In OpenShift Container Platform 4.x, the Kibana logging console might be manipulated or even completely damaged by any user who creates a Kibana resource in a namespace other than openshift-logging. As a result, the console link is recreated by the elasticsearch-operator based on the new CR. If the new Kibana resource is then removed, the openshift-logging console link does not revert to the original one but is lost completely.
This flaw could lead to arbitrary URL redirection or to the openshift-logging console link being fully damaged.
Name: Aivaras Laimikis
This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 4.6
Via RHSA-2021:0310 https://access.redhat.com/errata/RHSA-2021:0310
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):