This page lists announcements of Splunk Security Advisories. Security Advisories are collections of disclosures and security fixes for supported versions of Splunk products. See the Splunk Support Policy and Product Security at Splunk for more information.
Splunk encourages customers to subscribe to the Mailing List and add its Really Simple Syndication (RSS) feed to their RSS reader to receive a notification when Splunk publishes the advisories. Customers who require additional information that a Security Advisory does not address can visit the Support Portal and submit a New Case.
SVD | Date | Last Modified | Title | Severity | CVE | CVSS Vector | CVSS Score | CWE | Bug | Affected Products | Fixed Versions | Affected Versions | All Affected Versions | Affected Components | Description | Solution | Mitigations | Severity Summary | OSS | Credit |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
SVD-2024-1015 | 2024-10-30 | 2024-10-30 | Third-Party Package Updates in the Splunk Add-on for Cisco Meraki - October 2024 | High | Splunk Add-on for Cisco Meraki 2.2 | 2.2.0 | Below 2.2.0 | 2.2.0 | | Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in the Splunk Add-on for Cisco Meraki version 2.2.0 and higher, including the following: | Upgrade the Splunk Add-on for Cisco Meraki to version 2.2.0 or higher. | None | For the CVEs in this list, Splunk adopted one of the following ratings:<br>- Where applicable, the severity rating that the vendor published, or<br>- The national vulnerability database (NVD) common vulnerability scoring system (CVSS) rating, otherwise. | CVE-2024-3651 - idna - Upgraded to 3.8 - High<br>CVE-2024-37891 - urllib3 - Upgraded to 1.26.20 - Medium<br>CVE-2024-34062 - tqdm - Removed - Medium<br>CVE-2024-39689 - certifi - Upgraded to 2024.8.30 - High | ||||||
SVD-2024-1014 | 2024-10-30 | 2024-10-30 | Third-Party Package Updates in the Splunk Add-on for Google Cloud Platform - October 2024 | High | Splunk Add-on for Google Cloud Platform 4.7 | 4.7.0 | Below 4.7.0 | 4.7.0 | | Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in the Splunk Add-on for Google Cloud Platform versions 4.7.0 and higher, including the following: | Upgrade the Splunk Add-on for Google Cloud Platform to version 4.7.0 or higher. | None | For the CVEs in this list, Splunk adopted one of the following ratings:<br>- Where applicable, the severity rating that the vendor published, or<br>- The national vulnerability database (NVD) common vulnerability scoring system (CVSS) rating, otherwise. | CVE-2024-37891 - urllib3 - Upgraded to 1.26.19 - Medium<br>CVE-2024-39689 - certifi - Upgraded to 2024.7.4 - High | ||||||
SVD-2024-1013 | 2024-10-17 | 2024-10-17 | Third-Party Package Updates in Splunk Add-on for Office 365 - October 2024 | High | Splunk Add-on for Office 365 4.5.2 | 4.5.2 | Below 4.5.2 | 4.5.2 | | Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk Add-on for Office 365 versions 4.5.2 and higher, including the following: | Upgrade Splunk Add-on for Office 365 to version 4.5.2 or higher. | None | For the CVEs in this list, Splunk adopted one of the following ratings:<br> - Where applicable, the severity rating that the vendor published, or<br> - The national vulnerability database (NVD) common vulnerability scoring system (CVSS) rating, otherwise. | CVE-2024-3651 - idna - Upgraded to 3.7 - High<br>CVE-2024-37891 - urllib3 - Upgraded to 1.26.19 - Medium<br>CVE-2024-39689 - certifi - Upgraded to 2024.7.4 - High<br>CVE-2023-32681 - requests - Upgraded to 2.31.0 - Medium | ||||||
SVD-2024-1012 | 2024-10-14 | 2024-10-14 | Third-Party Package Updates in Splunk Enterprise - October 2024 | High | - | - | - | - | Splunk Enterprise 9.3 Splunk Enterprise 9.2 Splunk Enterprise 9.1 | 9.3.1 9.2.3 9.1.6 | 9.3.0 9.2.0 to 9.2.2 9.1.0 to 9.1.5 | 9.3.1 9.2.3 9.1.6 | | Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk Enterprise versions 9.3.1, 9.2.3, 9.1.6, and higher, including the following: | Upgrade Splunk Enterprise to versions 9.3.1, 9.2.3, 9.1.6, or higher. | None | For the CVEs in this list, Splunk adopted one of the following ratings:<br> - Where applicable, the severity rating that the vendor published, or<br> - The national vulnerability database (NVD) common vulnerability scoring system (CVSS) rating, otherwise. | CVE-2023-45803 - urllib3 - Upgraded to 1.26.19 - Medium<br>CVE-2023-43804 - urllib3 - Upgraded to 1.26.19 - Medium<br>CVE-2024-37891 - urllib3 - Upgraded to 1.26.19 - Medium<br>CVE-2024-35195 - requests - Upgraded to 1.32.3 - Medium - Upgrade requests in $SPLUNK_HOME/lib/python3.9/site-packages/ in 9.3.1<br>CVE-2024-35195 - requests - Applied patch to 2.31.0 - Medium - Applied the patch for CVE-2024-35195 to requests 2.31.0 in $SPLUNK_HOME/lib/python3.7/site-packages/<br>CVE-2022-42969 - py - Removed - Medium - Splunk removed pypi:py from the splunk-rolling-upgrade app in 9.3.0, 9.2.3, and 9.1.6<br>Multiple - OpenLDAP - Upgraded to 2.4.59 - Multiple - Upgraded OpenLDAP in splunkd to remedy CVE-2020-12243, CVE-2020-15719, CVE-2020-25692, CVE-2020-36222, CVE-2020-36223, CVE-2020-36221, CVE-2020-36224, CVE-2020-36225, CVE-2020-36229, CVE-2020-36226, CVE-2020-36227, CVE-2020-36228, CVE-2020-36230, CVE-2021-27212, CVE-2017-14159, CVE-2017-17740, CVE-2019-13057, and CVE-2019-13565.<br>CVE-2022-29155 - OpenLDAP - Applied patch to 2.4.59 - Informational<br>CVE-2023-2953 - OpenLDAP - Applied patch to 2.4.59 - High<br>CVE-2015-3276 - OpenLDAP - Applied patch to 2.4.59 - High<br>CVE-2024-28180 - go-jose.v2 - Upgrade to 2.6.3 - Medium - Upgraded in $SPLUNK_HOME/bin/compsup, $SPLUNK_HOME/etc/apps/splunk_assist/bin/linux_x86_64/assistsup and $SPLUNK_HOME/etc/apps/splunk_assist/bin/windows_x86_64/assistsup.exe<br>Multiple - golang.org/x/net - Upgraded to 0.23.0 - Multiple - Upgraded in $SPLUNK_HOME/bin/compsup, $SPLUNK_HOME/etc/apps/splunk_assist/bin/linux_x86_64/assistsup and $SPLUNK_HOME/etc/apps/splunk_assist/bin/windows_x86_64/assistsup.exe to remedy CVE-2023-45288, CVE-2023-44487, and CVE-2023-39325<br>CVE-2024-24786 - google.golang.org/protobuf - Upgraded to 1.34.1 - Informational - Upgraded in $SPLUNK_HOME/bin/compsup, $SPLUNK_HOME/etc/apps/splunk_assist/bin/linux_x86_64/assistsup and $SPLUNK_HOME/etc/apps/splunk_assist/bin/windows_x86_64/assistsup.exe<br>CVE-2023-44487 - google.golang.org/grpc - Upgrade to 1.62.1 - High - Upgraded in $SPLUNK_HOME/etc/apps/splunk_assist/bin/linux_x86_64/assistsup and $SPLUNK_HOME/etc/apps/splunk_assist/bin/windows_x86_64/assistsup.exe<br>CVE-2023-48795 - golang.org/x/crypto - Upgrade to 0.23.0 - Medium - Upgraded in $SPLUNK_HOME/bin/mongodump and $SPLUNK_HOME/bin/mongorestore<br>CVE-2023-48795 - golang.org/x/crypto - Upgrade to 0.21.0 - Medium - Upgraded in $SPLUNK_HOME/bin/compsup. The compsup binary is not present in 9.1 versions.