A flaw was found in Kibana versions before 6.1.3 and 5.6.7. The fix in Kibana for ESA-2017-23 was incomplete. With X-Pack security enabled, there is an open redirect vulnerability on the login page that would enable an attacker to craft a link that redirects to an arbitrary website.
Not a bug. Openshift does not ship xpack as part of the kibana image.
(In reply to Jeff Cantrill from comment #4)
> Not a bug. Openshift does not ship xpack as part of the kibana image.
Sorry not sure what the needinfo is for?
As far as security trackers go, the low/moderate are largely up to the product team to fix if they want to, or if they catch it on a rebase due to a later upgrade. For important and critical PS will poke you. For details on the changes to the RHSA process please see:
This issue affects the versions of kibana as shipped with Red Hat OpenShift Enterprise Linux. Red Hat Product Security has rated this issue as having security impact of Moderate. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.