve advisory

floragunn GmbH is the official CVE numbering authority for Search Guard. Any security related issue is published here.

About Search Guard Security Advisories
An Search Guard Security Advisory (“SGSA”) is a notice from Search Guard/floragunn GmbH to its users of security issues with the Search Guard products. Search Guard/floragunn assigns both a CVE and an SGSA identifier to each advisory along with a summary and remediation and mitigation details.

For how to report a security issue please see Disclosure Policy.
SGSA ID (formerly SGSA)CVEdate disclosedVulnerability SummaryRemediation Summaryfixed withreported by
SGSA 162019-03-19When Cross Cluster Search (CCS) is enabled, authenticated users can gain read access to data they are not authorized to seeUpdate6.x-24.3floragunn
SGSA 152018-12-13Field caps and mapping API leak field names (not values) for fields which are not allowed for the user because FLS was activatedUpdate6.x-24.0floragunn
SGSA 142018-12-13Values of string arrays in data are not properly anonymizedUpdate6.x-24.0floragunn
SGSA 132018-03-19Possible URL injection on login page when basePath is setUpdateKibana plugin 6.x-16floragunn
SGSA 12
CVE-2019-13421

SYSS-2018-025
2018-08-24REST API leak password hashes (not cleartext) for users endpointUpdate6.x-23.1Thorsten Lutz, SySS GmbH
SGSA 112018-09-14For aggregations, clear text values of anonymised fields were leakedUpdate6.x-23.1floragunn
SGSA 102018-01-18Password dependent timing side channel in AuthCredentialsUpdate6.x-21.0@madblobfish
SGSA 92018-04-09A Kibana user could impersonate as kibanaserver user when providing wrong credentialsUpdateKibana Plugin 5.6.8-7 and Kibana Plugin 6.x-12Guy Moller
SGSA 82018-04-04Redirect and XSS vulnerability in Kibana pluginUpdateKibana Plugin 5.6.8-7 and Kibana Plugin 6.x-12Vineet Kumar
SGSA 7n/a2017-08-10DLS/FLS leaking information when multitenancy module is installed and “do not fail on forbidden” is activatedUpdate or deactivate “do not fail on forbidden”SG v15Guy Moller
SGSA 6n/a2017-02-13FLS/DLS not working for regex index patternsUpdate or avoid regex patternsSG v11 and DLS/FLS module v6Guy Moller
SGSA 5n/a2017-01-13Auditlog does not log all security relevant eventsUpdateSG V10Guy Moller
SGSA 4n/a2017-01-05FLS/DLS not working for index patternsUpdateSG v10 and DLS/FLS module v5Matej Zerovnik
SGSA 3n/a2016-11-27Wrong permissions resolution for certain index/type combinationsUpdate6.x-23.1Lucas Bremgartner
SGSA 2n/a2016-11-25DLS not picked up when getting documents by IDUpdateSG v9 and DLS/FLS module v5Fabio Corneti
SGSA 1n/a2016-07-28Authentication cache lead to password hashcode vulnerabilityUpdateSG V4Vladimir Gordiychuk
ct icon
Search Guard Security Information
Access public keys, CVE advisory and disclosure policy.
arrow icon
follow us
twitter iconfacebook iconlinkedIn iconyoutube icon
stay updated
For the latest product developments, new versions and cybersecurity news, sign up to our newsletter.