<br>CVE-2023-47108 - go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc - 0.49.0 - High - Upgraded in $SPLUNK_HOME/bin/compsup. The compsup binary is not present in 9.1 versions.<br>CVE-2023-45142 - go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp - 0.49.0 - High - Upgraded in $SPLUNK_HOME/bin/compsup. The compsup binary is not present in 9.1 versions.<br>CVE-2024-24557 - github.com/docker/docker - Upgraded to 26.0.0 - Medium - Upgraded in $SPLUNK_HOME/bin/compsup. The compsup binary is not present in 9.1 versions.<br>Multiple - golang - Upgraded golang in assistsup to 1.22.4 - Multiple - Upgraded $SPLUNK_HOME/etc/apps/splunk_assist/bin/linux_x86_64/assistsup and $SPLUNK_HOME/etc/apps/splunk_assist/bin/windows_x86_64/assistsup.exe from 1.22.1 to 1.22.4 to remedy CVE-2024-24790 and CVE-2023-45288.<br>Multiple - golang - Upgraded golang in compsup to 1.22.4 - Multiple - Upgraded $SPLUNK_HOME/bin/compsup from 1.22.1 to 1.22.4 to remedy CVE-2024-24790 and CVE-2023-45288<br>Multiple - golang - Upgraded golang mongodump and mongorestore to 1.22.4 - Multiple - Upgraded $SPLUNK_HOME/bin/mongodump and $SPLUNK_HOME/bin/mongorestore from 1.20.10 to 1.22.4 to remedy CVE-2023-45288, CVE-2023-39318, CVE-2023-45285, CVE-2023-45284, CVE-2023-45283, CVE-2023-39326, CVE-2023-39319, and CVE-2024-24790<br>Multiple - golang - Removed spl2-orchestrator binary - Multiple - Splunk Enterprise 9.2.3 removed the $SPLUNK_HOME/bin/spl2-orchestrator binary to remedy CVE-2023-26125, CVE-2023-29401, CVE-2023-39325, CVE-2023-3978, CVE-2023-44487, CVE-2023-45288, CVE-2023-44487, CVE-2023-48795, CVE-2023-50658, CVE-2024-24786, CVE-2024-28180, CVE-2024-24790, CVE-2023-45288, CVE-2023-45285, CVE-2023-45284, CVE-2023-45283, CVE-2023-39326, CVE-2023-39323, CVE-2023-39322, CVE-2023-39321, CVE-2023-39320, CVE-2023-39319, and CVE-2023-39318. The spl2-orchestrator binary was present in versions 9.2.0 through 9.2.2. | ||
SVD-2024-1011 | 2024-10-14 | 2024-10-14 | Persistent Cross-Site Scripting (XSS) via props.conf on Splunk Enterprise | Medium | CVE-2024-45741 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | 5.4 | CWE-79 | VULN-17034 | Splunk Enterprise 9.3 Splunk Enterprise 9.2 Splunk Enterprise 9.1 Splunk Cloud Platform 9.2.2403 Splunk Cloud Platform 9.1.2312 | 9.3.0 9.2.3 9.1.6 9.2.2403.108 9.1.2312.205 | Not affected 9.2.0 to 9.2.2 9.1.0 to 9.1.5 9.2.2403.100 to 9.2.2403.107 Below 9.1.2312.205 | 9.3.0 9.2.3 9.1.6 9.2.2403.108 9.1.2312.205 | Splunk Web Splunk Web Splunk Web Splunk Web Splunk Web | In Splunk Enterprise versions below 9.2.3 and 9.1.6 and Splunk Cloud Platform versions below 9.2.2403.108 and 9.1.2312.205, a low-privileged user that does not hold the "admin" or "power" Splunk roles could create a malicious payload through a custom configuration file that the "api.uri" parameter from the "/manager/search/apps/local" endpoint in Splunk Web calls. This could result in execution of unauthorized JavaScript code in the browser of a user. | Upgrade Splunk Enterprise to versions 9.3.0, 9.2.3, 9.1.6, or higher.<br><br>Splunk is actively monitoring and patching Splunk Cloud Platform instances. | The vulnerability affects instances with [Splunk Web](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) enabled; turning Splunk Web off is a possible workaround. See [Disable unnecessary Splunk Enterprise components](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) and the [web.conf](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf) configuration specification file for more information on disabling Splunk Web. | Splunk rates this vulnerability as 5.4, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N.<br><br>If the Splunk Enterprise instance does not run Splunk Web, there should be no impact and the severity would be informational. | Danylo Dmytriiev (DDV_UA) | |
SVD-2024-1010 | 2024-10-14 | 2024-10-14 | Persistent Cross-Site Scripting (XSS) through Scheduled Views on Splunk Enterprise | Medium | CVE-2024-45740 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | 5.4 | CWE-79 | VULN-16899 | Splunk Enterprise 9.3 Splunk Enterprise 9.2 Splunk Enterprise 9.1 Splunk Cloud Platform 9.2.2403 | 9.3.0 9.2.3 9.1.6 9.2.2403.100 | Not affected 9.2.0 to 9.2.2 9.1.0 to 9.1.5 Below 9.2.2403 | 9.3.0 9.2.3 9.1.6 9.2.2403.100 | Splunk Web Splunk Web Splunk Web Splunk Web | In Splunk Enterprise versions below 9.2.3 and 9.1.6 and Splunk Cloud Platform versions below 9.2.2403, a low-privileged user that does not hold the "admin" or "power" Splunk roles could craft a malicious payload through Scheduled Views that could result in execution of unauthorized JavaScript code in the browser of a user. | Upgrade Splunk Enterprise to versions 9.3.0, 9.2.3, 9.1.6, or higher.<br><br>Splunk is actively monitoring and patching Splunk Cloud Platform instances. | The vulnerability affects instances with [Splunk Web](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) enabled; turning Splunk Web off is a possible workaround. See [Disable unnecessary Splunk Enterprise components](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) and the [web.conf](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf) configuration specification file for more information on disabling Splunk Web. | Splunk rates this vulnerability as 5.4, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N.<br><br>If the Splunk Enterprise instance does not run Splunk Web, there should be no impact and the severity would be informational. | Danylo Dmytriiev (DDV_UA) | |
SVD-2024-1009 | 2024-10-14 | 2024-10-14 | Sensitive information disclosure in AdminManager logging channel | Medium | CVE-2024-45739 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N | 4.9 | CWE-200 | VULN-15407 | Splunk Enterprise 9.3 Splunk Enterprise 9.2 Splunk Enterprise 9.1 | 9.3.1 9.2.3 9.1.6 | 9.3.0 9.2.0 to 9.2.2 9.1.0 to 9.1.5 | 9.3.1 9.2.3 9.1.6 | splunkd splunkd splunkd | In Splunk Enterprise versions below 9.3.1, 9.2.3, and 9.1.6, the software potentially exposes plaintext passwords for local native authentication Splunk users. This exposure could happen when you configure the Splunk Enterprise `AdminManager` log channel at the DEBUG logging level.<br><br>The vulnerability would require either local access to the log files or administrative access to internal indexes, which by default only the admin role receives. Review roles and capabilities on your instance and restrict internal index access to administrator-level roles. See [Define roles on the Splunk platform with capabilities](https://docs.splunk.com/Documentation/Splunk/latest/Security/Rolesandcapabilities) in the Splunk documentation for more information. | There are multiple solutions depending on how you have configured the Splunk Enterprise instance `AdminManager` log channel.