CVE-2017-5607

Published: Apr 10, 2017Modified: May 13, 2026

3.5

Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

Exploitability: 2.1 / Impact: 1.4

Source: NVD

Description

Splunk Enterprise 5.0.x before 5.0.18, 6.0.x before 6.0.14, 6.1.x before 6.1.13, 6.2.x before 6.2.13.1, 6.3.x before 6.3.10, 6.4.x before 6.4.6, and 6.5.x before 6.5.3 and Splunk Light before 6.5.2 assigns the $C JS property to the global Window namespace, which might allow remote attackers to obtain sensitive logged-in username and version-related information via a crafted webpage.

Affected (8)

Products: Splunk: Splunk

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Splunk Splunk	Up to 6.5.1

Configuration B

7 vulnerable

Vulnerable Software	Affected Versions
Splunk Splunk	From 5.0.0 to 5.0.18
Splunk Splunk	From 6.0.0 to 6.0.14
Splunk Splunk	From 6.1.0 to 6.1.13
Splunk Splunk	From 6.2.0 to 6.2.13.1
Splunk Splunk	From 6.3.0 to 6.3.10
Splunk Splunk	From 6.4.0 to 6.4.6
Splunk Splunk	From 6.5.0 to 6.5.3

Related CWEs

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

References (16)

http://hyp3rlinx.altervista.org/advisories/SPLUNK-ENTERPRISE-INFORMATION-THEFT.txt

Source: cve@mitre.org

ExploitThird Party Advisory

http://seclists.org/fulldisclosure/2017/Mar/89

Source: cve@mitre.org

ExploitMailing ListThird Party Advisory

http://www.securityfocus.com/archive/1/540346/100/0/threaded

Source: cve@mitre.org

ExploitThird Party AdvisoryVDB Entry

http://www.securityfocus.com/bid/97265

Source: cve@mitre.org

Third Party AdvisoryVDB Entry

http://www.securityfocus.com/bid/97286

Source: cve@mitre.org

Third Party AdvisoryVDB Entry

http://www.securitytracker.com/id/1038170

Source: cve@mitre.org

Third Party AdvisoryVDB Entry

https://www.exploit-db.com/exploits/41779/

Source: cve@mitre.org

ExploitThird Party AdvisoryVDB Entry

https://www.splunk.com/view/SP-CAAAPZ3#InformationLeakageviaJavaScriptCVE20175607

Source: cve@mitre.org

Vendor Advisory

http://hyp3rlinx.altervista.org/advisories/SPLUNK-ENTERPRISE-INFORMATION-THEFT.txt

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

http://seclists.org/fulldisclosure/2017/Mar/89

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitMailing ListThird Party Advisory

http://www.securityfocus.com/archive/1/540346/100/0/threaded

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party AdvisoryVDB Entry

http://www.securityfocus.com/bid/97265

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryVDB Entry

http://www.securityfocus.com/bid/97286

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryVDB Entry

http://www.securitytracker.com/id/1038170

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryVDB Entry

https://www.exploit-db.com/exploits/41779/

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party AdvisoryVDB Entry

https://www.splunk.com/view/SP-CAAAPZ3#InformationLeakageviaJavaScriptCVE20175607

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.