First published: Wed Jun 15 2022(Updated: )
Dashboards in Splunk Enterprise versions before 9.0 might let an attacker inject risky search commands into a form token when the token is used in a query in a cross-origin request. The result bypasses SPL safeguards for risky commands. See New capabilities can limit access to some custom and potentially risky commands (https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/SPLsafeguards#New_capabilities_can_limit_access_to_some_custom_and_potentially_risky_commands) for more information. Note that the attack is browser-based and an attacker cannot exploit it at will.
Credit: prodsec@splunk.com
Affected Software | Affected Version | How to fix |
---|---|---|
Splunk Splunk | <9.0 | |
Splunk Splunk Cloud Platform | <8.2.2106 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2022-32154 is a vulnerability in Splunk Enterprise versions before 9.0 that allows an attacker to inject risky search commands into a form token, bypassing SPL safeguards.
The severity of CVE-2022-32154 is high with a CVSS score of 8.1.
Splunk Enterprise versions before 9.0 are affected by CVE-2022-32154.
An attacker can exploit CVE-2022-32154 by injecting risky search commands into a form token used in a query in a cross-origin request.
To mitigate CVE-2022-32154, it is recommended to upgrade to Splunk Enterprise version 9.0 or later.