CVE-2021-33845

Medium

Description

The Splunk Enterprise REST API allows enumeration of usernames via the lockout error message. The potential vulnerability impacts Splunk Enterprise instances before 8.1.7 when configured to suppress verbose login errors.

References

https://www.splunk.com/en_us/product-security/announcements/svd-2022-0502.html

https://research.splunk.com/application/splunk_user_enumeration_attempt/

Details

Source: Mitre, NVD

Published: 2022-05-06

Updated: 2022-05-17

Risk Information

CVSS v2

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Severity: Medium