{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2022-037.pdf"
    },
    "title": "Path Traversal SPL Injection in Splunk Products",
    "serial_number": "2022-037",
    "publish_date": "20-05-2022 17:48:00",
    "description": "On May 3rd, 2022, Splunk released a security advisory for path traversal in search parameter that can potentiall allow external content injection. An attacker can cause the application to load data from incorrect endpoints, URLs leading to outcomes such as running arbitrary SPL queries.<br>A vulnerability was found in Splunk Enterprise up to 8.1.1 and it has been declared as critical and named CVE-2022-26889.",
    "url_title": "2022-037",
    "content_markdown": "---\ntitle: 'Path Traversal SPL Injection in\u00a0Splunk\u00a0Products'\nversion: '1.0'\nnumber: '2022-037'\noriginal_date: 'May 3, 2022'\ndate: 'May 20, 2022'\n---\n\n_History:_\n\n* _20/05/2022 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn May 3rd, 2022, Splunk released a security advisory for path traversal in search parameter that can potentiall allow external content injection [1]. An attacker can cause the application to load data from incorrect endpoints, URLs leading to outcomes such as running arbitrary SPL queries [3].\n\nA vulnerability was found in Splunk Enterprise up to 8.1.1 and it has been declared as **critical** and named **CVE-2022-26889** [1].\n\n# Technical Details\n\nThis vulnerability affects processing of the component Search Parameter Handler. The manipulation with an unknown input leads to a privilege escalation vulnerability. The exploitation appears to be easy. The attack can be initiated remotely. No authentication is required for a successful exploitation. Neither more technical details, nor an exploit is yet publicly available [2]. \n\n# Affected products\n\nSplunk Enterprise versions before 8.1.2. The vulnerability does not impact Splunk Cloud Platform instances [4].\n\n# Recommendations\n\nCERT-EU strongly recommends to upgrade Splunk Enterprise to 8.1.2 or later. \n\n# Workarounds\n\nThe vulnerability impacts instances with Splunkweb enabled [1]. More information on disabling Splunkweb can be found in Securing Splunk Enterprise [5] and Splunk Enterprise administration manuals [6].\n\n# References\n\n[1] <https://www.splunk.com/en_us/product-security/announcements/svd-2022-0506.html>\n\n[2] <https://vuldb.com/?id.199240>\n\n[3] <https://research.splunk.com/application/path_traversal_spl_injection/>\n\n[4] <https://nvd.nist.gov/vuln/detail/CVE-2022-26889>\n\n[5] <https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents?_gl=1*dumf7s*_ga*NDYxOTU3ODcyLjE2NTMwNjAzNTE.*_gid*MTUyMjI1ODMzNi4xNjUzMDYwMzUy&_ga=2.98395231.1522258336.1653060352-461957872.1653060351>\n\n[6] <https://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf?_gl=1*oiaygj*_ga*NDYxOTU3ODcyLjE2NTMwNjAzNTE.*_gid*MTUyMjI1ODMzNi4xNjUzMDYwMzUy&_ga=2.24651898.1522258336.1653060352-461957872.1653060351>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>20/05/2022 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On May 3rd, 2022, Splunk released a security advisory for path traversal in search parameter that can potentiall allow external content injection [1]. An attacker can cause the application to load data from incorrect endpoints, URLs leading to outcomes such as running arbitrary SPL queries [3].</p><p>A vulnerability was found in Splunk Enterprise up to 8.1.1 and it has been declared as <strong>critical</strong> and named <strong>CVE-2022-26889</strong> [1].</p><h2 id=\"technical-details\">Technical Details</h2><p>This vulnerability affects processing of the component Search Parameter Handler. The manipulation with an unknown input leads to a privilege escalation vulnerability. The exploitation appears to be easy. The attack can be initiated remotely. No authentication is required for a successful exploitation. Neither more technical details, nor an exploit is yet publicly available [2]. </p><h2 id=\"affected-products\">Affected products</h2><p>Splunk Enterprise versions before 8.1.2. The vulnerability does not impact Splunk Cloud Platform instances [4].</p><h2 id=\"recommendations\">Recommendations</h2><p>CERT-EU strongly recommends to upgrade Splunk Enterprise to 8.1.2 or later. </p><h2 id=\"workarounds\">Workarounds</h2><p>The vulnerability impacts instances with Splunkweb enabled [1]. More information on disabling Splunkweb can be found in Securing Splunk Enterprise [5] and Splunk Enterprise administration manuals [6].</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.splunk.com/en_us/product-security/announcements/svd-2022-0506.html\">https://www.splunk.com/en_us/product-security/announcements/svd-2022-0506.html</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://vuldb.com/?id.199240\">https://vuldb.com/?id.199240</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://research.splunk.com/application/path_traversal_spl_injection/\">https://research.splunk.com/application/path_traversal_spl_injection/</a></p><p>[4] <a rel=\"noopener\" target=\"_blank\" href=\"https://nvd.nist.gov/vuln/detail/CVE-2022-26889\">https://nvd.nist.gov/vuln/detail/CVE-2022-26889</a></p><p>[5] <a rel=\"noopener\" target=\"_blank\" href=\"https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents?_gl=1*dumf7s*_ga*NDYxOTU3ODcyLjE2NTMwNjAzNTE.*_gid*MTUyMjI1ODMzNi4xNjUzMDYwMzUy&_ga=2.98395231.1522258336.1653060352-461957872.1653060351\">https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents?_gl=1*dumf7s*_ga*NDYxOTU3ODcyLjE2NTMwNjAzNTE.*_gid*MTUyMjI1ODMzNi4xNjUzMDYwMzUy&amp;_ga=2.98395231.1522258336.1653060352-461957872.1653060351</a></p><p>[6] <a rel=\"noopener\" target=\"_blank\" href=\"https://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf?_gl=1*oiaygj*_ga*NDYxOTU3ODcyLjE2NTMwNjAzNTE.*_gid*MTUyMjI1ODMzNi4xNjUzMDYwMzUy&_ga=2.24651898.1522258336.1653060352-461957872.1653060351\">https://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf?_gl=1*oiaygj*_ga*NDYxOTU3ODcyLjE2NTMwNjAzNTE.*_gid*MTUyMjI1ODMzNi4xNjUzMDYwMzUy&amp;_ga=2.24651898.1522258336.1653060352-461957872.1653060351</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}