Error message discloses internal path
Advisory ID: SVD-2022-0507
CVE ID: CVE-2022-26070
Published: 2022-05-03
Last Update: 2022-05-03
CVSSv3.1 Score: 4.3, Medium
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CWE: CWE-200
Description
When Splunk Enterprise handles a mismatched pre-authentication cookie, it returns the internal error message in the response, and that message contains the local system path of the Splunk Enterprise installation. The vulnerability impacts Splunk Enterprise versions before 8.1.0.
The vulnerability impacts only instances with Splunkweb enabled. See "Disable unnecessary Splunk Enterprise components" and "web.conf" in the Splunk documentation for more information on disabling Splunkweb.
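The pattern behind this finding, shown as an added example that is not Splunk's code: a pre-authentication cookie check whose error handler copies the raw exception text (including an absolute path) into the response, beside a hardened handler that logs the detail server-side and returns a fixed message. All names, the install path and the messages are constructed for illustration.

```python
import hmac
import logging
import re
from dataclasses import dataclass

log = logging.getLogger("auth")

# Constructed stand-in for an install root; not a path from the advisory.
INSTALL_ROOT = "/opt/example/install"

# Matches a POSIX absolute path or a Windows drive-letter path.
ABS_PATH_RE = re.compile(r"(?:[A-Za-z]:\\|/)[^\s\"'<>]+")


class CookieMismatch(Exception):
    """Hypothetical internal error whose text embeds a source file path."""
    def __init__(self, got):
        super().__init__(
            f"pre-auth cookie mismatch in {INSTALL_ROOT}/lib/auth/session.py: "
            f"got {got!r}"
        )


@dataclass
class Response:
    status: int
    body: str


def check_preauth_cookie(cookie_value, expected_value):
    # Constant-time compare so the check itself does not leak timing.
    if not hmac.compare_digest(cookie_value.encode(), expected_value.encode()):
        raise CookieMismatch(cookie_value)


def handle_leaky(cookie_value, expected_value):
    # 'Before': the exception text goes straight into the response (CWE-200).
    try:
        check_preauth_cookie(cookie_value, expected_value)
    except CookieMismatch as exc:
        return Response(401, f"Error: {exc}")
    return Response(200, "ok")


def handle_hardened(cookie_value, expected_value):
    # 'After': details are logged server-side; the client gets a fixed message.
    try:
        check_preauth_cookie(cookie_value, expected_value)
    except CookieMismatch as exc:
        log.warning("pre-auth cookie rejected: %s", exc)
        return Response(401, "Authentication failed")
    return Response(200, "ok")


def discloses_path(body):
    # Defender-side check: does a response body contain an absolute path?
    return ABS_PATH_RE.search(body) is not None
```

Running `discloses_path` over the two handlers' 401 bodies shows the leaky one exposing the install root while the hardened one does not.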
Solution
Upgrade Splunk Enterprise to 8.1.0 or later.
Product Status
Product | Version | Affected Versions | Fix Version |
---|---|---|---|
Splunk Enterprise | 8.1 | - | 8.1.0 |
The vulnerability does not impact Splunk Cloud Platform instances.
Acknowledgments
Dipak Prajapati (Lethal)