A flaw was found in Kibana versions before 6.1.3 and 5.6.7. The fix in Kibana for ESA-2017-23 was incomplete. With X-Pack security enabled, there is an open redirect vulnerability on the login page that would enable an attacker to craft a link that redirects to an arbitrary website.

References: https://www.elastic.co/community/security
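As an added illustration, not code from this bug, from Kibana or from Elastic, the Node.js snippet below shows the vulnerable pattern behind a login-page open redirect (a post-login parameter handed straight to the redirect) next to a validator that only accepts paths on the application's own origin. The parameter name `next`, the origin `https://kibana.example.com` and the fallback path are assumptions; the inputs are constructed. The bypass classes it checks (protocol-relative `//host`, backslash `/\host`, a scheme, and a dot-segment path that normalises to `//host`) are the general ones that defeat naive "starts with a slash" checks; the page does not say which of these the incomplete ESA-2017-23 fix missed.

```javascript
// Added example (not Kibana's code): post-login redirect handling.
// Assumptions: the redirect target arrives in a `next` query parameter and
// the application is served from APP_ORIGIN.
const APP_ORIGIN = 'https://kibana.example.com';
const DEFAULT_PATH = '/app/kibana';

// Vulnerable pattern: the parameter is trusted as-is, so
// ?next=https://evil.example sends the user off-site after login.
function vulnerableRedirectTarget(next) {
  return next || DEFAULT_PATH;
}

// Hardened pattern: accept only a path on our own origin, and re-check
// after URL resolution because normalisation can turn an innocent-looking
// path such as "/..//host" into the protocol-relative "//host".
function safeRedirectTarget(next, fallback = DEFAULT_PATH) {
  if (typeof next !== 'string' || next === '') return fallback;
  // A single leading slash not followed by "/" or "\": rejects "//host",
  // "/\host" and anything carrying a scheme ("https:", "javascript:").
  const singleSlashPath = /^\/(?![\/\\])/;
  if (!singleSlashPath.test(next)) return fallback;
  let resolved;
  try {
    resolved = new URL(next, APP_ORIGIN); // WHATWG parser, built into Node
  } catch {
    return fallback;
  }
  if (resolved.origin !== APP_ORIGIN) return fallback;
  // Dot-segment trick: "/..//evil.example" resolves to pathname "//evil.example".
  if (!singleSlashPath.test(resolved.pathname)) return fallback;
  // Hand back a relative path, never an absolute URL, so the browser stays
  // on the current host even if APP_ORIGIN were misconfigured.
  return resolved.pathname + resolved.search + resolved.hash;
}

// Constructed inputs of the kind a login-page redirect sees; only the first
// two should survive the hardened check.
const CASES = [
  '/app/dashboards?time=now-15m',
  '/app/kibana#/discover',
  'https://evil.example/login',
  '//evil.example/login',
  '/\\evil.example/login',
  'javascript:alert(1)',
  '/..//evil.example',
];

// Side-by-side result for each input.
function compare(cases = CASES) {
  return cases.map((next) => ({
    next,
    vulnerable: vulnerableRedirectTarget(next),
    hardened: safeRedirectTarget(next),
  }));
}

for (const row of compare()) {
  console.log(`${row.next}\n  vulnerable -> ${row.vulnerable}\n  hardened   -> ${row.hardened}`);
}
```

The second `singleSlashPath` test on `resolved.pathname` is the part a first-pass fix tends to omit: the raw input `/..//evil.example` passes the leading-slash check, resolves to an origin that matches ours, and only after normalisation becomes a protocol-relative URL that a browser would follow to another host.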
Not a bug. Openshift does not ship xpack as part of the kibana image.
(In reply to Jeff Cantrill from comment #4)
> Not a bug. Openshift does not ship xpack as part of the kibana image.

Sorry, not sure what the needinfo is for? As far as security trackers go, the low/moderate ones are largely up to the product team to fix if they want to, or if they catch it on a rebase due to a later upgrade. For important and critical, PS will poke you. For details on the changes to the RHSA process please see: https://mojo.redhat.com/groups/product-security/blog/2018/02/05/changes-to-the-rhsa-errata-process
Statement: This issue affects the versions of kibana as shipped with Red Hat OpenShift Enterprise Linux. Red Hat Product Security has rated this issue as having a security impact of Moderate. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.