cve advisory
floragunn GmbH is the official CVE numbering authority for Search Guard. Any security related issue is published here.
About Search Guard Security Advisories
An Search Guard Security Advisory (“SGSA”) is a notice from Search Guard/floragunn GmbH to its users of security issues with the Search Guard products. Search Guard/floragunn assigns both a CVE and an SGSA identifier to each advisory along with a summary and remediation and mitigation details.
For how to report a security issue please see Disclosure Policy.
For how to report a security issue please see Disclosure Policy.
| SGSA ID (formerly SGSA) | CVE | date disclosed | Vulnerability Summary | Remediation Summary | fixed with | reported by |
|---|---|---|---|---|---|---|
| SGSA 16 | 2019-03-19 | When Cross Cluster Search (CCS) is enabled, authenticated users can gain read access to data they are not authorized to see | Update | 6.x-24.3 | floragunn | |
| SGSA 15 | 2018-12-13 | Field caps and mapping API leak field names (not values) for fields which are not allowed for the user because FLS was activated | Update | 6.x-24.0 | floragunn | |
| SGSA 14 | 2018-12-13 | Values of string arrays in data are not properly anonymized | Update | 6.x-24.0 | floragunn | |
| SGSA 13 | 2018-03-19 | Possible URL injection on login page when basePath is set | Update | Kibana plugin 6.x-16 | floragunn | |
| SGSA 12 | 2018-08-24 | REST API leak password hashes (not cleartext) for users endpoint | Update | 6.x-23.1 | Thorsten Lutz, SySS GmbH | |
| SGSA 11 | 2018-09-14 | For aggregations, clear text values of anonymised fields were leaked | Update | 6.x-23.1 | floragunn | |
| SGSA 10 | 2018-01-18 | Password dependent timing side channel in AuthCredentials | Update | 6.x-21.0 | @madblobfish | |
| SGSA 9 | 2018-04-09 | A Kibana user could impersonate as kibanaserver user when providing wrong credentials | Update | Kibana Plugin 5.6.8-7 and Kibana Plugin 6.x-12 | Guy Moller | |
| SGSA 8 | 2018-04-04 | Redirect and XSS vulnerability in Kibana plugin | Update | Kibana Plugin 5.6.8-7 and Kibana Plugin 6.x-12 | Vineet Kumar | |
| SGSA 7 | n/a | 2017-08-10 | DLS/FLS leaking information when multitenancy module is installed and “do not fail on forbidden” is activated | Update or deactivate “do not fail on forbidden” | SG v15 | Guy Moller |
| SGSA 6 | n/a | 2017-02-13 | FLS/DLS not working for regex index patterns | Update or avoid regex patterns | SG v11 and DLS/FLS module v6 | Guy Moller |
| SGSA 5 | n/a | 2017-01-13 | Auditlog does not log all security relevant events | Update | SG V10 | Guy Moller |
| SGSA 4 | n/a | 2017-01-05 | FLS/DLS not working for index patterns | Update | SG v10 and DLS/FLS module v5 | Matej Zerovnik |
| SGSA 3 | n/a | 2016-11-27 | Wrong permissions resolution for certain index/type combinations | Update | 6.x-23.1 | Lucas Bremgartner |
| SGSA 2 | n/a | 2016-11-25 | DLS not picked up when getting documents by ID | Update | SG v9 and DLS/FLS module v5 | Fabio Corneti |
| SGSA 1 | n/a | 2016-07-28 | Authentication cache lead to password hashcode vulnerability | Update | SG V4 | Vladimir Gordiychuk |
Search Guard Security Information
Access public keys, CVE advisory and disclosure policy.
see security information
