CVE – advisory

About Search Guard Security Advisories

An Search Guard Security Advisory (“SGSA”) is a notice from Search Guard/floragunn GmbH to its users of security issues with the Search Guard products. Search Guard/floragunn assigns both a CVE (since 2018) and an SGSA identifier to each advisory along with a summary and remediation and mitigation details.

For how to report a security issue please see Disclosure policy

(formerly SISG)
CVE Date
SGSA 16 CVE-2019-13416



When Cross Cluster Search (CCS) is enabled, authenticated users can gain read access to data they are not authorized to see

Update  6.x-24.3 floragunn
SGSA 15 CVE-2019-13417 2018-12-13

Field caps and mapping API leak field names (not values) for fields which are not allowed for the user because FLS was activated

Update   6.x-24.0 floragunn
SGSA 14 CVE-2019-13418 2018-12-13

Values of string arrays in data are not properly anonymized

Update   6.x-24.0 floragunn
SGSA 13 CVE-2018-20698 2018-11-12

Possible URL injection on login page when basePath is set

Update  Kibana plugin 6.x-16 floragunn
SGSA 12 CVE-2019-13421



REST API leak password hashes (not cleartext) for users endpoint

Update  6.x-23.1 Thorsten Lutz, SySS GmbH
SGSA 11 CVE-2019-13419 2018-09-14

For aggregations, clear text values of anonymised fields were leaked

Update 6.x-23.1 floragunn
SGSA 10 CVE-2019-13420 2018-01.18 Password dependent timing side channel in AuthCredentials Update 6.x-21.0 @madblobfish

A Kibana user could impersonate as kibanaserver user when providing wrong credentials

Update Kibana Plugin 5.6.8-7 and Kibana Plugin 6.x-12 Guy Moller
SGSA 8 CVE-2019-13422 2018-04-04

Redirect and XSS vulnerability in Kibana plugin

Update Kibana Plugin 5.6.8-7 and Kibana Plugin 6.x-12 Vineet Kumar
SGSA 7 n/a 2017-08-10

DLS/FLS leaking information when multitenancy module is installed and “do not fail on forbidden” is activated

Update or deactivate “do not fail on forbidden” SG v15 Guy Moller
SGSA 6 n/a 2017-02-13

FLS/DLS not working for regex index patterns

Update or avoid regex patterns SG v11 and DLS/FLS module v6 Guy Moller
SGSA 5 n/a 2017-01-03

Auditlog does not log all security relevant events

Update SG v10 Guy Moller
SGSA 4 n/a 2017-01-05

FLS/DLS not working for index patterns

Update SG v10 and DLS/FLS module v5 Matej Zerovnik
SGSA 3 n/a 2016-11-27

Wrong permissions resolution for certain index/type combinations

Update SG v9 Lucas Bremgartner
SGSA 2 n/a 2016-11-25

DLS not picked up when getting documents by ID#1

Update SG v9 and DLS/FLS module v5 Fabio Corneti
SGSA 1 n/a 2016-07-28

Authentication cache lead to password hashcode vulnerability #186

Update SG v4 Vladimir Gordiychuk

Search Guard Security Information

pmeloCVE – advisory