3.5

CVE-2022-37438

EPSS 0.35%
Veröffentlicht 16.08.2022 21:15:13
Zuletzt bearbeitet 21.11.2024 07:14:59
Quelle prodsec@splunk.com
Teams Watchlist Login
Unerledigt Login

In Splunk Enterprise versions in the following table, an authenticated user can craft a dashboard that could potentially leak information (for example, username, email, and real name) about Splunk users, when visited by another user through the drilldown component. The vulnerability requires user access to create and share dashboards using Splunk Web.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Splunk ≫ Splunk SwEditionenterprise Version >= 8.1.0 < 8.1.11

Splunk ≫ Splunk SwEditionenterprise Version >= 8.2.0 < 8.2.7.1

Splunk ≫ Splunk Version9.0.0 SwEditionenterprise

Splunk ≫ Splunk Cloud Platform Version <= 8.2.2203.4

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.35%	0.569

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	3.5	2.1	1.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
prodsec@splunk.com	2.6	1.2	1.4	CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

https://research.splunk.com/application/f844c3f6-fd99-43a2-ba24-93e35fe84be6

Vendor Advisory

https://www.splunk.com/en_us/product-security/announcements/svd-2022-0802.html

Vendor Advisory

Mitigation

https://nvd.nist.gov/vuln/detail/CVE-2022-37438

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-37438

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-37438

EUVD