Node.js vulnerabilities

jloas · May 8, 2024, 7:33pm

We use Elasticsearch/Kibana and we continually have our scanners flagging node.js vulnerabilities b/c the version of node.js is present in our applications/on our nodes. The issue is Elastic has not called out any of these CVE's as impacting Elasticsearch or Kibana. So my assumption is that even though the version of node.js that has open CVE's is present in our deployment, Elastic has determined the functionality impacted by this CVE is not used in Elasticsearch/Kibana. Or, Elasticsearch/Kibana is not impacted for some other reason. I am trying to test the assumption that if Elastic does not report they are impacted by a CVE then it's safe to assume the CVE is n/a. Furthermore, if the CVE is not listed here then it's N/A: Security Announcements - Discuss the Elastic Stack

CVE-2024-27983, CVE-2024-27982,CVE-2023-46809, CVE-2024-21890, CVE-2024-21891, CVE-2024-21892, CVE-2024-21896, CVE-2024-22017, CVE-2024-22019

azasypkin · May 10, 2024, 8:46am

Hey @jloas ,

Can you please share the Elastic Stack version you're using?

Also, please send any questions regarding security statements and CVEs to security@elastic.co. The team will happily provide you with the necessary information.

--
Oleg

jloas · May 10, 2024, 1:07pm

8.13.2 basic free version. I know this has node.js 20.12.1.

azasypkin · May 10, 2024, 2:30pm

I see, please email to security@elastic.co, I'm pretty sure we have official statements for all these CVEs (I recognize many of them) so that you don't have to guess.

Topic		Replies	Views
Kibana version 8.12.0 Vulnerabilities Kibana	2	275	May 3, 2024
ELK Security Kibana	6	84	August 26, 2024
Expected resolution for some vulnerabilities found Elasticsearch elastic-stack-security	1	42	November 9, 2024
Elastic Stack 6.8.7 and 7.6.1 security update Security Announcements	1	5961	November 4, 2022
Security Warning: Multiple Node.js Vulnerabilities Detected in Elasticsearch Kibana	0	72	August 14, 2024

Node.js vulnerabilities

Related topics