CVE-2017-5607
low
CVSS v3
3.5
CVSS v2
3.5
VIR risk
3.5
Description
Splunk Enterprise 5.0.x before 5.0.18, 6.0.x before 6.0.14, 6.1.x before 6.1.13, 6.2.x before 6.2.13.1, 6.3.x before 6.3.10, 6.4.x before 6.4.6, and 6.5.x before 6.5.3 and Splunk Light before 6.5.2 assigns the $C JS property to the global Window namespace, which might allow remote attackers to obtain sensitive logged-in username and version-related information via a crafted webpage.
Predictions
Exploit likelihood
45%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: cve@mitre.org — https://www.splunk.com/view/SP-CAAAPZ3#InformationLeakageviaJavaScriptCVE20175607
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| splunk | splunk | {"endIncluding":"6.5.1"} | |
References
- http://hyp3rlinx.altervista.org/advisories/SPLUNK-ENTERPRISE-INFORMATION-THEFT.txt
- http://seclists.org/fulldisclosure/2017/Mar/89
- http://www.securityfocus.com/archive/1/540346/100/0/threaded
- http://www.securityfocus.com/bid/97265
- http://www.securityfocus.com/bid/97286
- http://www.securitytracker.com/id/1038170
- https://www.exploit-db.com/exploits/41779/
- https://www.splunk.com/view/SP-CAAAPZ3#InformationLeakageviaJavaScriptCVE20175607
- http://hyp3rlinx.altervista.org/advisories/SPLUNK-ENTERPRISE-INFORMATION-THEFT.txt
- http://seclists.org/fulldisclosure/2017/Mar/89
- http://www.securityfocus.com/archive/1/540346/100/0/threaded
- http://www.securityfocus.com/bid/97265
- http://www.securityfocus.com/bid/97286
- http://www.securitytracker.com/id/1038170
- https://www.exploit-db.com/exploits/41779/
- https://www.splunk.com/view/SP-CAAAPZ3#InformationLeakageviaJavaScriptCVE20175607
CWEs
CWE-200
Verify integrity in audit chain (admin only). AS-IS.