SGSA 16 | | 2019-03-19 | When Cross Cluster Search (CCS) is enabled, authenticated users can gain read access to data they are not authorized to see | Update | 6.x-24.3 | floragunn |
SGSA 15 | | 2018-12-13 | Field caps and mapping API leak field names (not values) for fields which are not allowed for the user because FLS was activated | Update | 6.x-24.0 | floragunn |
SGSA 14 | | 2018-12-13 | Values of string arrays in data are not properly anonymized | Update | 6.x-24.0 | floragunn |
SGSA 13 | | 2018-03-19 | Possible URL injection on login page when basePath is set | Update | Kibana plugin 6.x-16 | floragunn |
SGSA 12 | | 2018-08-24 | REST API leaks password hashes (not cleartext) for users endpoint | Update | 6.x-23.1 | Thorsten Lutz, SySS GmbH |
SGSA 11 | | 2018-09-14 | For aggregations, clear text values of anonymised fields were leaked | Update | 6.x-23.1 | floragunn |
SGSA 10 | | 2018-01-18 | Password dependent timing side channel in AuthCredentials | Update | 6.x-21.0 | @madblobfish |
SGSA 9 | | 2018-04-09 | A Kibana user could impersonate the kibanaserver user when providing wrong credentials | Update | Kibana Plugin 5.6.8-7 and Kibana Plugin 6.x-12 | Guy Moller |
SGSA 8 | | 2018-04-04 | Redirect and XSS vulnerability in Kibana plugin | Update | Kibana Plugin 5.6.8-7 and Kibana Plugin 6.x-12 | Vineet Kumar |
SGSA 7 | n/a | 2017-08-10 | DLS/FLS leaking information when multitenancy module is installed and “do not fail on forbidden” is activated | Update or deactivate “do not fail on forbidden” | SG v15 | Guy Moller |
SGSA 6 | n/a | 2017-02-13 | FLS/DLS not working for regex index patterns | Update or avoid regex patterns | SG v11 and DLS/FLS module v6 | Guy Moller |
SGSA 5 | n/a | 2017-01-13 | Auditlog does not log all security-relevant events | Update | SG V10 | Guy Moller |
SGSA 4 | n/a | 2017-01-05 | FLS/DLS not working for index patterns | Update | SG v10 and DLS/FLS module v5 | Matej Zerovnik |
SGSA 3 | n/a | 2016-11-27 | Wrong permissions resolution for certain index/type combinations | Update | 6.x-23.1 | Lucas Bremgartner |
SGSA 2 | n/a | 2016-11-25 | DLS not picked up when getting documents by ID | Update | SG v9 and DLS/FLS module v5 | Fabio Corneti |
SGSA 1 | n/a | 2016-07-28 | Authentication cache leads to password hashcode vulnerability | Update | SG V4 | Vladimir Gordiychuk |