CVE-2017-5607

Опубликовано: 10 апр. 2017

Источник: nvd

CVSS3: 3.5

CVSS2: 3.5

EPSS Низкий

Описание

Splunk Enterprise 5.0.x before 5.0.18, 6.0.x before 6.0.14, 6.1.x before 6.1.13, 6.2.x before 6.2.13.1, 6.3.x before 6.3.10, 6.4.x before 6.4.6, and 6.5.x before 6.5.3 and Splunk Light before 6.5.2 assigns the $C JS property to the global Window namespace, which might allow remote attackers to obtain sensitive logged-in username and version-related information via a crafted webpage.

Ссылки

http://hyp3rlinx.altervista.org/advisories/SPLUNK-ENTERPRISE-INFORMATION-THEFT.txt
Exploit
Third Party Advisory
http://seclists.org/fulldisclosure/2017/Mar/89
Exploit
Mailing List
Third Party Advisory
http://www.securityfocus.com/archive/1/540346/100/0/threaded
Exploit
Third Party Advisory
VDB Entry
http://www.securityfocus.com/bid/97265
Third Party Advisory
VDB Entry
http://www.securityfocus.com/bid/97286
Third Party Advisory
VDB Entry
http://www.securitytracker.com/id/1038170
Third Party Advisory
VDB Entry
https://www.exploit-db.com/exploits/41779/
Exploit
Third Party Advisory
VDB Entry
https://www.splunk.com/view/SP-CAAAPZ3#InformationLeakageviaJavaScriptCVE20175607
Vendor Advisory
http://hyp3rlinx.altervista.org/advisories/SPLUNK-ENTERPRISE-INFORMATION-THEFT.txt
Exploit
Third Party Advisory
http://seclists.org/fulldisclosure/2017/Mar/89
Exploit
Mailing List
Third Party Advisory
http://www.securityfocus.com/archive/1/540346/100/0/threaded
Exploit
Third Party Advisory
VDB Entry
http://www.securityfocus.com/bid/97265
Third Party Advisory
VDB Entry
http://www.securityfocus.com/bid/97286
Third Party Advisory
VDB Entry
http://www.securitytracker.com/id/1038170
Third Party Advisory
VDB Entry
https://www.exploit-db.com/exploits/41779/
Exploit
Third Party Advisory
VDB Entry
https://www.splunk.com/view/SP-CAAAPZ3#InformationLeakageviaJavaScriptCVE20175607
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:splunk:splunk:*:*:*:*:light:*:*:*

Версия до 6.5.1 (включая)

Конфигурация 2

Одно из