Host Header Injection in Splunk Enterprise
Advisory ID: SVD-2022-1102
CVE ID: CVE-2022-43562
Last Update: 2022-11-02
CVSSv3.1 Score: 3.0, Low
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N
Bug ID: SPL-224156
In Splunk Enterprise versions below 8.1.12, 8.2.9, and 9.0.2, Splunk Enterprise fails to properly validate and escape the Host header, which could let a remote authenticated user conduct various attacks against the system, including cross-site scripting and cache poisoning.
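As an added illustration (not Splunk's code and not its fix), the example below shows what validating and escaping a Host header means in a generic Python request handler: exactly one Host header, well-formed syntax, membership in an allowlist, and HTML-escaping before the value is reflected. The hostnames, `validate_host`, `absolute_link` and the sample requests are assumptions constructed for the example.

```python
import html
import re

# Assumption: the only host[:port] values this deployment serves (constructed).
ALLOWED_HOSTS = {"splunk.example.internal", "splunk.example.internal:8000"}
DEFAULT_HOST = "splunk.example.internal:8000"

# Hostname or IPv4 literal with optional port; anything else is rejected.
_HOST_RE = re.compile(r"[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?(?::[0-9]{1,5})?")


def validate_host(headers):
    """Return the canonical Host value, or None if it must not be trusted.

    headers: list of (name, value) pairs exactly as received, so that
    duplicate Host headers remain visible to the check.
    """
    values = [v for name, v in headers if name.lower() == "host"]
    if len(values) != 1:                      # missing or ambiguous
        return None
    host = values[0].strip().lower()
    if len(host) > 255 or not _HOST_RE.fullmatch(host):
        return None                           # markup, CR/LF, spaces, ...
    if host not in ALLOWED_HOSTS:             # well-formed but not ours
        return None
    return host


def absolute_link(headers, path, label):
    """Build an HTML link whose origin never comes from an unvalidated Host."""
    host = validate_host(headers) or DEFAULT_HOST
    url = "https://%s%s" % (host, path)
    return '<a href="%s">%s</a>' % (html.escape(url, quote=True),
                                    html.escape(label, quote=True))


if __name__ == "__main__":
    # Constructed requests: one legitimate, three that must be rejected.
    samples = [
        [("Host", "splunk.example.internal:8000")],
        [("Host", "attacker.example")],
        [("Host", 'splunk.example.internal"><b>')],
        [("Host", "splunk.example.internal"), ("host", "attacker.example")],
    ]
    for hdrs in samples:
        print(validate_host(hdrs), absolute_link(hdrs, "/status", "Status"))
```

Because rejected values fall back to a fixed host, the generated markup does not vary with the request's Host header, so a cached copy of the response cannot carry a value chosen by the requester.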
For Splunk Enterprise, upgrade to version 8.1.12, 8.2.9, 9.0.2, or higher.
For Splunk Cloud Platform, Splunk is actively patching and monitoring the Splunk Cloud instances.
| Product | Version | Component | Affected Version | Fix Version |
|---|---|---|---|---|
| Splunk Enterprise | 8.1 | Splunk Web | 8.1.11 and lower | 8.1.12 |
| Splunk Enterprise | 8.2 | Splunk Web | 8.2.0 to 8.2.8 | 8.2.9 |
| Splunk Enterprise | 9.0 | Splunk Web | 9.0.0 to 9.0.1 | 9.0.2 |
| Splunk Cloud Platform | | Splunk Web | 9.0.2205 and lower | 9.0.2208 |
Mitigations and Workarounds
Splunk rated the vulnerability as Low. The vulnerability could potentially let a remote authenticated user inject scripts or manipulate server-side behavior through a specially crafted HTTP request. Splunk has not, however, observed a direct exploitation technique. Hence, Splunk scored the vulnerability as 3.0 with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N.
Ali Mirheidari at Splunk