Vulnerability Details CVE-2017-5607
Splunk Enterprise 5.0.x before 5.0.18, 6.0.x before 6.0.14, 6.1.x before 6.1.13, 6.2.x before 6.2.13.1, 6.3.x before 6.3.10, 6.4.x before 6.4.6, and 6.5.x before 6.5.3 and Splunk Light before 6.5.2 assigns the $C JS property to the global Window namespace, which might allow remote attackers to obtain sensitive logged-in username and version-related information via a crafted webpage.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.09
EPSS Ranking 92.3%
CVSS Severity
CVSS v3 Score 3.5
CVSS v2 Score 3.5
References
- http://hyp3rlinx.altervista.org/advisories/SPLUNK-ENTERPRISE-INFORMATION-THEFT.txt
- http://seclists.org/fulldisclosure/2017/Mar/89
- http://www.securityfocus.com/archive/1/540346/100/0/threaded
- http://www.securityfocus.com/bid/97265
- http://www.securityfocus.com/bid/97286
- http://www.securitytracker.com/id/1038170
- https://www.exploit-db.com/exploits/41779/
- https://www.splunk.com/view/SP-CAAAPZ3#InformationLeakageviaJavaScriptCVE20175607
- http://hyp3rlinx.altervista.org/advisories/SPLUNK-ENTERPRISE-INFORMATION-THEFT.txt
- http://seclists.org/fulldisclosure/2017/Mar/89
- http://www.securityfocus.com/archive/1/540346/100/0/threaded
- http://www.securityfocus.com/bid/97265
- http://www.securityfocus.com/bid/97286
- http://www.securitytracker.com/id/1038170
- https://www.exploit-db.com/exploits/41779/
- https://www.splunk.com/view/SP-CAAAPZ3#InformationLeakageviaJavaScriptCVE20175607
Products affected by CVE-2017-5607
-
cpe:2.3:a:splunk:splunk:5.0.0
-
cpe:2.3:a:splunk:splunk:5.0.1
-
cpe:2.3:a:splunk:splunk:5.0.10
-
cpe:2.3:a:splunk:splunk:5.0.11
-
cpe:2.3:a:splunk:splunk:5.0.12
-
cpe:2.3:a:splunk:splunk:5.0.13
-
cpe:2.3:a:splunk:splunk:5.0.14
-
cpe:2.3:a:splunk:splunk:5.0.15
-
cpe:2.3:a:splunk:splunk:5.0.16
-
cpe:2.3:a:splunk:splunk:5.0.17
-
cpe:2.3:a:splunk:splunk:5.0.2
-
cpe:2.3:a:splunk:splunk:5.0.3
-
cpe:2.3:a:splunk:splunk:5.0.4
-
cpe:2.3:a:splunk:splunk:5.0.5
-
cpe:2.3:a:splunk:splunk:5.0.6
-
cpe:2.3:a:splunk:splunk:5.0.7
-
cpe:2.3:a:splunk:splunk:5.0.8
-
cpe:2.3:a:splunk:splunk:5.0.9
-
cpe:2.3:a:splunk:splunk:6.0.0
-
cpe:2.3:a:splunk:splunk:6.0.1
-
cpe:2.3:a:splunk:splunk:6.0.10
-
cpe:2.3:a:splunk:splunk:6.0.11
-
cpe:2.3:a:splunk:splunk:6.0.12
-
cpe:2.3:a:splunk:splunk:6.0.13
-
cpe:2.3:a:splunk:splunk:6.0.2
-
cpe:2.3:a:splunk:splunk:6.0.3
-
cpe:2.3:a:splunk:splunk:6.0.4
-
cpe:2.3:a:splunk:splunk:6.0.5
-
cpe:2.3:a:splunk:splunk:6.0.6
-
cpe:2.3:a:splunk:splunk:6.0.7
-
cpe:2.3:a:splunk:splunk:6.0.8
-
cpe:2.3:a:splunk:splunk:6.0.9
-
cpe:2.3:a:splunk:splunk:6.1.0
-
cpe:2.3:a:splunk:splunk:6.1.1
-
cpe:2.3:a:splunk:splunk:6.1.10
-
cpe:2.3:a:splunk:splunk:6.1.11
-
cpe:2.3:a:splunk:splunk:6.1.12
-
cpe:2.3:a:splunk:splunk:6.1.2
-
cpe:2.3:a:splunk:splunk:6.1.3
-
cpe:2.3:a:splunk:splunk:6.1.4
-
cpe:2.3:a:splunk:splunk:6.1.5
-
cpe:2.3:a:splunk:splunk:6.1.6
-
cpe:2.3:a:splunk:splunk:6.1.7
-
cpe:2.3:a:splunk:splunk:6.1.8
-
cpe:2.3:a:splunk:splunk:6.1.9
-
cpe:2.3:a:splunk:splunk:6.2.0
-
cpe:2.3:a:splunk:splunk:6.2.1
-
cpe:2.3:a:splunk:splunk:6.2.10
-
cpe:2.3:a:splunk:splunk:6.2.11
-
cpe:2.3:a:splunk:splunk:6.2.12
-
cpe:2.3:a:splunk:splunk:6.2.13
-
cpe:2.3:a:splunk:splunk:6.2.2
-
cpe:2.3:a:splunk:splunk:6.2.3
-
cpe:2.3:a:splunk:splunk:6.2.4
-
cpe:2.3:a:splunk:splunk:6.2.5
-
cpe:2.3:a:splunk:splunk:6.2.6
-
cpe:2.3:a:splunk:splunk:6.2.7
-
cpe:2.3:a:splunk:splunk:6.2.8
-
cpe:2.3:a:splunk:splunk:6.2.9
-
cpe:2.3:a:splunk:splunk:6.3.0
-
cpe:2.3:a:splunk:splunk:6.3.1
-
cpe:2.3:a:splunk:splunk:6.3.2
-
cpe:2.3:a:splunk:splunk:6.3.3
-
cpe:2.3:a:splunk:splunk:6.3.4
-
cpe:2.3:a:splunk:splunk:6.3.5
-
cpe:2.3:a:splunk:splunk:6.3.6
-
cpe:2.3:a:splunk:splunk:6.3.7
-
cpe:2.3:a:splunk:splunk:6.3.8
-
cpe:2.3:a:splunk:splunk:6.3.9
-
cpe:2.3:a:splunk:splunk:6.4.0
-
cpe:2.3:a:splunk:splunk:6.4.1
-
cpe:2.3:a:splunk:splunk:6.4.2
-
cpe:2.3:a:splunk:splunk:6.4.3
-
cpe:2.3:a:splunk:splunk:6.4.4
-
cpe:2.3:a:splunk:splunk:6.4.5
-
cpe:2.3:a:splunk:splunk:6.5.0
-
cpe:2.3:a:splunk:splunk:6.5.1
-
cpe:2.3:a:splunk:splunk:6.5.2