cve-2022-32154
Vulnerability from cvelistv5
Published
2022-06-15 16:48
Modified
2024-09-16 20:11
Severity ?
6.8 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
Summary
Dashboards in Splunk Enterprise versions before 9.0 might let an attacker inject risky search commands into a form token when the token is used in a query in a cross-origin request. The result bypasses SPL safeguards for risky commands. See New capabilities can limit access to some custom and potentially risky commands (https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/SPLsafeguards#New_capabilities_can_limit_access_to_some_custom_and_potentially_risky_commands) for more information. Note that the attack is browser-based and an attacker cannot exploit it at will.
References
prodsec@splunk.comhttps://docs.splunk.com/Documentation/Splunk/9.0.0/Security/SPLsafeguards#New_capabilities_can_limit_access_to_some_custom_and_potentially_risky_commandsMitigation, Vendor Advisory
prodsec@splunk.comhttps://docs.splunk.com/Documentation/Splunk/9.0.0/Security/UpdatesRelease Notes, Vendor Advisory
prodsec@splunk.comhttps://research.splunk.com/application/splunk_command_and_scripting_interpreter_delete_usage/Mitigation, Vendor Advisory
prodsec@splunk.comhttps://research.splunk.com/application/splunk_command_and_scripting_interpreter_risky_commands/Mitigation, Vendor Advisory
prodsec@splunk.comhttps://research.splunk.com/application/splunk_command_and_scripting_interpreter_risky_spl_mltk/Mitigation, Vendor Advisory
prodsec@splunk.comhttps://www.splunk.com/en_us/product-security/announcements/svd-2022-0604.htmlVendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/SPLsafeguards#New_capabilities_can_limit_access_to_some_custom_and_potentially_risky_commandsMitigation, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/UpdatesRelease Notes, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://research.splunk.com/application/splunk_command_and_scripting_interpreter_delete_usage/Mitigation, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://research.splunk.com/application/splunk_command_and_scripting_interpreter_risky_commands/Mitigation, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://research.splunk.com/application/splunk_command_and_scripting_interpreter_risky_spl_mltk/Mitigation, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.splunk.com/en_us/product-security/announcements/svd-2022-0604.htmlVendor Advisory
Impacted products
Vendor Product Version
Splunk, Inc Splunk Enterprise Version: 9.0   < 9.0
 Create a notification for this product.
   Splunk, Inc Splunk Cloud Platform Version: 8.2   < 8.2.2106
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T07:32:55.969Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/Updates"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.splunk.com/en_us/product-security/announcements/svd-2022-0604.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/SPLsafeguards#New_capabilities_can_limit_access_to_some_custom_and_potentially_risky_commands"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://research.splunk.com/application/splunk_command_and_scripting_interpreter_risky_commands/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://research.splunk.com/application/splunk_command_and_scripting_interpreter_risky_spl_mltk/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://research.splunk.com/application/splunk_command_and_scripting_interpreter_delete_usage/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Splunk Enterprise",
          "vendor": "Splunk, Inc",
          "versions": [
            {
              "lessThan": "9.0",
              "status": "affected",
              "version": "9.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Splunk Cloud Platform",
          "vendor": "Splunk, Inc",
          "versions": [
            {
              "lessThan": "8.2.2106",
              "status": "affected",
              "version": "8.2",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Chris Green at Splunk"
        },
        {
          "lang": "en",
          "value": "Danylo Dmytriiev (DDV_UA)"
        },
        {
          "lang": "en",
          "value": "Anton (therceman)"
        }
      ],
      "datePublic": "2022-06-14T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Dashboards in Splunk Enterprise versions before 9.0 might let an attacker inject risky search commands into a form token when the token is used in a query in a cross-origin request. The result bypasses SPL safeguards for risky commands. See New capabilities can limit access to some custom and potentially risky commands (https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/SPLsafeguards#New_capabilities_can_limit_access_to_some_custom_and_potentially_risky_commands) for more information. Note that the attack is browser-based and an attacker cannot exploit it at will."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20 Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-06-15T16:48:46",
