vulnerability

Elastic Kibana: CVE-2020-27816: URL Redirection to Untrusted Site

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
6	(AV:N/AC:M/Au:N/C:P/I:P/A:N)	Dec 2, 2020	Sep 3, 2025	Sep 3, 2025

Severity

CVSS

(AV:N/AC:M/Au:N/C:P/I:P/A:N)

Published

Dec 2, 2020

Added

Sep 3, 2025

Modified

Sep 3, 2025

Description

The elasticsearch-operator does not validate the namespace where kibana logging resource is created and due to that it is possible to replace the original openshift-logging console link (kibana console) to different one, created based on the new CR for the new kibana resource. This could lead to an arbitrary URL redirection or the openshift-logging console link damage. This flaw affects elasticsearch-operator-container versions before 4.7.

Solution

elastic-kibana-upgrade-latest

References

CWE-601
CVE-2020-27816
https://attackerkb.com/topics/CVE-2020-27816
URL-https://bugzilla.redhat.com/show_bug.cgi?id=1902698

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today