CVE-2017-5607

Sažetak

Splunk Enterprise 5.0.x before 5.0.18, 6.0.x before 6.0.14, 6.1.x before 6.1.13, 6.2.x before 6.2.13.1, 6.3.x before 6.3.10, 6.4.x before 6.4.6, and 6.5.x before 6.5.3 and Splunk Light before 6.5.2 assigns the $C JS property to the global Window namespace, which might allow remote attackers to obtain sensitive logged-in username and version-related information via a crafted webpage.

Reference

http://hyp3rlinx.altervista.org/advisories/SPLUNK-ENTERPRISE-INFORMATION-THEFT.txt
http://seclists.org/fulldisclosure/2017/Mar/89
http://www.securityfocus.com/archive/1/540346/100/0/threaded
http://www.securityfocus.com/bid/97265
http://www.securityfocus.com/bid/97286
http://www.securitytracker.com/id/1038170
https://www.exploit-db.com/exploits/41779/
https://www.splunk.com/view/SP-CAAAPZ3#InformationLeakageviaJavaScriptCVE20175607

CVSS

Base:	3.5
Impact:	2.9
Exploitability:	6.8

Pristup

Vektor	Složenost	Autentikacija
NETWORK	MEDIUM	SINGLE

Impact

Povjerljivost	Cjelovitost	Dostupnost
PARTIAL	NONE	NONE

CVSS vektor

AV:N/AC:M/Au:S/C:P/I:N/A:N

Zadnje važnije ažuriranje

20-03-2019 - 19:23

Objavljeno

10-04-2017 - 15:59