<br><br>First, determine whether or not debug logging is on for the `AdminManager` log channel. You must log into the Splunk Enterprise instance as an admin user or equivalent to perform these actions. To determine the logging level for this log channel on the instance:<br> 1. In a web browser, visit the Server Logging Settings page in Splunk Web at `/en-US/manager/system/server/logger`.<br> 2. Review the Logging Level column on the page that loads. If the `AdminManager` row in this column shows DEBUG as the logging level, then the Splunk Enterprise `AdminManager` log channel is in debug mode. Otherwise, it is not in debug mode.<br>See [Enable debug logging](https://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/Enabledebuglogging) for more information.<br><br>If the previous steps determine that debug logging is enabled in that log channel, then remedy the problem by performing the following tasks:<br> 1. Upgrade Splunk Enterprise to versions 9.3.1, 9.2.3, 9.1.6, or higher.<br> 2. Delete the following log file on the Splunk Enterprise instance: `$SPLUNK_HOME/var/log/splunk/splunkd.log`<br> 3. Delete all the Splunk Enterprise log file events for the `AdminManager` component from the `_internal` index by running the following search command:<br> `index=_internal component=AdminManager | delete` | If it isn’t currently possible to upgrade to a fixed version of Splunk Enterprise, you can remedy the vulnerability by doing the following:<br> 1. Configure the `AdminManager` log channel to a logging level that is less verbose than DEBUG.<br> 2. Delete the following log file on the Splunk Enterprise instance: `$SPLUNK_HOME/var/log/splunk/splunkd.log`<br> 3. Delete all the Splunk Enterprise log file events for the `AdminManager` component from the `_internal` index by running the following search command:<br> `index=_internal component=AdminManager | delete` | Splunk rates this vulnerability as a 4.9, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N. | Eric McGinnis, Splunk Rod Soto, Splunk | |
SVD-2024-1008 | 2024-10-14 | 2024-10-14 | Sensitive information disclosure in REST_Calls logging channel | Medium | CVE-2024-45738 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N | 4.9 | CWE-200 | VULN-15407 | Splunk Enterprise 9.3 Splunk Enterprise 9.2 Splunk Enterprise 9.1 | 9.3.1 9.2.3 9.1.6 | 9.3.0 9.2.0 to 9.2.2 9.1.0 to 9.1.5 | 9.3.1 9.2.3 9.1.6 | splunkd splunkd splunkd | In Splunk Enterprise versions below 9.3.1, 9.2.3, and 9.1.6, the software potentially exposes sensitive HTTP parameters to the `_internal` index. This exposure could happen if you configure the Splunk Enterprise `REST_Calls` log channel at the DEBUG logging level.<br><br>The vulnerability would require either local access to the log files or administrative access to internal indexes, which by default only the admin role receives. Review roles and capabilities on your instance and restrict internal index access to administrator-level roles. See [Define roles on the Splunk platform with capabilities](https://docs.splunk.com/Documentation/Splunk/latest/Security/Rolesandcapabilities) in the Splunk documentation for more information. | There are multiple solutions depending on how you have configured the Splunk Enterprise instance `REST_Calls` log channel.<br><br>First, determine whether or not debug logging is on for the `REST_Calls` log channel. You must log into the Splunk Enterprise instance as an admin user or equivalent to perform these actions. To determine the log channel logging mode on the instance:<br> 1. In a web browser, visit the Server Logging Settings page in Splunk Web at `/en-US/manager/system/server/logger`.<br> 2. Review the Logging Level column on the page that loads. If the `REST_Calls` row in this column shows DEBUG as the logging level, then the Splunk Enterprise `REST_Calls` log channel is in debug mode. Otherwise, it is not in debug mode.<br>See [Enable debug logging](https://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/Enabledebuglogging) for more information.<br><br>If the previous steps determine that debug logging is enabled in that log channel, then remedy the problem by performing the following tasks:<br> 1. Upgrade Splunk Enterprise to versions 9.3.1, 9.2.3, 9.1.6, or higher.<br> 2. Delete the following log file on the Splunk Enterprise instance: `$SPLUNK_HOME/var/log/splunk/splunkd.log`<br> 3. Delete all the Splunk Enterprise log file events for the `REST_Calls` component from the `_internal` index by running the following search command:<br> `index=_internal component=REST_Calls | delete` | If it isn’t currently possible to upgrade to a fixed version of Splunk Enterprise, you can remedy the vulnerability by doing the following:<br> 1. Configure the `REST_Calls` log channel to a logging level that is less verbose than DEBUG.<br> 2. Delete the following log file on the Splunk Enterprise instance: `$SPLUNK_HOME/var/log/splunk/splunkd.log`<br> 3. Delete all of the Splunk Enterprise log file events for the `REST_Calls` component from the `_internal` index by running the following search command:<br> `index=_internal component=REST_Calls | delete` | Splunk rates this vulnerability as a 4.9, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N. | Eric McGinnis, Splunk Rod Soto, Splunk | |
SVD-2024-1007 | 2024-10-14 | 2024-10-14 | Maintenance mode state change of App Key Value Store (KVStore) through Cross-Site Request Forgery (CSRF) | Medium | CVE-2024-45737 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L | 4.3 | CWE-352 | VULN-15375 | Splunk Enterprise 9.3 Splunk Enterprise 9.2 Splunk Enterprise 9.1 Splunk Cloud Platform 9.2.2403 Splunk Cloud Platform 9.1.2312 | 9.3.1 9.2.3 9.1.6 9.2.2403.108 9.1.2312.204 | 9.3.0 9.2.0 to 9.2.2 9.1.0 to 9.1.5 9.2.2403.102 to 9.2.2403.107 Below 9.1.2312.204 | 9.3.1 9.2.3 9.1.6 9.2.2403.108 9.1.2312.204 | Splunk Web Splunk Web Splunk Web Splunk Web Splunk Web | In Splunk Enterprise versions below 9.3.1, 9.2.3, and 9.1.6 and Splunk Cloud Platform versions below 9.2.2403.108, and 9.1.2312.204, a low-privileged user that does not hold the "admin" or "power" Splunk roles could change the maintenance mode state of App Key Value Store (KVStore) through a Cross-Site Request Forgery (CSRF). | Upgrade Splunk Enterprise to versions 9.3.1, 9.2.3, 9.1.6, or higher.<br><br>Splunk is actively monitoring and patching Splunk Cloud Platform instances. | The vulnerability affects instances with [Splunk Web](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) turned on. You could turn Splunk Web off as a possible workaround. See [Disable unnecessary Splunk Enterprise components](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) and the [web.conf](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf) configuration specification file for more information on turning Splunk Web off. | Splunk rates this vulnerability as a 4.3, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L. <br><br>If the Splunk Enterprise instance does not run Splunk Web, there should be no impact and the severity would be informational. | Anton (therceman) | |
