Splunk CVE-2022-32154: Risky commands warnings in Splunk Enterprise dashboards

Severity: 7
CVSS: (AV:N/AC:H/Au:N/C:C/I:C/A:N)
Published: Jun 14, 2022
Added: Apr 7, 2025
Modified: Apr 22, 2025

Description

Dashboards in Splunk Enterprise versions before 9.0 and Splunk Cloud Platform versions before 8.2.2106 might let an attacker inject risky search commands into a form token when the token is used in a query in a cross-origin request. The result bypasses SPL safeguards for risky commands (i.e., Search Injection). See "New capabilities can limit access to some custom and potentially risky commands" for more information. The vulnerability is browser-based and is not exploitable at will. It requires the attacker to initiate a request within the victim’s browser (e.g., phishing) or compromise an authorized user’s account. The vulnerability affects instances with Splunk Web enabled. See "Disable unnecessary Splunk Enterprise components" and the web.conf configuration file for more information on disabling Splunk Web in forwarders. At the time of publishing, we have no evidence of exploitation of this vulnerability by external parties.
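The two conditions in the description (a version older than the fix, and Splunk Web enabled) can be checked per instance. The following is an added example, not code from Splunk or from this page: the function names are hypothetical, the sample web.conf text is constructed, `startwebserver` under `[settings]` is the web.conf setting that turns Splunk Web on or off (taken from Splunk's web.conf specification, not from this page), and an unset value is assumed to mean enabled.

```python
# Added example: exposure triage for CVE-2022-32154 (not Splunk or vendor code).
FIXED = {"enterprise": (9, 0), "cloud": (8, 2, 2106)}  # fixed versions from the description

# Constructed sample web.conf layers (not taken from a real host).
SAMPLE_DEFAULT = "[settings]\nstartwebserver = 1\nhttpport = 8000\n"
SAMPLE_LOCAL = "# forwarder hardening\n[settings]\nstartwebserver = 0\n"


def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comments
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1].strip(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas


def splunk_web_enabled(*layers):
    """Layers are web.conf texts in ascending precedence (default first, local last)."""
    value = "1"  # assumption: unset is treated as enabled, the conservative reading
    for text in layers:
        value = parse_conf(text).get("settings", {}).get("startwebserver", value)
    # Only an explicit 0/false counts as disabled; anything else is treated as enabled.
    return value.lower() not in ("0", "false")


def version_tuple(version):
    """'8.2.6' -> (8, 2, 6) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def is_exposed(product, version, *web_conf_layers):
    """True when the version predates the fix and Splunk Web is running."""
    vulnerable = version_tuple(version) < FIXED[product]
    return vulnerable and splunk_web_enabled(*web_conf_layers)


if __name__ == "__main__":
    print(is_exposed("enterprise", "8.2.6", SAMPLE_DEFAULT))                # default only
    print(is_exposed("enterprise", "8.2.6", SAMPLE_DEFAULT, SAMPLE_LOCAL))  # local override
```

Pass the layers in the order Splunk applies them, so a local override that disables Splunk Web on a forwarder takes precedence over the shipped default.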

Solution

splunk-upgrade-latest