3.5

CVE-2022-37438

EPSS 0.35%
Published 16.08.2022 21:15:13
Last modified 21.11.2024 07:14:59
Source prodsec@splunk.com
Teams watchlist Login
Open Login

In Splunk Enterprise versions in the following table, an authenticated user can craft a dashboard that could potentially leak information (for example, username, email, and real name) about Splunk users, when visited by another user through the drilldown component. The vulnerability requires user access to create and share dashboards using Splunk Web.

Affected products Warnungen 0 Metrics 3 CWE 1 References 5

Data is provided by the National Vulnerability Database (NVD)

Splunk ≫ Splunk SwEditionenterprise Version >= 8.1.0 < 8.1.11

Splunk ≫ Splunk SwEditionenterprise Version >= 8.2.0 < 8.2.7.1

Splunk ≫ Splunk Version9.0.0 SwEditionenterprise

Splunk ≫ Splunk Cloud Platform Version <= 8.2.2203.4

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.35%	0.569

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	3.5	2.1	1.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
prodsec@splunk.com	2.6	1.2	1.4	CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

https://research.splunk.com/application/f844c3f6-fd99-43a2-ba24-93e35fe84be6

Vendor Advisory

https://www.splunk.com/en_us/product-security/announcements/svd-2022-0802.html

Vendor Advisory

Mitigation

https://nvd.nist.gov/vuln/detail/CVE-2022-37438

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-37438

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-37438

EUVD