CVE-2022-32154

Dashboards in Splunk Enterprise versions before 9.0 might let an attacker inject risky search commands into a form token when the token is used in a query in a cross-origin request. The result bypasses SPL safeguards for risky commands. See New capabilities can limit access to some custom and potentially risky commands (https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/SPLsafeguards#New_capabilities_can_limit_access_to_some_custom_and_potentially_risky_commands) for more information. Note that the attack is browser-based and an attacker cannot exploit it at will.

Published: Jun 15, 2022
Updated: Apr 14, 2023
CVE: CVE-2022-32154
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.1
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

CVSS v2:

Severity: Low
Score: 4
AV:N/AC:H/Au:N/C:P/I:P/A:N

CWEs:

CWE-77

OWASP TOP 10:

A1 - Injection

Affected Software
References

Software	From	Fixed in
splunk / splunk	-	9.0
splunk / splunk_cloud_platform	-	8.2.2106

https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/SPLsafeguards#New_capabilities_can_limit_access_to_some_custom_and_potentially_risky_commands
https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/Updates
https://research.splunk.com/application/splunk_command_and_scripting_interpreter_delete_usage/
https://research.splunk.com/application/splunk_command_and_scripting_interpreter_risky_commands/
https://research.splunk.com/application/splunk_command_and_scripting_interpreter_risky_spl_mltk/
https://www.splunk.com/en_us/product-security/announcements/svd-2022-0604.html

Vulnerability Database

289,697

CVE-2022-32154