SVD-2024-1006 | 2024-10-14 | 2024-10-14 | Improperly Formatted ‘INGEST_EVAL’ Parameter Crashes Splunk Daemon | Medium | CVE-2024-45736 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H | 6.5 | CWE-400 | VULN-16989 | Splunk Enterprise 9.3 Splunk Enterprise 9.2 Splunk Enterprise 9.1 Splunk Cloud Platform 9.2.2403 Splunk Cloud Platform 9.1.2312 Splunk Cloud Platform 9.1.2312 | 9.3.1 9.2.3 9.1.6 9.2.2403.107 9.1.2312.204 9.1.2312.111 | 9.3.0 9.2.0 to 9.2.2 9.1.0 to 9.1.5 9.2.2403.100 to 9.2.2403.106 9.1.2312.200 to 9.1.2312.203 Below 9.1.2312.111 | 9.3.1 9.2.3 9.1.6 9.2.2403.107 9.1.2312.204 9.1.2312.111 | splunkd splunkd splunkd splunkd splunkd splunkd | In Splunk Enterprise versions below 9.3.1, 9.2.3, and 9.1.6 and Splunk Cloud Platform versions below 9.2.2403.107, 9.1.2312.204, and 9.1.2312.111, a low-privileged user that does not hold the "admin" or "power" Splunk roles could craft a search query with an improperly-formatted "INGEST_EVAL" parameter as part of a [Field Transformation](https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Managefieldtransforms) which could crash the Splunk daemon (splunkd). | Upgrade Splunk Enterprise to versions 9.3.1, 9.2.3, 9.1.6, or higher.<br><br>Splunk is actively monitoring and patching Splunk Cloud Platform instances. | None | Splunk rates this vulnerability as 6.5, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. | Danylo Dmytriiev (DDV_UA) | |
SVD-2024-1005 | 2024-10-14 | 2024-10-14 | Improper Access Control for low-privileged user in Splunk Secure Gateway App | Medium | CVE-2024-45735 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N | 4.3 | CWE-284 | VULN-12960 | Splunk Enterprise 9.3 Splunk Enterprise 9.2 Splunk Enterprise 9.1 Splunk Secure Gateway 3.7 Splunk Secure Gateway 3.6 Splunk Secure Gateway 3.4 | 9.3.0 9.2.3 9.1.6 3.7.0 3.6.17 3.4.259 | Not affected 9.2.0 to 9.2.2 9.1.0 to 9.1.5 Not affected 3.6.0 to 3.6.16 Below 3.4.259 | 9.3.0 9.2.3 9.1.6 3.7.0 3.6.17 3.4.259 | Splunk Secure Gateway Splunk Secure Gateway Splunk Secure Gateway | In Splunk Enterprise versions below 9.2.3 and 9.1.6, and Splunk Secure Gateway versions on Splunk Cloud Platform versions below 3.4.259, 3.6.17, and 3.7.0, a low-privileged user that does not hold the "admin" or "power" Splunk roles can see App Key Value Store (KV Store) deployment configuration and public/private keys in the Splunk Secure Gateway App. | Upgrade Splunk Enterprise to versions 9.3.0, 9.2.3, 9.1.6 or higher.<br><br>Splunk is actively monitoring Splunk Cloud Platform instances and upgrading Splunk Secure Gateway. | Splunk Mobile, Spacebridge, and Mission Control rely on functionality in $SPLUNK_HOME/etc/apps/splunk_secure_gateway. If you do not use any of the apps, features, or functionality, as a potential mitigation, you may remove or disable the app. See [Manage app and add-on objects](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Managingappobjects). | Splunk rates this vulnerability as a 4.3, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. | Gabriel Nitu, Splunk | |
SVD-2024-1004 | 2024-10-14 | 2024-10-14 | Low Privilege User can View Images on the Host Machine by using the PDF Export feature in Splunk Classic Dashboard | Medium | CVE-2024-45734 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N | 4.3 | CWE-284 | VULN-16371 | Splunk Enterprise 9.3 Splunk Enterprise 9.2 Splunk Enterprise 9.1 | 9.3.0 9.2.3 9.1.6 | Not affected 9.2.0 to 9.2.2 9.1.0 to 9.1.5 | 9.3.0 9.2.3 9.1.6 | pdfgen pdfgen pdfgen | In Splunk Enterprise versions below 9.2.3 and 9.1.6, a low-privileged user that does not hold the "admin" or "power" Splunk roles could view images on the machine that runs Splunk Enterprise by using the PDF export feature in Splunk classic dashboards. The images on the machine could be exposed by exporting the dashboard as a PDF, using the local image path in the img tag in the source extensible markup language (XML) code for the Splunk classic dashboard. | Upgrade Splunk Enterprise to versions 9.3.1, 9.2.3, 9.1.6 or higher. | The vulnerability affects instances with [Splunk Web](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) turned on. You could turn Splunk Web off as a possible workaround. See [Disable unnecessary Splunk Enterprise components](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) and the [web.conf](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf) configuration specification file for more information on turning Splunk Web off. | Splunk rates this vulnerability as 4.3, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. <br>If the machine where Splunk Enterprise is installed does not contain directories with images in them, then there should be no impact and the severity would be Informational.<br><br>If the Splunk Enterprise instance does not run Splunk Web, then there should be no impact and the severity would be informational. | Anton (therceman) | |
SVD-2024-1003 | 2024-10-14 | 2024-10-14 | Remote Code Execution (RCE) due to insecure session storage configuration in Splunk Enterprise on Windows | High | CVE-2024-45733 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | CWE-502 | VULN-16990 | Splunk Enterprise 9.3 Splunk Enterprise 9.2 Splunk Enterprise 9.1 | 9.3.0 9.2.3 9.1.6 | Not affected 9.2.0 to 9.2.2 9.1.0 to 9.1.5 | 9.3.0 9.2.3 9.1.6 | Splunk Web Splunk Web Splunk Web | In Splunk Enterprise for Windows versions below 9.2.3 and 9.1.6, a low-privileged user that does not hold the "admin" or "power" Splunk roles could perform a Remote Code Execution (RCE) due to insecure session storage configuration. | Upgrade Splunk Enterprise to versions 9.3.0, 9.2.3, and 9.1.6, or higher. | If users do not log in to Splunk Web on indexers in a distributed environment, disable Splunk Web on those indexers. See [Disable unnecessary Splunk Enterprise components](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) and the [web.conf configuration specification](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf) file in the Splunk documentation for more information on disabling Splunk Web. | Splunk rates this vulnerability as 8.8, High, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. <br><br>If the Splunk Enterprise instance does not run on Windows, there should be no impact and the severity would be Informational.<br><br>If the Splunk Enterprise instance does not run Splunk Web, there should be no impact and the severity would be Informational. | Alex Hordijk | |
