If you create a Kiali instance, you can specify any project in the YAML and it will be installed there, ignoring the user's rights to that project. If the current user has edit permissions to 'user-namespace' but not to 'any-namespace', Kiali will be created in 'any-namespace' anyway. Reference: https://issues.redhat.com/browse/KIALI-3278
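Added example, not code from the bug report or the Kiali project: a validating-webhook decision function for Kiali CRs that performs the check the report describes as missing, deciding on the requesting user's rights to the target project rather than the operator's own. It assumes the target project is carried in `spec.deployment.namespace` of the Kiali CR, and a dictionary stands in for the SubjectAccessReview a real webhook would send to the API server.

```python
import json
from typing import Callable

# Constructed AdmissionReview request (not captured from any cluster): user
# "alice" creates a Kiali CR in user-namespace but points it at any-namespace.
# Assumption: the Kiali CR carries the target project in spec.deployment.namespace.
ADMISSION_REQUEST = json.dumps({
    "request": {
        "uid": "constructed-uid-1",
        "namespace": "user-namespace",
        "userInfo": {"username": "alice", "groups": ["system:authenticated"]},
        "object": {
            "apiVersion": "kiali.io/v1alpha1",
            "kind": "Kiali",
            "metadata": {"name": "kiali", "namespace": "user-namespace"},
            "spec": {"deployment": {"namespace": "any-namespace"}},
        },
    }
})

# Stand-in for a SubjectAccessReview: namespaces in which each user may create
# Deployments. Constructed for this example; a real webhook would POST a
# SubjectAccessReview for the requesting user instead of consulting a table.
EDIT_RIGHTS = {"alice": {"user-namespace"}}

def can_create_deployments(user: str, namespace: str) -> bool:
    return namespace in EDIT_RIGHTS.get(user, set())

def target_namespace(cr: dict) -> str:
    # The override in spec.deployment.namespace wins; otherwise the CR's own namespace
    return cr.get("spec", {}).get("deployment", {}).get("namespace") or cr["metadata"]["namespace"]

def review(admission_json: str,
           can_i: Callable[[str, str], bool] = can_create_deployments) -> dict:
    """Return the AdmissionReview response: deny unless the *requesting user*
    may create Deployments in the namespace the CR would install Kiali into."""
    req = json.loads(admission_json)["request"]
    user = req["userInfo"]["username"]
    ns = target_namespace(req["object"])
    allowed = can_i(user, ns)
    resp = {"uid": req["uid"], "allowed": allowed}
    if not allowed:
        resp["status"] = {"code": 403,
                          "message": f"user {user} may not deploy Kiali into namespace {ns}"}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": resp}
```

Without such a check the operator acts as a confused deputy: its own service account can write to any-namespace, so the request succeeds regardless of who created the CR.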
Very similar to https://access.redhat.com/security/cve/cve-2020-14306 where an attacker would need some level of privilege to begin with.
Upstream fix: https://github.com/kiali/kiali-operator/pull/278
Acknowledgments: Vladimir Andryushin (VTB Bank (PJSC))
This issue has been addressed in the following products: OpenShift Service Mesh 2.0 via RHSA-2021:1544 https://access.redhat.com/errata/RHSA-2021:1544
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-3495
External References: https://kiali.io/news/security-bulletins/kiali-security-003/
Statement: Regarding the ServiceMesh `openshift-service-mesh/kiali-rhel7` container, it has been superseded by the `openshift-service-mesh/kiali-rhel8` container and is no longer supported.