Bug 1865760 (CVE-2020-7017)

Summary: CVE-2020-7017 kibana: stored XSS in region map visualization
Product: [Other] Security Response Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aos-bugs, bmontgom, eparis, jburrell, jcantril, jokerman, nstielau, sponnaga, vkumar
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: kibana 7.8.1, kibana 6.8.11 Doc Type: If docs needed, set a value
Doc Text:
A stored Cross-site scripting (XSS) flaw was found in the region map visualization in kibana. This flaw allows an attacker who can edit or create a region map visualization to obtain sensitive information or perform destructive actions on behalf of kibana users who view the region map visualization. The highest threat from this vulnerability is to confidentiality, integrity, and system availability.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-28 08:25:45 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1871828, 1871829    
Bug Blocks: 1865761    

Description Dhananjay Arunesh 2020-08-04 04:55:58 UTC 
In Kibana versions before 6.8.11 and 7.8.1 the region map visualization in contains a stored XSS flaw. An attacker who is able to edit or create a region map visualization could obtain sensitive information or perform destructive actions on behalf of Kibana users who view the region map visualization.

References:
https://discuss.elastic.co/t/elastic-stack-6-8-11-and-7-8-1-security-update/242786
https://www.elastic.co/community/security/
Comment 3 Przemyslaw Roguski 2020-08-21 17:15:14 UTC 
External References:

https://discuss.elastic.co/t/elastic-stack-6-8-11-and-7-8-1-security-update/242786
https://www.elastic.co/community/security/
Comment 7 Przemyslaw Roguski 2020-08-25 07:39:22 UTC 
Statement:

In Red Hat OpenShift Container Platform (RHOCP) the affected Kibana region map visualization is behind OpenShift OAuth authentication. This restricts access to the vulnerable visualization to authenticated users only, therefore the impact is Low.

Red Hat OpenShift Container Platform 4 delivers Kibana package where the region map visualization is included, but due to the code changing to the container first content the kibana package is marked as wontfix. This may be fixed in the future.