Host Header Injection in Splunk Enterprise
Advisory ID: SVD-2022-1102
CVE ID: CVE-2022-43562
Published: 2022-11-02
Last Update: 2022-11-02
CVSSv3.1 Score: 3.0, Low, Low
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N
CWE: CWE-20
Bug ID: SPL-224156
Description
In Splunk Enterprise versions below 8.1.12, 8.2.9, and 9.0.2, Splunk Enterprise fails to properly validate and escape the Host header, which could let a remote authenticated user conduct various attacks against the system, including cross-site scripting and cache poisoning.
Solution
For Splunk Enterprise, upgrade versions to 8.1.12, 8.2.9, 9.0.2, or higher.
For Splunk Cloud Platform, Splunk is actively patching and monitoring the Splunk Cloud instances.
Product Status
| Product | Version | Component | Affected Version | Fix Version |
|---|---|---|---|---|
| Splunk Enterprise | 8.1 | Splunk Web | 8.1.11 and lower | 8.1.12 |
| Splunk Enterprise | 8.2 | Splunk Web | 8.2.0 to 8.2.8 | 8.2.9 |
| Splunk Enterprise | 9.0 | Splunk Web | 9.0.0 to 9.0.1 | 9.0.2 |
| Splunk Cloud Platform | Splunk Web | 9.0.2205 and lower | 9.0.2208 |
Mitigations and Workarounds
None
Detections
None
Severity
Splunk rated the vulnerability as Low. The vulnerability could potentially let a remote authenticated user inject scripts or manipulate server side behavior through a specially crafted HTTP request. Splunk has not, however, observed a direct exploitation technique. Hence, Splunk scored the vulnerability as 3.0 with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N.
Acknowledgments
Ali Mirheidari at Splunk