Node.js vulnerabilities

We use Elasticsearch/Kibana and we continually have our scanners flagging Node.js vulnerabilities because the version of Node.js is present in our applications/on our nodes. The issue is Elastic has not called out any of these CVEs as impacting Elasticsearch or Kibana. So my assumption is that even though the version of Node.js that has open CVEs is present in our deployment, Elastic has determined the functionality impacted by this CVE is not used in Elasticsearch/Kibana. Or, Elasticsearch/Kibana is not impacted for some other reason. I am trying to test the assumption that if Elastic does not report they are impacted by a CVE then it's safe to assume the CVE is N/A. Furthermore, if the CVE is not listed here then it's N/A: Security Announcements - Discuss the Elastic Stack

CVE-2024-27983, CVE-2024-27982, CVE-2023-46809, CVE-2024-21890, CVE-2024-21891, CVE-2024-21892, CVE-2024-21896, CVE-2024-22017, CVE-2024-22019

Hey @jloas ,

Can you please share the Elastic Stack version you're using?

Also, please send any questions regarding security statements and CVEs to security@elastic.co. The team will happily provide you with the necessary information.

--
Oleg

8.13.2 basic free version. I know this has Node.js 20.12.1.

I see, please email security@elastic.co. I'm pretty sure we have official statements for all these CVEs (I recognize many of them), so that you don't have to guess.