In Kibana versions before 6.8.11 and 7.8.1, the region map visualization contains a stored XSS flaw. An attacker who is able to edit or create a region map visualization could obtain sensitive information or perform destructive actions on behalf of Kibana users who view the region map visualization. References: https://discuss.elastic.co/t/elastic-stack-6-8-11-and-7-8-1-security-update/242786 https://www.elastic.co/community/security/
Statement: In Red Hat OpenShift Container Platform (RHOCP), the affected Kibana region map visualization is behind OpenShift OAuth authentication. This restricts access to the vulnerable visualization to authenticated users only; therefore, the impact is Low. Red Hat OpenShift Container Platform 4 delivers a Kibana package in which the region map visualization is included, but due to the code changing to container-first content, the kibana package is marked as wontfix. This may be fixed in the future.