In OpenShift Container Platform 4.x, the Kibana logging console might be manipulated or even completely damaged by any user who creates a Kibana resource in a namespace other than openshift-logging. This happens because the console link is recreated by the elasticsearch-operator based on the new CR. If the new Kibana resource is removed, the openshift-logging console link does not revert to the original one but is lost completely. This flaw could lead to an arbitrary URL redirection or to the complete loss of the openshift-logging console link.
Fixes: https://github.com/openshift/elasticsearch-operator/pull/581 https://github.com/openshift/elasticsearch-operator/pull/587
Acknowledgments: Name: Aivaras Laimikis
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.6 Via RHSA-2021:0310 https://access.redhat.com/errata/RHSA-2021:0310
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-27816
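An audit for the two outcomes in the description above (a redirected or a lost logging console link), given as an added example and not code from the elasticsearch-operator project. It reads the JSON that `oc get kibana -A -o json` and `oc get consolelink -o json` return; the link name, the expected host and the sample data are constructed assumptions.

```python
import json
from urllib.parse import urlparse

LOGGING_NS = "openshift-logging"  # namespace named in the description

def audit(kibanas_json, consolelinks_json, link_name, expected_host):
    """Return (finding, detail) tuples for stray Kibana CRs and link state.

    link_name and expected_host are supplied by the operator of the cluster
    (assumptions of this example, not values taken from the advisory).
    """
    findings = []
    # 1. Any Kibana CR outside openshift-logging is a candidate trigger.
    for item in json.loads(kibanas_json).get("items", []):
        meta = item.get("metadata", {})
        if meta.get("namespace") != LOGGING_NS:
            findings.append(("stray-kibana",
                             f"{meta.get('namespace')}/{meta.get('name')}"))
    # 2. The logging ConsoleLink must exist and point at the expected host.
    links = {i["metadata"]["name"]: i
             for i in json.loads(consolelinks_json).get("items", [])}
    link = links.get(link_name)
    if link is None:
        findings.append(("link-missing", link_name))
    else:
        href = link.get("spec", {}).get("href", "")
        if urlparse(href).hostname != expected_host:
            findings.append(("link-redirected", href))
    return findings

# Constructed sample input in the List shape of `oc get ... -o json`.
SAMPLE_KIBANAS = json.dumps({"items": [
    {"kind": "Kibana", "metadata": {"name": "kibana", "namespace": LOGGING_NS}},
    {"kind": "Kibana", "metadata": {"name": "kibana", "namespace": "team-a"}},
]})
SAMPLE_LINKS = json.dumps({"items": [
    {"kind": "ConsoleLink", "metadata": {"name": "example-logging-link"},
     "spec": {"href": "https://kibana-team-a.apps.example.test"}},
]})
EXPECTED_HOST = "kibana-openshift-logging.apps.example.test"  # constructed

if __name__ == "__main__":
    for finding in audit(SAMPLE_KIBANAS, SAMPLE_LINKS,
                         "example-logging-link", EXPECTED_HOST):
        print(*finding)
```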