SVD-2024-1002 | 2024-10-14 | 2024-10-14 | Low-privileged user could run search as nobody in SplunkDeploymentServerConfig app | High | CVE-2024-45732 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N | 7.1 | CWE-862 | VULN-14891 | Splunk Enterprise 9.3 Splunk Enterprise 9.2 Splunk Cloud Platform 9.2.2403 Splunk Cloud Platform 9.1.2312 Splunk Cloud Platform 9.1.2308 | 9.3.1 9.2.3 9.2.2403.103 9.1.2312.110, 9.1.2312.200 9.1.2308.208 | 9.3.0 9.2.0 to 9.2.2 9.2.2403.102 to 9.2.2403.102 9.1.2312.100 to 9.1.2312.109 Below 9.1.2308.207 | 9.3.1 9.2.3 9.2.2403.103 9.1.2312.110, 9.1.2312.200 9.1.2308.208 | SplunkDeploymentServerConfig SplunkDeploymentServerConfig SplunkDeploymentServerConfig SplunkDeploymentServerConfig SplunkDeploymentServerConfig | In Splunk Enterprise versions below 9.3.1, and 9.2.0 versions below 9.2.3, and Splunk Cloud Platform versions below 9.2.2403.103, 9.1.2312.200, 9.1.2312.110 and 9.1.2308.208, a low-privileged user that does not hold the "admin" or "power" Splunk roles could run a search as the "nobody" Splunk user in the SplunkDeploymentServerConfig app. This could let the low-privileged user access potentially restricted data. | Upgrade Splunk Enterprise to versions 9.3.1, 9.2.3 or higher. Splunk Enterprise 9.1 versions and below are not affected.<br>Splunk is actively monitoring and patching Splunk Cloud Platform instances. | You can modify the local.meta file in the `$SPLUNK_HOME/etc/apps/SplunkDeploymentServerConfig/metadata` directory to restrict write access to knowledge objects within Splunk apps.<br>Use the following metadata settings in each file to restrict access:<br> `[]`<br> `access = read : [ * ], write : [ admin ]`<br><br>To apply the same restrictions to other apps by default, you may add the same configuration to the local.meta file in the `$SPLUNK_HOME/etc/apps/<app name>/metadata` directory.<br><br>The vulnerability affects instances with [Splunk Web](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) enabled; turning Splunk Web off is a possible workaround. See [Disable unnecessary Splunk Enterprise components](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) and the [web.conf](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf) configuration specification file for more information on disabling Splunk Web. | Splunk rates this vulnerability as a 7.1, High, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N. <br><br>If the local.meta file in the app directory has the proper metadata settings, there should be no impact and the severity would be Informational.<br><br>If the Splunk Enterprise instance does not run Splunk Web, there should be no impact and the severity would be informational. | Anton (therceman) | |
SVD-2024-1001 | 2024-10-14 | 2024-10-14 | Potential Remote Command Execution (RCE) through arbitrary file write to Windows system root directory when Splunk Enterprise for Windows is installed on a separate disk | High | CVE-2024-45731 | CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H | 8.0 | CWE-23 | VULN-16991 | Splunk Enterprise 9.3 Splunk Enterprise 9.2 Splunk Enterprise 9.1 | 9.3.1 9.2.3 9.1.6 | 9.3.0 9.2.0 to 9.2.2 9.1.0 to 9.1.5 | 9.3.1 9.2.3 9.1.6 | Splunk Web Splunk Web Splunk Web | In Splunk Enterprise for Windows versions below 9.3.1, 9.2.3, and 9.1.6, a low-privileged user that does not hold the "admin" or "power" Splunk roles could write a file to the Windows system root directory, which has a default location in the Windows System32 folder, when Splunk Enterprise for Windows is installed on a separate drive. The user could potentially write a malicious DLL which, if loaded, could result in a remote execution of the code within that DLL. | Upgrade Splunk Enterprise to versions 9.3.1, 9.2.3, and 9.1.6, or higher. | See [Installation on Windows](https://docs.splunk.com/Documentation/Splunk/latest/Installation/InstallonWindows) for more information on how to install Splunk Enterprise. | Splunk rates this vulnerability as 8.0, High, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H. <br><br>If the Splunk Enterprise instance is not installed on a separate disk, there is no impact and the severity would be informational. | Alex Hordijk (hordalex) | |
SVD-2024-0901 | 2024-09-30 | 2024-09-30 | Third-Party Package Updates in Splunk Add-on for Amazon Web Services - September 2024 | High | NA | 0.0 | NA | NA | Splunk Add-on for Amazon Web Services 7.7 | 7.7.0 | Below 7.7.0 | 7.7.0 | | Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk Add-on for Amazon Web Services versions 7.7.0 and higher, including the following: | Upgrade Splunk Add-on for Amazon Web Services to versions 7.7.0 or higher. | None | For the CVEs in this list, Splunk adopted one of the following ratings:<br> - Where applicable, the severity rating that the vendor published, or<br> - The national vulnerability database (NVD) common vulnerability scoring system (CVSS) rating, otherwise. | CVE-2024-3651 - idna - Upgraded to 3.7 - High - CVE-2024-37891 - urllib3 - Upgraded to 1.26.19 - Medium - CVE-2023-39326 - golang - Upgraded golang to 1.22.5 - Medium - Upgraded parquet_decoder_darwin_amd64, parquet_decoder_linux_amd64, and parquet_decoder_windows_amd64.exe in Splunk_TA_aws/bin/aws_parquet/ from 1.19.8 to 1.22.5. CVE-2024-39689 - certifi - Upgraded to 2024.7.4 - High - | ||
SVD-2024-0801 | 2024-08-12 | 2024-08-12 | Third-Party Package Updates in Python for Scientific Computing - August 2024 | Critical | VULN-16988 | Python for Scientific Computing (for Linux 64-bit) 4.2 Python for Scientific Computing (for Mac Apple Silicon) 4.2 Python for Scientific Computing (for Mac Intel) 4.2 Python for Scientific Computing (for Windows 64-bit) 4.2 | 4.2.1 4.2.1 4.2.1 4.2.1 | 4.2.0 4.2.0 4.2.0 4.2.0 | 4.2.1 4.2.1 4.2.1 4.2.1 | | Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Python for Scientific Computing version 4.2.1 including the following: | Upgrade Python for Scientific Computing (PSC) to version 4.2.1 or higher. <br><br>For Splunk Machine Learning Toolkit (MLTK), upgrading PSC to 4.2.1 requires updating MLTK to 5.4.2 or higher. Upgrading MLTK to 5.4.2 may require retraining models. See [Upgrade the Splunk Machine Learning Toolkit](https://docs.splunk.com/Documentation/MLApp/latest/User/Upgrade) for help upgrading and [Install the Splunk Machine Learning Toolkit](https://docs.splunk.com/Documentation/MLApp/latest/User/Installandconfigure) for more information on the version compatibility.<br><br>For Splunk IT Service Intelligence (ITSI), upgrading PSC to 4.2.1 may cause errors with ITSI Predictive Analytics. After upgrading, ITSI Predictive Analytics models may require retraining. See [Retrain a predictive model in ITSI](https://docs.splunk.com/Documentation/ITSI/latest/SI/ManageModel) for more information. | None | For the CVEs in this list, Splunk adopted the vendor's severity rating or the National Vulnerability Database (NVD) common vulnerability scoring system (CVSS) rating, as available. 
