Information disclosure via the dashboard drilldown in Splunk Enterprise
Advisory ID: SVD-2022-0802
CVE ID: CVE-2022-37438
Last Update: 2022-08-16
CVSSv3.1 Score: 2.6, Low
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N
Bug ID: SPL-221531
In Splunk Enterprise versions in the following table, an authenticated user can craft a dashboard that could potentially leak information (for example, username, email, and real name) about Splunk users, when visited by another user through the drilldown component. The vulnerability requires user access to create and share dashboards using Splunk Web.
For Splunk Enterprise, upgrade versions to 8.1.11, 18.104.22.168, 9.0.1, or higher.
For Splunk Cloud Platform customers, Splunk is actively patching and monitoring Splunk Cloud instances.
|Product||Version||Component||Affected Version||Fix Version|
|Splunk Enterprise||8.1||Splunk Web||8.1.10 and lower||8.1.11|
|Splunk Enterprise||8.2||Splunk Web||8.2.0 to 8.2.7||22.214.171.124|
|Splunk Enterprise||9.0||Splunk Web||9.0.0||9.0.1|
|Splunk Cloud Platform||Splunk Web||8.2.2203.4 and lower||9.0.2205|
Mitigations and Workarounds
You can mitigate this vulnerability by configuring permissions for dashboards and the knowledge objects that drive them.
This search uses REST functionality to query for dashboards with environment variables present in URL options that could potentially leak information about Splunk users. If an analyst sees results from this search we suggest investigating to determine if the disclosure of these environmental variables was intended.
Splunk rates the severity as Low, 2.6 with the vector CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N. If the Splunk Enterprise instance disabled Splunk Web, it is not impacted and the vulnerability is informational.
Eric LaMothe at Splunk