Error message discloses internal path
Advisory ID: SVD-2022-0507
CVE ID: CVE-2022-26070
Published: 2022-05-03
Last Update: 2022-05-03
CVSSv3.1 Score: 4.3, Medium
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CWE: CWE-200
Bug ID: SPL-180503
Description
When handling a mismatched pre-authentication cookie, the application leaks the internal error message in the response, which contains the Splunk Enterprise local system path. The vulnerability impacts Splunk Enterprise versions before 8.1.0.
The vulnerability impacts instances with Splunk Web enabled. See Disable unnecessary Splunk Enterprise components and web.conf for more information on disabling Splunk Web.
Solution
Upgrade Splunk Enterprise to 8.1.0 or later.
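A small inventory check written for this advisory, not code from Splunk or the advisory itself: it parses Splunk Enterprise version strings numerically (so that 8.0.10 is correctly treated as newer than 8.0.9, which a plain string comparison gets wrong) and flags an instance as affected only when its version is below the 8.1.0 fix version and Splunk Web is enabled, mirroring the two conditions the advisory states. The host names and versions in the sample inventory are constructed for illustration.

```python
import re
from typing import List, Tuple

# Fix version from the advisory: Splunk Enterprise 8.1.0 (SVD-2022-0507 / CVE-2022-26070).
FIX_VERSION: Tuple[int, int, int] = (8, 1, 0)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '8.0.10' into (8, 0, 10) so versions compare numerically, not lexically."""
    m = re.fullmatch(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Splunk version string: {version!r}")
    major, minor, patch = (int(p) if p else 0 for p in m.groups())
    return (major, minor, patch)


def is_affected(version: str, splunk_web_enabled: bool = True) -> bool:
    """True when the instance matches the advisory's affected state.

    The advisory scopes the issue to Splunk Enterprise versions before 8.1.0
    on instances with Splunk Web enabled; disabling Splunk Web removes the
    exposed component, and upgrading to 8.1.0 or later applies the fix.
    """
    return splunk_web_enabled and parse_version(version) < FIX_VERSION


def affected_hosts(inventory: List[Tuple[str, str, bool]]) -> List[str]:
    """Return the names of inventory entries (name, version, web_enabled) that need action."""
    return [name for name, version, web in inventory if is_affected(version, web)]


# Constructed sample inventory (hypothetical host names and versions).
SAMPLE_INVENTORY: List[Tuple[str, str, bool]] = [
    ("splunk-search-01", "8.0.10", True),   # below 8.1.0, Splunk Web on  -> affected
    ("splunk-search-02", "8.1.0", True),    # at the fix version           -> not affected
    ("splunk-idx-01", "8.0.9", False),      # Splunk Web disabled          -> not affected
    ("splunk-search-03", "7.3.4", True),    # below 8.1.0, Splunk Web on  -> affected
]

if __name__ == "__main__":
    for host in affected_hosts(SAMPLE_INVENTORY):
        print(f"{host}: upgrade to 8.1.0 or later, or disable Splunk Web")
```

The `splunk_web_enabled` flag is whatever your configuration management reports for the instance; the advisory points to web.conf for the setting that controls it.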
Product Status
Product | Version | Component | Affected Version | Fix Version |
---|---|---|---|---|
Splunk Enterprise | 8.1 | Splunk Web | Versions below 8.1 | 8.1.0 |
The vulnerability does not impact Splunk Cloud Platform instances.
Acknowledgments
Dipak Prajapati (Lethal)