---
licence_title: Creative Commons Attribution 4.0 International (CC-BY 4.0)
licence_link: https://creativecommons.org/licenses/by/4.0/
licence_restrictions: https://cert.europa.eu/legal-notice
licence_author: CERT-EU, The Cybersecurity Service for the European Union institutions, bodies, offices and agencies
title: 'Path Traversal SPL Injection in Splunk Products'
version: '1.0'
number: '2022-037'
original_date: 'May 3, 2022'
date: 'May 20, 2022'
---

_History:_

* _20/05/2022 --- v1.0 -- Initial publication_

# Summary

On May 3rd, 2022, Splunk released a security advisory for a path traversal in the search parameter that can potentially allow external content injection [1]. An attacker can cause the application to load data from incorrect endpoints or URLs, leading to outcomes such as running arbitrary SPL queries [3].

A vulnerability was found in Splunk Enterprise up to 8.1.1. It has been declared as **critical** and named **CVE-2022-26889** [1].

# Technical Details

This vulnerability affects processing in the Search Parameter Handler component. Manipulation with an unknown input leads to a privilege escalation vulnerability. Exploitation appears to be easy, the attack can be initiated remotely, and no authentication is required for successful exploitation. Neither further technical details nor an exploit are publicly available yet [2].

# Affected products

Splunk Enterprise versions before 8.1.2.

The vulnerability does not impact Splunk Cloud Platform instances [4].

# Recommendations

CERT-EU strongly recommends upgrading Splunk Enterprise to 8.1.2 or later.

# Workarounds

The vulnerability impacts instances with Splunkweb enabled [1]. More information on disabling Splunkweb can be found in the Securing Splunk Enterprise [5] and Splunk Enterprise administration [6] manuals.

# References

[1]

[2]

[3]

[4]

[5]

[6]
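
The two conditions stated under Affected products and Workarounds (a version before 8.1.2, and Splunkweb enabled) can be checked per instance. The following triage sketch is an added example, not part of the Splunk or CERT-EU advisory. It assumes the version string has been read from the instance (for example from `etc/splunk.version`) and that the effective `web.conf` text is supplied already merged; the function names and sample inputs are constructed for illustration.

```python
import re

FIXED = (8, 1, 2)  # first fixed Splunk Enterprise release per this advisory

def parse_version(text):
    """Extract (major, minor, patch) from e.g. '8.1.1' or 'VERSION=8.1.1'."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def splunkweb_enabled(web_conf):
    """True unless [settings] startwebserver is 0/false in the given text.

    Assumption: web_conf is the effective (merged) configuration; layering
    of default/local/app copies is not resolved here.
    """
    stanza, enabled = None, True  # Splunk Web is started by default
    for raw in web_conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1].strip()
        elif stanza == "settings" and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if key == "startwebserver":
                enabled = value.lower() not in ("0", "false")
    return enabled

def triage(version_text, web_conf):
    """Classify one instance against the advisory's two conditions."""
    if parse_version(version_text) >= FIXED:
        return "patched"
    if splunkweb_enabled(web_conf):
        return "vulnerable-exposed"      # upgrade, or disable Splunkweb
    return "vulnerable-mitigated"        # workaround applied, still upgrade

# Constructed sample inputs (not taken from a real host)
WEB_ON = "[settings]\nhttpport = 8000\n"
WEB_OFF = "# workaround applied\n[settings]\nstartwebserver = 0\n"

if __name__ == "__main__":
    for ver, conf in [("VERSION=8.1.1", WEB_ON), ("8.1.1", WEB_OFF), ("8.2.6", WEB_ON)]:
        print(ver, "->", triage(ver, conf))
```
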