CVE-2022-32154: Risky commands warnings in Splunk Enterprise Dashboards
First published: Wed Jun 15 2022(Updated: )
Dashboards in Splunk Enterprise versions before 9.0 might let an attacker inject risky search commands into a form token when the token is used in a query in a cross-origin request. The result bypasses SPL safeguards for risky commands. See New capabilities can limit access to some custom and potentially risky commands (https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/SPLsafeguards#New_capabilities_can_limit_access_to_some_custom_and_potentially_risky_commands) for more information. Note that the attack is browser-based and an attacker cannot exploit it at will.
Credit: prodsec@splunk.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Splunk Splunk | <9.0 | |
| Splunk Splunk Cloud Platform | <8.2.2106 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/SPLsafeguards#New_capabilities_can_limit_access_to_some_custom_and_potentially_risky_commands
- https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/Updates
- https://research.splunk.com/application/splunk_command_and_scripting_interpreter_delete_usage/
- https://research.splunk.com/application/splunk_command_and_scripting_interpreter_risky_commands/
- https://research.splunk.com/application/splunk_command_and_scripting_interpreter_risky_spl_mltk/
- https://www.splunk.com/en_us/product-security/announcements/svd-2022-0604.html
Frequently Asked Questions
What is CVE-2022-32154?
CVE-2022-32154 is a vulnerability in Splunk Enterprise versions before 9.0 that allows an attacker to inject risky search commands into a form token, bypassing SPL safeguards.
What is the severity of CVE-2022-32154?
The severity of CVE-2022-32154 is high with a CVSS score of 8.1.
Which versions of Splunk Enterprise are affected by CVE-2022-32154?
Splunk Enterprise versions before 9.0 are affected by CVE-2022-32154.
How can an attacker exploit CVE-2022-32154?
An attacker can exploit CVE-2022-32154 by injecting risky search commands into a form token used in a query in a cross-origin request.
How can I mitigate CVE-2022-32154?
To mitigate CVE-2022-32154, it is recommended to upgrade to Splunk Enterprise version 9.0 or later.
- collector/nvd-index
- agent/weakness
- agent/references
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/author
- agent/last-modified-date
- agent/title
- agent/description
- agent/first-publish-date
- agent/event
- agent/tags
- vendor/splunk
- canonical/splunk splunk
- canonical/splunk splunk cloud platform