        "orgId": "42b59230-ec95-491e-8425-5a5befa1a469",
        "shortName": "Splunk"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/Updates"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.splunk.com/en_us/product-security/announcements/svd-2022-0604.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/SPLsafeguards#New_capabilities_can_limit_access_to_some_custom_and_potentially_risky_commands"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://research.splunk.com/application/splunk_command_and_scripting_interpreter_risky_commands/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://research.splunk.com/application/splunk_command_and_scripting_interpreter_risky_spl_mltk/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://research.splunk.com/application/splunk_command_and_scripting_interpreter_delete_usage/"
        }
      ],
      "source": {
        "advisory": "SVD-2022-0604",
        "discovery": "INTERNAL"
      },
      "title": "Risky commands warnings in Splunk Enterprise Dashboards",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "prodsec@splunk.com",
          "DATE_PUBLIC": "2022-06-14T11:55:00.000Z",
          "ID": "CVE-2022-32154",
          "STATE": "PUBLIC",
          "TITLE": "Risky commands warnings in Splunk Enterprise Dashboards"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Splunk Enterprise",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "9.0",
                            "version_value": "9.0"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Splunk Cloud Platform",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "8.2",
                            "version_value": "8.2.2106"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Splunk, Inc"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Chris Green at Splunk"
          },
          {
            "lang": "eng",
            "value": "Danylo Dmytriiev (DDV_UA)"
          },
          {
            "lang": "eng",
            "value": "Anton (therceman)"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Dashboards in Splunk Enterprise versions before 9.0 might let an attacker inject risky search commands into a form token when the token is used in a query in a cross-origin request. The result bypasses SPL safeguards for risky commands. See New capabilities can limit access to some custom and potentially risky commands (https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/SPLsafeguards#New_capabilities_can_limit_access_to_some_custom_and_potentially_risky_commands) for more information. Note that the attack is browser-based and an attacker cannot exploit it at will."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-20 Improper Input Validation"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/Updates",
              "refsource": "CONFIRM",
              "url": "https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/Updates"
            },
            {
              "name": "https://www.splunk.com/en_us/product-security/announcements/svd-2022-0604.html",
              "refsource": "CONFIRM",
              "url": "https://www.splunk.com/en_us/product-security/announcements/svd-2022-0604.html"
            },
            {
              "name": "https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/SPLsafeguards#New_capabilities_can_limit_access_to_some_custom_and_potentially_risky_commands",
              "refsource": "CONFIRM",
              "url": "https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/SPLsafeguards#New_capabilities_can_limit_access_to_some_custom_and_potentially_risky_commands"
            },
            {
              "name": "https://research.splunk.com/application/splunk_command_and_scripting_interpreter_risky_commands/",
              "refsource": "CONFIRM",
              "url": "https://research.splunk.com/application/splunk_command_and_scripting_interpreter_risky_commands/"
            },
            {
              "name": "https://research.splunk.com/application/splunk_command_and_scripting_interpreter_risky_spl_mltk/",
              "refsource": "CONFIRM",
              "url": "https://research.splunk.com/application/splunk_command_and_scripting_interpreter_risky_spl_mltk/"
            },
            {
              "name": "https://research.splunk.com/application/splunk_command_and_scripting_interpreter_delete_usage/",
              "refsource": "CONFIRM",
              "url": "https://research.splunk.com/application/splunk_command_and_scripting_interpreter_delete_usage/"
            }
          ]
        },
        "source": {
          "advisory": "SVD-2022-0604",
          "discovery": "INTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "42b59230-ec95-491e-8425-5a5befa1a469",
    "assignerShortName": "Splunk",
    "cveId": "CVE-2022-32154",
    "datePublished": "2022-06-15T16:48:46.918488Z",
