We have found two security issues in the Search Guard Kibana plugin:
SISG-9: Kibana user can impersonate the kibanaserver user when using Single-Sign-On
SISG-8: Redirect and XSS vulnerability on the Kibana login page
More information can be found on our Security Issues page:
The issues have already been fixed for Kibana 6.x and 5.6.8. We recommend upgrading the Kibana plugin to the latest version as soon as possible!
Jochen and the Search Guard team