Splunk Enterprise vulnerabilities

CVE-2022-43572 [MEDIUM] CWE-400 CVE-2022-43572: In Splunk Enterprise versions below 8.2.9, 8.1.12, and 9.0.2, sending a malformed file through the S In Splunk Enterprise versions below 8.2.9, 8.1.12, and 9.0.2, sending a malformed file through the Splunk-to-Splunk (S2S) or HTTP Event Collector (HEC) protocols to an indexer results in a blockage or denial-of-service preventing further indexing.

CVE-2022-43564 [MEDIUM] CWE-400 CVE-2022-43564: In Splunk Enterprise versions below 8.1.12, 8.2.9, and 9.0.2, a remote user who can create search ma In Splunk Enterprise versions below 8.1.12, 8.2.9, and 9.0.2, a remote user who can create search macros and schedule search reports can cause a denial of service through the use of specially crafted search macros.

CVE-2022-43562 [MEDIUM] CWE-20 CVE-2022-43562: In Splunk Enterprise versions below 8.1.12, 8.2.9, and 9.0.2, Splunk Enterprise fails to properly va In Splunk Enterprise versions below 8.1.12, 8.2.9, and 9.0.2, Splunk Enterprise fails to properly validate and escape the Host header, which could let a remote authenticated user conduct various attacks against the system, including cross-site scripting and cache poisoning.

CVE-2022-43571 [HIGH] CWE-94 CVE-2022-43571: In Splunk Enterprise versions below 8.2.9, 8.1.12, and 9.0.2, an authenticated user can execute arbi In Splunk Enterprise versions below 8.2.9, 8.1.12, and 9.0.2, an authenticated user can execute arbitrary code through the dashboard PDF generation component.

CVE-2022-43561 [MEDIUM] CWE-79 CVE-2022-43561: In Splunk Enterprise versions below 8.1.12, 8.2.9, and 9.0.2, a remote user that holds the “power” S In Splunk Enterprise versions below 8.1.12, 8.2.9, and 9.0.2, a remote user that holds the “power” Splunk role can store arbitrary scripts that can lead to persistent cross-site scripting (XSS). The vulnerability affects instances with Splunk Web enabled.

CVE-2022-37437 [CRITICAL] CWE-295 CVE-2022-37437: When using Ingest Actions to configure a destination that resides on Amazon Simple Storage Service ( When using Ingest Actions to configure a destination that resides on Amazon Simple Storage Service (S3) in Splunk Web, TLS certificate validation is not correctly performed and tested for the destination. The vulnerability only affects connections between Splunk Enterprise and an Ingest Actions Destination through Splunk Web and only applies to en

CVE-2022-37439 [MEDIUM] CWE-409 CVE-2022-37439: In Splunk Enterprise and Universal Forwarder versions in the following table, indexing a specially c In Splunk Enterprise and Universal Forwarder versions in the following table, indexing a specially crafted ZIP file using the file monitoring input can result in a crash of the application. Attempts to restart the application would result in a crash and would require manually removing the malformed file.

CVE-2022-37438 [LOW] CWE-200 CVE-2022-37438: In Splunk Enterprise versions in the following table, an authenticated user can craft a dashboard th In Splunk Enterprise versions in the following table, an authenticated user can craft a dashboard that could potentially leak information (for example, username, email, and real name) about Splunk users, when visited by another user through the drilldown component. The vulnerability requires user access to create and share dashboards using Splunk Web.