    "dateReserved": "2022-05-31T00:00:00",
    "dateUpdated": "2024-09-16T20:11:36.885Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-32154\",\"sourceIdentifier\":\"prodsec@splunk.com\",\"published\":\"2022-06-15T17:15:09.017\",\"lastModified\":\"2024-11-21T07:05:51.100\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Dashboards in Splunk Enterprise versions before 9.0 might let an attacker inject risky search commands into a form token when the token is used in a query in a cross-origin request. The result bypasses SPL safeguards for risky commands. See New capabilities can limit access to some custom and potentially risky commands (https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/SPLsafeguards#New_capabilities_can_limit_access_to_some_custom_and_potentially_risky_commands) for more information. Note that the attack is browser-based and an attacker cannot exploit it at will.\"},{\"lang\":\"es\",\"value\":\"Los cuadros de mando en Splunk Enterprise versiones anteriores a 9.0, podr\u00edan permitir a un atacante inyectar comandos de b\u00fasqueda arriesgados en un token de formulario cuando el token es usado en una consulta en una petici\u00f3n de origen cruzado. El resultado es una omisi\u00f3n de las salvaguardas de SPL para los comandos de riesgo. V\u00e9ase Las nuevas capacidades pueden limitar el acceso a algunos comandos personalizados y potencialmente arriesgados (https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/SPLsafeguards#New_capabilities_can_limit_access_to_some_custom_and_potentially_risky_commands) para m\u00e1s informaci\u00f3n. Tenga en cuenta que el ataque est\u00e1 basado en el navegador y un atacante no puede explotarlo a voluntad\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"prodsec@splunk.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N\",\"baseScore\":6.8,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.6,\"impactScore\":5.2},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":5.2}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:H/Au:N/C:P/I:P/A:N\",\"baseScore\":4.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"HIGH\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":4.9,\"impactScore\":4.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"prodsec@splunk.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-20\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-77\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*\",\"versionEndExcluding\":\"9.0\",\"matchCriteriaId\":\"A6CE3B90-F8EF-4DC2-80FF-2B791F152037\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"8.2.2106\",\"matchCriteriaId\":\"87852670-65F6-4EE8-ABD5-BC25137868DD\"}]}]}],\"references\":[{\"url\":\"https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/SPLsafeguards#New_capabilities_can_limit_access_to_some_custom_and_potentially_risky_commands\",\"source\":\"prodsec@splunk.com\",\"tags\":[\"Mitigation\",\"Vendor Advisory\"]},{\"url\":\"https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/Updates\",\"source\":\"prodsec@splunk.com\",\"tags\":[\"Release Notes\",\"Vendor Advisory\"]},{\"url\":\"https://research.splunk.com/application/splunk_command_and_scripting_interpreter_delete_usage/\",\"source\":\"prodsec@splunk.com\",\"tags\":[\"Mitigation\",\"Vendor Advisory\"]},{\"url\":\"https://research.splunk.com/application/splunk_command_and_scripting_interpreter_risky_commands/\",\"source\":\"prodsec@splunk.com\",\"tags\":[\"Mitigation\",\"Vendor Advisory\"]},{\"url\":\"https://research.splunk.com/application/splunk_command_and_scripting_interpreter_risky_spl_mltk/\",\"source\":\"prodsec@splunk.com\",\"tags\":[\"Mitigation\",\"Vendor Advisory\"]},{\"url\":\"https://www.splunk.com/en_us/product-security/announcements/svd-2022-0604.html\",\"source\":\"prodsec@splunk.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/SPLsafeguards#New_capabilities_can_limit_access_to_some_custom_and_potentially_risky_commands\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mitigation\",\"Vendor Advisory\"]},{\"url\":\"https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/Updates\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\",\"Vendor Advisory\"]},{\"url\":\"https://research.splunk.com/application/splunk_command_and_scripting_interpreter_delete_usage/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mitigation\",\"Vendor Advisory\"]},{\"url\":\"https://research.splunk.com/application/splunk_command_and_scripting_interpreter_risky_commands/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mitigation\",\"Vendor Advisory\"]},{\"url\":\"https://research.splunk.com/application/splunk_command_and_scripting_interpreter_risky_spl_mltk/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mitigation\",\"Vendor Advisory\"]},{\"url\":\"https://www.splunk.com/en_us/product-security/announcements/svd-2022-0604.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.