CVE-2022-26070

EUVD-2022-30638
When handling a mismatched pre-authentication cookie, the application leaks the internal error message in the response, which contains the Splunk Enterprise local system path. The vulnerability impacts Splunk Enterprise versions before 8.1.0.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
4.3 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
SplunkCNA
4.3 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 49%
Affected Products (NVD)
VendorProductVersion
splunksplunk
𝑥
< 8.1.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://www.splunk.com/en_us/product-security/announcements/svd-2022-0507.html
https://www.splunk.com/en_us/product-security/announcements/svd-2022-0507.html