CVE-2022-32152 [HIGH] CWE-295 CVE-2022-32152: Splunk Enterprise peers in Splunk Enterprise versions before 9.0 and Splunk Cloud Platform versions Splunk Enterprise peers in Splunk Enterprise versions before 9.0 and Splunk Cloud Platform versions before 8.2.2203 did not validate the TLS certificates during Splunk-to-Splunk communications by default. Splunk peer communications configured properly with valid certificates were not vulnerable. However, an attacker with administrator credentials could

CVE-2022-32156 [HIGH] CWE-295 CVE-2022-32156: In Splunk Enterprise and Universal Forwarder versions before 9.0, the Splunk command-line interface In Splunk Enterprise and Universal Forwarder versions before 9.0, the Splunk command-line interface (CLI) did not validate TLS certificates while connecting to a remote Splunk platform instance by default. After updating to version 9.0, see Configure TLS host name validation for the Splunk CLI https://docs.splunk.com/Documentation/Splunk/9.0.0/Security

CVE-2021-31559 [HIGH] CWE-288 CVE-2021-31559: A crafted request bypasses S2S TCP Token authentication writing arbitrary events to an index in Splu A crafted request bypasses S2S TCP Token authentication writing arbitrary events to an index in Splunk Enterprise Indexer 8.1 versions before 8.1.5 and 8.2 versions before 8.2.1. The vulnerability impacts Indexers configured to use TCPTokens. It does not impact Universal Forwarders.

CVE-2021-26253 [HIGH] CWE-287 CVE-2021-26253: A potential vulnerability in Splunk Enterprise's implementation of DUO MFA allows for bypassing the A potential vulnerability in Splunk Enterprise's implementation of DUO MFA allows for bypassing the MFA verification in Splunk Enterprise versions before 8.1.6. The potential vulnerability impacts Splunk Enterprise instances configured to use DUO MFA and does not impact or affect a DUO product or service.

CVE-2021-42743 [HIGH] CWE-427 CVE-2021-42743: A misconfiguration in the node default path allows for local privilege escalation from a lower privi A misconfiguration in the node default path allows for local privilege escalation from a lower privileged user to the Splunk user in Splunk Enterprise versions before 8.1.1 on Windows.

CVE-2022-26889 [HIGH] CWE-20 CVE-2022-26889: In Splunk Enterprise versions before 8.1.2, the uri path to load a relative resource within a web pa In Splunk Enterprise versions before 8.1.2, the uri path to load a relative resource within a web page is vulnerable to path traversal. It allows an attacker to potentially inject arbitrary content into the web page (e.g., HTML Injection, XSS) or bypass SPL safeguards for risky commands. The attack is browser-based. An attacker cannot exploit the attac

CVE-2022-27183 [MEDIUM] CWE-79 CVE-2022-27183: The Monitoring Console app configured in Distributed mode allows for a Reflected XSS in a query para The Monitoring Console app configured in Distributed mode allows for a Reflected XSS in a query parameter in Splunk Enterprise versions before 8.1.4. The Monitoring Console app is a bundled app included in Splunk Enterprise, not for download on SplunkBase, and not installed on Splunk Cloud Platform instances. Note that the Cloud Monitoring Console is

CVE-2022-26070 [MEDIUM] CWE-200 CVE-2022-26070: When handling a mismatched pre-authentication cookie, the application leaks the internal error messa When handling a mismatched pre-authentication cookie, the application leaks the internal error message in the response, which contains the Splunk Enterprise local system path. The vulnerability impacts Splunk Enterprise versions before 8.1.0.

CVE-2021-33845 [MEDIUM] CWE-203 CVE-2021-33845: The Splunk Enterprise REST API allows enumeration of usernames via the lockout error message. The po The Splunk Enterprise REST API allows enumeration of usernames via the lockout error message. The potential vulnerability impacts Splunk Enterprise instances before 8.1.7 when configured to repress verbose login errors.

CVE-2021-3422 [HIGH] CWE-125 CVE-2021-3422: The lack of validation of a key-value field in the Splunk-to-Splunk protocol results in a denial-of- The lack of validation of a key-value field in the Splunk-to-Splunk protocol results in a denial-of-service in Splunk Enterprise instances configured to index Universal Forwarder traffic. The vulnerability impacts Splunk Enterprise versions before 7.3.9, 8.0 versions before 8.0.9, and 8.1 versions before 8.1.3. It does not impact Universal Forwarders. W

CVE-2019-8331 [MEDIUM] CWE-79 CVE-2019-8331: In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-tem In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.