Bug 1364389 (CVE-2016-1000220)

Summary: CVE-2016-1000220 kibana: XSS vulnerability ESA-2016-03
Product: [Other] Security Response
Reporter: Adam Mariš <amaris>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: aortega, apevec, ayoung, bleanhar, ccoleman, chrisw, cvsbot-xmlrpc, dedgar, dmcphers, jgoulding, jialiu, jkeck, joelsmith, jokerman, jschluet, kbasil, kseifried, lhh, lmeyer, lpeer, markmc, mmagr, mmccomas, mrunge, rbryant, sclewis, slong, tdawson, tdecacqu
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: kibana 4.5.4, kibana 4.1.11
Doc Type: If docs needed, set a value
Doc Text: A cross-site scripting (XSS) flaw was found in Kibana. A remote attacker could use this flaw to inject arbitrary web script into pages served to other users.
Story Points: ---
Last Closed: 2016-09-08 21:57:38 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1370891, 1370892
Bug Blocks: 1364395

Description Adam Mariš 2016-08-05 09:11:00 UTC
It was reported that versions of Kibana before 4.5.4 and 4.1.11 are vulnerable to an XSS attack that would allow an attacker to execute arbitrary JavaScript in users' browsers.

External Reference:

https://www.elastic.co/community/security

Comment 4 errata-xmlrpc 2016-09-08 16:23:25 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Enterprise 3.2
  Red Hat OpenShift Enterprise 3.1

Via RHSA-2016:1836 https://access.redhat.com/errata/RHSA-2016:1836