We use Elasticsearch/Kibana and we continually have our scanners flagging Node.js vulnerabilities because the version of Node.js is present in our applications/on our nodes. The issue is Elastic has not called out any of these CVEs as impacting Elasticsearch or Kibana. So my assumption is that even though the version of Node.js that has open CVEs is present in our deployment, Elastic has determined the functionality impacted by this CVE is not used in Elasticsearch/Kibana. Or, Elasticsearch/Kibana is not impacted for some other reason. I am trying to test the assumption that if Elastic does not report they are impacted by a CVE then it's safe to assume the CVE is N/A. Furthermore, if the CVE is not listed here then it's N/A: Security Announcements - Discuss the Elastic Stack
CVE-2024-27983, CVE-2024-27982, CVE-2023-46809, CVE-2024-21890, CVE-2024-21891, CVE-2024-21892, CVE-2024-21896, CVE-2024-22017, CVE-2024-22019