NVD:CVE-2022-37438
History: Aug 16, 2022 - 9:15 p.m.

CVE-2022-37438

2022-08-16 21:15:13
CWE-200
web.nvd.nist.gov
5
splunk enterprise
authenticated user
dashboard
information leakage
vulnerability

CVSS3: 3.5

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

EPSS: 0.001
Percentile: 22.7%

In Splunk Enterprise versions in the following table, an authenticated user can craft a dashboard that could potentially leak information (for example, username, email, and real name) about Splunk users, when visited by another user through the drilldown component. The vulnerability requires user access to create and share dashboards using Splunk Web.

Affected configurations

Nvd
Node
splunk | splunk | Range | 8.1.0 | 8.1.11 | enterprise
OR
splunk | splunk | Range | 8.2.0 | 8.2.7.1 | enterprise
OR
splunk | splunk | Match | 9.0.0 | enterprise
OR
splunk | splunk_cloud_platform | Range | 8.2.2203.4

Vendor | Product | Version | CPE
splunk | splunk | * | cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*
splunk | splunk | 9.0.0 | cpe:2.3:a:splunk:splunk:9.0.0:*:*:*:enterprise:*:*:*
splunk | splunk_cloud_platform | * | cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*
