CVE – advisory

About Search Guard Security Advisories

A Search Guard Security Advisory (“SGSA”) is a notice from Search Guard/floragunn GmbH to its users about security issues in the Search Guard products. Search Guard/floragunn assigns both a CVE and an SGSA identifier to each advisory, along with a summary and remediation and mitigation details.

For how to report a security issue, please see the Disclosure policy.

| SGSA (formerly SISG) | CVE | Date | Issue | Remediation | Fixed in | Reported by |
|---|---|---|---|---|---|---|
| SISG 16 | | 2019-03-19 | When Cross Cluster Search (CCS) is enabled, authenticated users can gain read access to data they are not authorized to see | Update | 6.x-24.3 | floragunn |
| SISG 15 | | 2018-12-13 | Field caps and mapping API leak field names (not values) for fields which are not allowed for the user because FLS was activated | Update | 6.x-24.0 | floragunn |
| SISG 14 | | 2018-12-13 | Values of string arrays in data are not properly anonymized | Update | 6.x-24.0 | floragunn |
| SISG 13 | | 2018-11-12 | Possible URL injection on login page when basePath is set | Update | Kibana plugin 6.x-16 | floragunn |
| SISG 12 | SYSS-2018-025 | 2018-08-24 | REST API leaks password hashes (not cleartext) for users endpoint | Update | 6.x-23.1 | Thorsten Lutz, SySS GmbH |
| SISG 11 | | 2018-09-14 | For aggregations, clear text values of anonymised fields were leaked | Update | 6.x-23.1 | floragunn |
| SISG 10 | | 2018-01-18 | Password dependent timing side channel in AuthCredentials | Update | 6.x-21.0 | @madblobfish |
| SISG 9 | | 2018-04-09 | A Kibana user could impersonate the kibanaserver user when providing wrong credentials | Update | Kibana Plugin 5.6.8-7 and Kibana Plugin 6.x-12 | Guy Moller |
| SISG 8 | | 2018-04-04 | Redirect and XSS vulnerability in Kibana plugin | Update | Kibana Plugin 5.6.8-7 and Kibana Plugin 6.x-12 | Vineet Kumar |
| SISG 7 | | 2017-08-10 | DLS/FLS leaking information when multitenancy module is installed and “do not fail on forbidden” is activated | Update or deactivate “do not fail on forbidden” | SG v15 | Guy Moller |
| SISG 6 | | 2017-02-13 | FLS/DLS not working for regex index patterns | Update or avoid regex patterns | SG v11 and DLS/FLS module v6 | Guy Moller |
| SISG 5 | | 2017-01-03 | Auditlog does not log all security relevant events | Update | SG v10 | Guy Moller |
| SISG 4 | | 2017-01-05 | FLS/DLS not working for index patterns | Update | SG v10 and DLS/FLS module v5 | Matej Zerovnik |
| SISG 3 | | 2016-11-27 | Wrong permissions resolution for certain index/type combinations | Update | SG v9 | Lucas Bremgartner |
| SISG 2 | | 2016-11-25 | DLS not picked up when getting documents by ID #1 | Update | SG v9 and DLS/FLS module v5 | Fabio Corneti |
| SISG 1 | | 2016-07-28 | Authentication cache leads to password hashcode vulnerability #186 | Update | SG v4 | Vladimir Gordiychuk |

Search Guard Security Information