Splunk Enterprise 6.6.3 and Splunk Light 6.6.3 address multiple vulnerabilities

Table of Contents

• Description
• Affected Products and Components
• Mitigation and Upgrades
• Vulnerability Descriptions and Ratings
• Persistent Cross Site Scripting in Splunk Web (SPL-142874)
• Reflected Cross Site Scripting in Splunk Web (SPL-142877)

Description

Splunk Enterprise 6.6.3 and Splunk Light 6.6.3 address multiple vulnerabilities

  • Persistent Cross Site Scripting in Splunk Web (SPL-142874)
  • Reflected Cross Site Scripting in Splunk Web (SPL-142877)

At the time of this announcement, Splunk is not aware of any cases where these vulnerabilities have been actively exploited. Previous Product Security Announcements can be found on our Splunk Product Security Portal. Use SPL numbers when referencing issues in communication with Splunk. If there is no Common Vulnerabilities and Exposures (CVE) identifier listed with a vulnerability, it will be added once it is assigned by a CVE Numbering Authority. To standardize the calculation of severity scores for each vulnerability, when appropriate, Splunk uses Common Vulnerability Scoring System version 2 (CVSS v2).

Affected Products and Components

  • Persistent Cross Site Scripting in Splunk Web (SPL-142874)
    • Affected Product Versions: Splunk Enterprise versions 6.6.x earlier than 6.6.3 and Splunk Light versions 6.6.x earlier than 6.6.3.
    • Affected Components: All Splunk Enterprise components running Splunk Web.
  • Reflected Cross Site Scripting in Splunk Web (SPL-142877)
    • Affected Product Versions: Splunk Enterprise versions 6.6.x earlier than 6.6.3 and Splunk Light versions 6.6.x earlier than 6.6.3.
    • Affected Components: All Splunk Enterprise components running Splunk Web.
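To turn the affected-version range stated above into an inventory check, here is an added example (not Splunk's code and not part of the advisory). The inventory and hostnames are constructed; the only data taken from the advisory is the range "6.6.x earlier than 6.6.3". Versions are compared as integer tuples so that 6.6.10 sorts after 6.6.3, which a plain string comparison gets wrong.

```python
import re

# Affected range stated in the advisory: 6.6.x earlier than 6.6.3.
# Earlier minor releases (6.5.x and below) are not listed as affected, so
# they are deliberately not flagged here.
AFFECTED_MAJOR_MINOR = (6, 6)
FIXED_VERSION = (6, 6, 3)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from a Splunk version string.

    A trailing build identifier such as '6.6.0-1234abcd' is ignored.
    Raises ValueError if the string does not start with three numeric parts.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised version string: %r" % (text,))
    return tuple(int(p) for p in m.groups())


def is_affected(version_text):
    """True if the version falls inside the advisory's affected range."""
    v = parse_version(version_text)
    return v[:2] == AFFECTED_MAJOR_MINOR and v < FIXED_VERSION


# Constructed inventory (hostname, product, version); hostnames are placeholders.
INVENTORY = [
    ("sh-01.example", "Splunk Enterprise", "6.6.2"),
    ("sh-02.example", "Splunk Enterprise", "6.6.3"),
    ("idx-01.example", "Splunk Enterprise", "6.6.10"),
    ("light-01.example", "Splunk Light", "6.6.0-1234abcd"),
    ("hf-01.example", "Splunk Enterprise", "6.5.4"),
]


def affected_hosts(inventory=INVENTORY):
    """Return hostnames that still need the 6.6.3 upgrade, in inventory order."""
    return [host for host, _product, ver in inventory if is_affected(ver)]


if __name__ == "__main__":
    for host in affected_hosts():
        print("upgrade required:", host)
```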

Mitigation and Upgrades

To mitigate these issues, Splunk recommends upgrading to the latest release and applying as many of the Hardening Standards from the Securing Splunk documentation as are relevant to your environment. Splunk Enterprise and Splunk Light releases are cumulative, meaning that future releases will contain fixes to these vulnerabilities, new features and other bug fixes.

Vulnerability Descriptions and Ratings

Persistent Cross Site Scripting in Splunk Web (SPL-142874)

Description: Splunk Enterprise versions 6.6.x earlier than 6.6.3 and Splunk Light versions 6.6.x earlier than 6.6.3 are affected by a vulnerability that allows an authenticated attacker to inject and store arbitrary JavaScript.

CVSS Severity (version 2.0):

  • CVSS Base Score: 8.2
  • CVSS Impact Subscore: 9.5
  • CVSS Exploitability Subscore: 6.8
  • Overall CVSS Score: 6.8

Reflected Cross Site Scripting in Splunk Web (SPL-142877)

Description: Splunk Enterprise versions 6.6.x earlier than 6.6.3 and Splunk Light versions 6.6.x earlier than 6.6.3 are affected by a vulnerability that could permit an unauthenticated attacker to execute JavaScript with the help of a social engineering attack.

CVSS Severity (version 2.0):

  • CVSS Base Score: 8.2
  • CVSS Impact Subscore: 9.5
  • CVSS Exploitability Subscore: 6.8
  • Overall CVSS Score: 6.8

Document History

  • 2017-Aug-21: Rev 1. Initial Release

Questions?

Submit your question to Splunk Support.
