CVE-2020-27816

Name of the Vulnerable Software and Affected Versions elasticsearch-operator-container versions prior to 4.7

Description The issue arises from the elasticsearch-operator's failure to validate the namespace where the kibana logging resource is created. This allows for the potential replacement of the original openshift-logging console link with a different one, based on a new CR for a new kibana resource. As a result, this could lead to arbitrary URL redirection or damage to the openshift-logging console link.

Recommendations For versions prior to 4.7, update to version 4.7 or later to resolve the issue. As a temporary workaround, consider restricting access to the kibana logging resource creation to minimize the risk of exploitation.