The 5.4.3 release contains an important security fix in X-Pack Security. Please read the details below.
Security Fixes in X-Pack 5.4.3
In Kibana X-Pack Security versions prior to 5.4.3, if a Kibana user opens a crafted Kibana URL, the result could be a redirect to an improperly initialized Kibana login screen. If the user enters credentials on this screen, the credentials will appear in the URL bar. The credentials could then be viewed by untrusted parties or written to the Kibana access logs.
We believe the severity of this issue is low since the issue can be triggered only by a crafted URL, and it will be very difficult for an external attacker to acquire credentials even with the vulnerability. Kibana users concerned with this issue should upgrade to version 5.4.3 or later.
Other Fixes and Enhancements in 5.4.3
- [licenses] Bump ua-parser-js override #12474