In Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, and in Splunk Cloud Platform versions below 9.0.2303.100, a low-privileged user can perform an unauthorized transfer of data from a search using the ‘copyresults’ command if they know the search ID (SID) of a search job that has recently run.
Metrics
CVSS Version: 3.1 |
Base Score: 4.8 MEDIUM Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N
CWE-ID: CWE-200 CWE Name: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. Source: Splunk
Common Attack Pattern Enumeration and Classification (CAPEC)