Splunk Enterprise 5.0.x before 5.0.18, 6.0.x before 6.0.14, 6.1.x before 6.1.13, 6.2.x before 6.2.13.1, 6.3.x before 6.3.10, 6.4.x before 6.4.6, and 6.5.x before 6.5.3 and Splunk Light before 6.5.2 assigns the $C JS property to the global Window namespace, which might allow remote attackers to obtain sensitive logged-in username and version-related information via a crafted webpage.

According to its self-reported version number, the version of Splunk running on the remote web server is Splunk Light 6.5.x prior to 6.5.3 or Splunk Enterprise 5.0.x prior to 5.0.18, 6.0.x prior to 6.0.14, 6.1.x prior to 6.1.13, 6.2.x prior to 6.2.13.1, 6.3.x prior to 6.3.10, 6.4.x prior to 6.4.6, or 6.5.x prior to 6.5.3. It is, therefore, affected by multiple vulnerabilities :

 -  An information disclosure vulnerability exists due to     various system information being assigned to the global     window property '$C' when a request is made to     '/en-US/config?autoload=1'. An unauthenticated, remote     attacker attacker can exploit this, by convincing user     to visit a specially crafted web page, to disclose     sensitive information. (CVE-2017-5607)

  - A stored cross-site scripting (XSS) vulnerability exists     in the web interface due to improper validation of     unspecified input before returning to users. An     authenticated, remote attacker can exploit this, via a     specially crafted request, to execute arbitrary script     code in a user's browser session.

  - Multiple cross-site scripting (XSS) vulnerabilities     exist due to improper validation of user-supplied input.
    An unauthenticated, remote attacker can exploit these     vulnerabilities, via a specially crafted request, to     execute arbitrary script code in a user's browser     session. Note that these vulnerabilities only affect     Splunk Enterprise 6.4.x prior to 6.4.7 and Splunk Light     6.5.x prior to 6.5.3.
    
  - An error message spoofing vulnerability exists that     allows an unauthenticated, remote attacker to spoof the     contents of error messages by convincing a user to visit     a specially crafted website.

According to its self-reported version number, the version of Splunk Enterprise hosted on the remote web server is 5.0.x prior to 5.0.17, 6.0.x prior to 6.0.13, 6.1.x prior to 6.1.12, 6.2.x prior to 6.2.13, 6.3.x prior to 6.3.9, 6.4.x prior to 6.4.5, or 6.5.x prior to 6.5.2;
or else it is Splunk Light prior to 6.5.2. It is, therefore, affected by multiple vulnerabilities :

  - A security bypass vulnerability exists in the libarchive     component due to a failure to properly check hardlinks     that contain payload data. An unauthenticated, remote     attacker can exploit this to bypass sandbox     restrictions. (CVE-2016-5418)

  - An out-of-bounds write error exists in the libarchive     component in the get_line_size() function in     archive_read_support_format_mtree.c that is triggered     when parsing lines. An unauthenticated, remote attacker     can exploit this to crash the library or disclose     memory contents. (CVE-2016-8688)

 -  An information disclosure vulnerability exists in Splunk     Light due to various system information being assigned     to the global window property '$C' when a request is     made to '/en-US/config?autoload=1'. An unauthenticated,     remote attacker attacker can exploit this, via a     specially crafted web page, to disclose sensitive     information. (CVE-2017-5607)

  - A denial of service vulnerability exists in the Splunk     Web component due to improper validation of     user-supplied input. An authenticated, remote attacker     can exploit this, via a specially crafted GET request,     to crash the daemon. (CVE-2017-5880)

  - A flaw exists in the libarchive component in the     check_symlinks() function in archive_write_disk_posix.c     that is triggered during the handling of subdirectories.
    An unauthenticated, remote attacker can exploit this to     overwrite arbitrary files.

  - A flaw exists in the libarchive component in the     edit_deep_directories() function due to symlink checks     and deep-directory support failing to properly handle     overly long pathnames. An unauthenticated, remote     attacker can exploit this to overwrite arbitrary files.

  - A flaw exists in the libarchive component in the     check_symlinks() function that is due to an overly     aggressive cached path handling mechanism. An     unauthenticated, remote attacker can exploit this to     make changes to the permissions of arbitrary     directories.

  - An out-of-bounds write error exists in the libarchive     component in the bsdtar_expand_char() function in util.c     due to improper handling of crafted archives. An     unauthenticated, remote attacker can exploit this, by     convincing a user to open or load a specially crafted     archive, to execute arbitrary code.

  - A stored cross-site scripting (XSS) vulnerability exists     due to improper validation of input before returning it     to users. An authenticated, remote attacker who has     administrative access can exploit this, via a specially     crafted request, to execute arbitrary script code in a     user's browser session.

  - A stored cross-site scripting (XSS) vulnerability exists     in Splunk Light within the web interface due to improper     validation of unspecified input before returning to     users. An authenticated, remote attacker can exploit     this, via a specially crafted request, to execute     arbitrary script code in a user's browser session.

Note that the vulnerabilities in the libarchive component do not affect Splunk Enterprise 6.5.1 or Splunk Light 6.5.1.

ID	Name	Product	Family	Severity
99235	Splunk Enterprise < 5.0.18 / 6.0.14 / 6.1.13 / 6.2.13.1 / 6.3.10 / 6.4.6 / 6.5.3 / Splunk Light < 6.5.3 Multiple Vulnerabilities	Nessus	CGI abuses	low
97100	Splunk Enterprise < 5.0.17 / 6.0.13 / 6.1.12 / 6.2.13 / 6.3.9 / 6.4.5 / 6.5.2 or Splunk Light < 6.5.2 Multiple Vulnerabilities	Nessus	CGI abuses	high

Detections

Analytics

CVE-2017-5607

low

Tenable Plugins

low

high