It was discovered that kibana could be opened in an iframe, which made it possible to intercept and manipulate requests. An attacker could use this flaw to trick a user into performing arbitrary actions in kibana (clickjacking).
Upstream issue: https://github.com/gardener/gardener/issues/1860
The previous upstream issue references a similar issue in gardener; however, the correct upstream project for this OpenShift Container Platform (OCP) component is actually github.com/elastic/kibana. They don't consider this a vulnerability, but may address it in a future release. For a discussion on this topic, see this upstream issue: https://github.com/elastic/kibana/issues/52809 The CVE assigned for this issue is for OCP's deployment of kibana only, not the upstream project.
Statement: This CVE relates specifically to OpenShift Container Platform's distribution of Kibana. Upstream Kibana doesn't consider this a vulnerability, but may address this in a future version: https://github.com/elastic/kibana/issues/52809
Mitigation: Any Kibana version with this commit [1] can add the following configuration option to mitigate the problem:

config/kibana.yml:
server.customResponseHeaders: {"x-frame-options":"deny"}
or
server.customResponseHeaders: {"x-frame-options":"sameorigin"}

[1] https://github.com/elastic/kibana/pull/13045
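As an added verification aid (not part of this bug report and not Kibana's own code), the following Python classifies the anti-framing headers of an HTTP response so an administrator can confirm the server.customResponseHeaders mitigation above is actually in effect; the sample responses are constructed, not captured from a real instance.

```python
# Added example: classify anti-framing protection in a Kibana HTTP response.
# Returns 'deny', 'sameorigin', 'csp' (frame-ancestors restricts framing) or 'none'.
from typing import List, Tuple


def parse_response_head(raw: str) -> List[Tuple[str, str]]:
    """Split a raw HTTP response head into (name, value) header pairs."""
    headers = []
    for line in raw.split("\r\n")[1:]:   # [0] is the status line
        if not line:                      # blank line terminates the head
            break
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers


def _csp_blocks_framing(policy: str) -> bool:
    """True if a frame-ancestors directive allows only 'none' / 'self'."""
    for directive in policy.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = {p.lower() for p in parts[1:]}
            return bool(sources) and sources <= {"'none'", "'self'"}
    return False


def framing_protection(headers: List[Tuple[str, str]]) -> str:
    """Header names and X-Frame-Options values are matched case-insensitively."""
    result = "none"
    for name, value in headers:
        lname = name.lower()
        if lname == "content-security-policy" and _csp_blocks_framing(value):
            return "csp"                  # CSP takes precedence in modern browsers
        if lname == "x-frame-options":
            v = value.strip().lower()
            if v in ("deny", "sameorigin"):
                result = v
    return result


# Constructed sample responses (the kbn-name header is illustrative only).
UNMITIGATED = "HTTP/1.1 200 OK\r\nkbn-name: kibana\r\ncontent-type: text/html\r\n\r\n<html>"
MITIGATED = "HTTP/1.1 200 OK\r\nkbn-name: kibana\r\nX-Frame-Options: DENY\r\n\r\n<html>"

if __name__ == "__main__":
    print(framing_protection(parse_response_head(UNMITIGATED)))  # none
    print(framing_protection(parse_response_head(MITIGATED)))    # deny
```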
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 3.11 Via RHSA-2020:3727 https://access.redhat.com/errata/RHSA-2020:3727
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-10743
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.6 Via RHSA-2020:4298 https://access.redhat.com/errata/RHSA-2020:4298