| CVE-2024-3651 - idna - Upgraded to 3.7 - Medium - CVE-2020-28473 - bottle - Upgraded to 0.12.23 - Medium - CVE-2022-31799 - bottle - Upgraded to 0.12.23 - Critical - CVE-2022-40899 - future - Upgraded to 0.18.3 - High - CVE-2023-25399 - scipy - Upgraded to 1.10.0 - Medium - CVE-2024-3772 - pydantic - Upgraded to 1.10.13 - Medium - CVE-2022-25882 - onnx - Upgraded to 1.16.0 - High - CVE-2024-27318 - onnx - Upgraded to 1.16.0 - High - CVE-2024-27319 - onnx - Upgraded to 1.16.0 - Medium - CVE-2021-34141 - numpy - Upgraded to 1.23.0 - Medium - CVE-2024-37891 - urllib3 - Upgraded to 1.26.19 - Medium - CVE-2023-45803 - urllib3 - Upgraded to 1.26.19 - Medium - CVE-2023-43804 - urllib3 - Upgraded to 1.26.19 - Medium - CVE-2022-45907 - torch - Upgraded to 2.2.2 - Critical - CVE-2024-31583 - torch - Upgraded to 2.2.2 - High - CVE-2024-31580 - torch - Upgraded to 2.2.2 - High - CVE-2024-35195 - requests - Upgraded to 2.32.3 - Medium - CVE-2023-37920 - certifi - Upgraded to 2024.7.4 - Medium - CVE-2023-5678 - openssl - Upgraded to 3.3.1 - Medium - CVE-2023-7018 - transformers - Upgraded to 4.38.1 - High - CVE-2023-6730 - transformers - Upgraded to 4.38.1 - High - CVE-2024-3568 - transformers - Upgraded to 4.38.1 - Low - CVE-2023-2800 - transformers - Upgraded to 4.38.1 - Medium - CVE-2024-34062 - tqdm - Upgraded to 4.66.4 - Medium - CVE-2024-6345 - setuptools - Upgraded to 70.0.0 - High - Python for Scientific Computing (for Windows 64-bit) is not affected by CVE-2024-6345 CVE-2022-40897 - setuptools - Upgraded to 70.0.0 - Medium - Python for Scientific Computing (for Windows 64-bit) is not affected by CVE-2022-40897 CVE-2024-5206 - scikit-learn - Upgraded to 1.5.1 - Medium - CVE-2020-28975 - scikit-learn - Upgraded to 1.5.1 - High - | |||||
SVD-2024-0718 | 2024-07-01 | 2024-10-03 | Third-Party Package Updates in Splunk Enterprise - July 2024 | High | - | - | - | - | Splunk Enterprise 9.2 Splunk Enterprise 9.1 Splunk Enterprise 9.0 | 9.2.2 9.1.5 9.0.10 | 9.2.0 to 9.2.1 9.1.0 to 9.1.4 9.0.0 to 9.0.9 | 9.2.2 9.1.5 9.0.10 | | Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk Enterprise versions 9.2.2, 9.1.5, 9.0.10 and higher, including the following: | Upgrade Splunk Enterprise to versions 9.2.2, 9.1.5, and 9.0.10, or higher. | Splunk Analytics for Hadoop, Splunk Archiver, Hadoop Data Roll, and Hunk (Legacy) use the listed Java packages (hive-exec, jackson-databind, commons-io, snappy-java, avro-sdk, avatica-core and guava). If your Splunk Enterprise instance does not use those features or functionality, it is not impacted. As a potential mitigation, you may remove the packages. Note that the splunk_archiver app may replicate the vulnerable jar files and you may need to remove the replicated files from $SPLUNK_HOME/etc/apps/splunk_archiver as well.<br><br>The Splunk Secure Gateway app remedied vulnerabilities in certifi, requests, idna, and aiohttp. Splunk Mobile, Spacebridge, and Mission Control rely on functionality in $SPLUNK_HOME/etc/apps/splunk_secure_gateway. If you do not use any of the apps, features, or functionality, as a potential mitigation, you may remove or disable the app. | For the CVEs in this list, Splunk adopted the vendor's severity rating, when available, or the national vulnerability database (NVD) common vulnerability scoring system (CVSS) rating, otherwise.<br><br>For CVE-2023-37920, Splunk adopted the vendor’s severity rating. 
