Today we're releasing Kibana version 5.0.1 with a security fix as well as a couple other important bug fixes. We're also release Kibana version 4.6.3 with the same security fix.
Kibana 5.0.1 and 4.6.3 fix an open redirect vulnerability in the short URL feature that would allow an attacker to create a redirect from the Kibana domain to a different website. We've assigned this vulnerability the identifier ESA-2016-09. Thank you to the GE Digital Security Team for finding and reporting the issue.
Kibana 5.0.1 bug fixes:
- The error message that gets rendered when sessionStorage is disabled in the browser has been updated to reflect the nature of the issue and now includes information specific to Safari in private browsing mode, which was the most common scenario that a person would encounter this error in the first place. #8343
- When trailing slashes are automatically removed in the form of a redirect, the basePath configuration is now honored. #8966
- The Sharing UI now properly renders when using the dark theme in a dashboard. #8941
- Tile map bounding boxes no longer create filters with invalid bounds, which would previously trigger errors in the Elasticsearch aggregation response. #8959