Please refer to GHSA-xqr8-7jwr-rhp7 for more information.<br><br>If you do not use Splunk Analytics for Hadoop, Splunk Archiver, Hadoop Data Roll, or Hunk (Legacy) the CVEs impacting the listed Java packages (hive-exec, jackson-databind, commons-io, snappy-java, avro-sdk, avatica-core and guava) are informational.<br><br>If you disabled or removed Splunk Secure Gateway, the listed CVEs affecting aiohttp, urllib3, and certifi are informational.<br><br>For pip and wheel, Splunk Enterprise does not utilize the package and is not impacted by the CVE. However, out of an abundance of caution, Splunk updated the package. | CVE-2023-35116 - jackson-databind - Upgraded to 1.16.1 - Medium - CVE-2021-29425 - commons-io - Upgraded to 2.15.1 - Medium - CVE-2023-43642 - snappy-java - Upgraded to 1.1.10.5 - High - CVE-2023-34453 - snappy-java - Upgraded to 1.1.10.5 - Medium - CVE-2023-34454 - snappy-java - Upgraded to 1.1.10.5 - Medium - CVE-2023-34455 - snappy-java - Upgraded to 1.1.10.5 - High - CVE-2023-39410 - avro-sdk - Upgraded to 1.11.3 - High - CVE-2022-36364 - avatica-core - Removed - High - Removed avatica-core from hive-exec CVE-2020-8908 - guava - Removed - Low - Removed guava from hive-exec CVE-2023-2976 - guava - Removed - Medium - Removed guava from hive-exec CVE-2018-10237 - guava - Removed - Medium - Removed guava from hive-exec CVE-2022-3509 - protobuf-java - Upgraded to 3.24.4 - High - Upgrade protobuf-java in hive-exec CVE-2022-3171 - protobuf-java - Upgraded to 3.24.4 - High - Upgrade protobuf-java in hive-exec CVE-2022-3510 - protobuf-java - Upgraded to 3.24.4 - High - Upgrade protobuf-java in hive-exec CVE-2020-13956 - httpclient - Upgraded to 4.15.3 - Medium - Upgrade httpclient in hive-exec CVE-2023-37276 - aiohttp - Upgraded to 3.8.6 - Medium - Upgraded aiohttp in the Splunk Secure Gateway app, $SPLUNK_HOME/etc/apps/splunk_secure_gateway/lib/aiohttp CVE-2023-47627 - aiohttp - Upgraded to 3.8.6 - Medium - Upgraded aiohttp in the Splunk Secure Gateway app, 
$SPLUNK_HOME/etc/apps/splunk_secure_gateway/lib/aiohttp CVE-2023-43804 - urllib3 - Upgraded to 2.0.7 - Medium - Upgraded urllib3 in the Splunk Secure Gateway app, $SPLUNK_HOME/etc/apps/splunk_secure_gateway/lib/urllib3 CVE-2023-45803 - urllib3 - Upgraded to 2.0.7 - Medium - Upgraded urllib3 in the Splunk Secure Gateway app, $SPLUNK_HOME/etc/apps/splunk_secure_gateway/lib/urllib3 CVE-2023-37920 - certifi - Upgraded to 2024.2.2 - Low - Upgraded certifi in the Splunk Secure Gateway app, $SPLUNK_HOME/etc/apps/splunk_secure_gateway/lib/certifi CVE-2024-3651 - idna - Upgraded to 3.7 - Medium - Upgraded idna in the Splunk Secure Gateway app, $SPLUNK_HOME/etc/apps/splunk_secure_gateway/lib/idna CVE-2023-5752 - pip - Upgraded to 24.0 - Informational - CVE-2022-40897 - setuptools - Upgraded to 65.5.1 - Medium - CVE-2022-40896 - pygments - Upgraded to 2.15.1 - Medium - CVE-2022-40898 - wheel - Upgraded to 0.41.2 - Informational - CVE-2023-32681 - requests - Upgraded to 2.31.0 - Medium - Upgraded requests in $SPLUNK_HOME/lib/python3.7/site-packages/requests CVE-2022-40899 - future - Upgraded to 1.0.0 - High - Upgraded requests in $SPLUNK_HOME/lib/python3.7/site-packages/future | ||
SVD-2024-0717 | 2024-07-01 | 2024-07-01 | Persistent Cross-site Scripting (XSS) in conf-web/settings REST endpoint | Medium | CVE-2024-36997 | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N | 4.6 | CWE-79 | VULN-8007 | Splunk Enterprise 9.2 Splunk Enterprise 9.1 Splunk Enterprise 9.0 Splunk Cloud Platform 9.1.2312 | 9.2.2 9.1.5 9.0.10 9.1.2312.100 | 9.2.0 to 9.2.1 9.1.0 to 9.1.4 9.0.0 to 9.0.9 Below 9.1.2312.100 | 9.2.2 9.1.5 9.0.10 9.1.2312.100 | Splunk Web Splunk Web Splunk Web Splunk Web | In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312, an admin user could store and execute arbitrary JavaScript code in the browser context of another Splunk user through the conf-web/settings REST endpoint. This could potentially cause a persistent cross-site scripting (XSS) exploit. | Upgrade Splunk Enterprise to versions 9.2.2, 9.1.5, and 9.0.10, or higher.<br><br>Splunk is performing upgrades on Splunk Cloud Platform instances as part of Routine Maintenance for customers, as described in the Splunk Cloud Platform Maintenance Policy. In the meantime, Splunk is actively monitoring for potential issues that could arise from this vulnerability. | The vulnerability is likely to affect instances with [Splunk Web](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) turned on. You could turn Splunk Web off as a possible workaround. See [Disable unnecessary Splunk Enterprise components](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) and the [web.conf](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf) configuration specification file for more information on turning Splunk Web off. | Splunk rates this vulnerability as 4.6, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N<br><br>If the Splunk Enterprise instance does not run Splunk Web, there is no impact and the severity is Informational. 
| STÖK / Fredrik Alexandersson | |
SVD-2024-0716 | 2024-07-01 | 2024-07-01 | Information Disclosure of user names | Medium | CVE-2024-36996 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | 5.3 | CWE-204 | VULN-3072 | Splunk Enterprise 9.2 Splunk Enterprise 9.1 Splunk Enterprise 9.0 Splunk Cloud Platform 9.1.2312 | 9.2.2 9.1.5 9.0.10 9.1.2312.109 | 9.2.0 to 9.2.1 9.1.0 to 9.1.4 9.0.0 to 9.0.9 Below 9.1.2312.109 | 9.2.2 9.1.5 9.0.10 9.1.2312.109 | SAML SAML SAML SAML | In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.109, an attacker could determine whether or not another user exists on the instance by deciphering the error response that they receive from the instance when they attempt to log in. This disclosure could then lead to additional brute-force password-guessing attacks.<br><br>This vulnerability would require that the Splunk platform instance uses the Security Assertion Markup Language (SAML) authentication scheme. | Upgrade Splunk Enterprise to versions 9.2.2, 9.1.5, and 9.0.10, or higher.<br><br>Splunk is performing upgrades on Splunk Cloud Platform instances as part of Routine Maintenance for customers, as described in the Splunk Cloud Platform Maintenance Policy. In the meantime, Splunk is actively monitoring for potential issues that could arise from this vulnerability. | None | Splunk rates this vulnerability a 5.3, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N.<br><br>If the Splunk Enterprise instance does not run Splunk Web, there should be no impact and the severity would be informational. | ||
SVD-2024-0715 | 2024-07-01 | 2024-07-01 | Low-privileged user could create experimental items | Medium | CVE-2024-36995 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | 4.3 | CWE-862 | VULN-15941 | Splunk Enterprise 9.2 Splunk Enterprise 9.1 Splunk Enterprise 9.0 Splunk Cloud Platform 9.1.2312 Splunk Cloud Platform 9.1.2308 | 9.2.2 9.1.5 9.0.10 9.1.2312.200 9.1.2308.207 | 9.2.0 to 9.2.1 9.1.0 to 9.1.4 9.0.0 to 9.0.9 Below 9.1.2312.200 Below 9.1.2308.207 | 9.2.2 9.1.5 9.0.10 9.1.2312.200 9.1.2308.207 | REST API REST API REST API REST API REST API | In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.200 and 9.1.2308.207, a low-privileged user that does not hold the “admin” or “power” Splunk roles could create experimental items. | Upgrade Splunk Enterprise to versions 9.2.2, 9.1.5, and 9.0.10, or higher.<br><br>Splunk is performing upgrades on Splunk Cloud Platform instances as part of Routine Maintenance for customers, as described in the Splunk Cloud Platform Maintenance Policy. In the meantime, Splunk is actively monitoring for potential issues that could arise from this vulnerability. | None | Splunk rates this vulnerability as 4.3, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. | MrHack | |
SVD-2024-0714 | 2024-07-01 | 2024-07-01 | Persistent Cross-site Scripting (XSS) in Dashboard Elements | Medium | CVE-2024-36994 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | 5.4 | CWE-79 | VULN-15625 | Splunk Enterprise 9.2 Splunk Enterprise 9.1 Splunk Enterprise 9.0 Splunk Cloud Platform 9.1.2312 Splunk Cloud Platform 9.1.2308 | 9.2.2 9.1.5 9.0.10 9.1.2312.200 9.1.2308.207 | 9.2.0 to 9.2.1 9.1.0 to 9.1.4 9.0.0 to 9.0.9 Below 9.1.2312.200 Below 9.1.2308.207 | 9.2.2 9.1.5 9.0.10 9.1.2312.200 9.1.2308.207 | Splunk Web Splunk Web Splunk Web Splunk Web Splunk Web | In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.200 and 9.1.2308.207, a low-privileged user that does not hold the “admin” or “power” Splunk roles could craft a malicious payload through a View and Splunk Web Bulletin Messages that could result in execution of unauthorized JavaScript code in the browser of a user.<br><br>The “ping” URL attribute and the “url” parameter do not properly validate user input. The attribute and parameter are not properly escaped, which could lead to the Stored Cross-site Scripting (XSS) exploit. | Upgrade Splunk Enterprise to versions 9.2.2, 9.1.5, and 9.0.10, or higher.<br><br>Splunk is performing upgrades on Splunk Cloud Platform instances as part of Routine Maintenance for customers, as described in the Splunk Cloud Platform Maintenance Policy. In the meantime, Splunk is actively monitoring for potential issues that could arise from this vulnerability. | The vulnerability affects instances with [Splunk Web](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) enabled. Turning Splunk Web off is a possible workaround. 
See [Disable unnecessary Splunk Enterprise components](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) and the [web.conf](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf) configuration specification file for more information on disabling Splunk Web. | Splunk rates this vulnerability as 5.4, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N.<br><br>If the Splunk Enterprise instance does not run Splunk Web, there should be no impact and the severity would be informational. | Danylo Dmytriiev (DDV_UA) | |
SVD-2024-0713 | 2024-07-01 | 2024-07-01 | Persistent Cross-site Scripting (XSS) in Web Bulletin | Medium | CVE-2024-36993 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | 5.4 | CWE-79 | VULN-15649 | Splunk Enterprise 9.2 Splunk Enterprise 9.1 Splunk Enterprise 9.0 Splunk Cloud Platform 9.1.2312 Splunk Cloud Platform 9.1.2308 | 9.2.2 9.1.5 9.0.10 9.1.2312.200 9.1.2308.207 | 9.2.0 to 9.2.1 9.1.0 to 9.1.4 9.0.0 to 9.0.9 Below 9.1.2312.200 Below 9.1.2308.207 | 9.2.2 9.1.5 9.0.10 9.1.2312.200 9.1.2308.207 | Splunk Web Splunk Web Splunk Web Splunk Web Splunk Web | In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.200 and 9.1.2308.207, a low-privileged user that does not hold the “admin” or “power” Splunk roles could craft a malicious payload through Splunk Web Bulletin Messages that could result in execution of unauthorized JavaScript code in the browser of a user.<br><br>Splunk Web Bulletin Messages would not sanitize the “data-toggle” and “data-remote” attributes which could lead to a Stored Cross-site Scripting (XSS) exploit. | Upgrade Splunk Enterprise to versions 9.2.2, 9.1.5, and 9.0.10, or higher.<br><br>Splunk is performing upgrades on Splunk Cloud Platform instances as part of Routine Maintenance for customers, as described in the Splunk Cloud Platform Maintenance Policy. In the meantime, Splunk is actively monitoring for potential issues that could arise from this vulnerability. | The vulnerability affects instances with [Splunk Web](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) enabled. Turning Splunk Web off is a possible workaround. See [Disable unnecessary Splunk Enterprise components](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) and the [web.conf](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf) configuration specification file for more information on disabling Splunk Web. 
| Splunk rates this vulnerability as 5.4, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N.<br><br>If the Splunk Enterprise instance does not run Splunk Web, there should be no impact and the severity would be informational. | Anton (therceman) | |
SVD-2024-0712 | 2024-07-01 | 2024-07-01 | Persistent Cross-site Scripting (XSS) in Dashboard Elements | Medium | CVE-2024-36992 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | 5.4 | CWE-79 | VULN-15645 | Splunk Enterprise 9.2 Splunk Enterprise 9.1 Splunk Enterprise 9.0 Splunk Cloud Platform 9.1.2312 Splunk Cloud Platform 9.1.2308 | 9.2.2 9.1.5 9.0.10 9.1.2312.200 9.1.2308.207 | 9.2.0 to 9.2.1 9.1.0 to 9.1.4 9.0.0 to 9.0.9 Below 9.1.2312.200 Below 9.1.2308.207 | 9.2.2 9.1.5 9.0.10 9.1.2312.200 9.1.2308.207 | Splunk Web Splunk Web Splunk Web Splunk Web Splunk Web | In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.200 and 9.1.2308.207, a low-privileged user that does not hold the “admin” or “power” Splunk roles could craft a malicious payload through a View that could result in execution of unauthorized JavaScript code in the browser of a user.<br><br>The “url” parameter of the Dashboard element does not have proper input validation to reject invalid URLs, which could lead to a Persistent Cross-site Scripting (XSS) exploit. | Upgrade Splunk Enterprise to versions 9.2.2, 9.1.5, and 9.0.10, or higher.<br><br>Splunk is performing upgrades on Splunk Cloud Platform instances as part of Routine Maintenance for customers, as described in the Splunk Cloud Platform Maintenance Policy. In the meantime, Splunk is actively monitoring for potential issues that could arise from this vulnerability. | The vulnerability affects instances with [Splunk Web](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) enabled. Turning Splunk Web off is a possible workaround. See [Disable unnecessary Splunk Enterprise components](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) and the [web.conf](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf) configuration specification file for more information on disabling Splunk Web. 
| Splunk rates this vulnerability as 5.4, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N.<br><br>If the Splunk Enterprise instance does not run Splunk Web, there should be no impact and the severity would be informational. | Anton (therceman) | |
SVD-2024-0711 | 2024-07-01 | 2024-07-01 | Path Traversal on the “/modules/messaging/” endpoint in Splunk Enterprise on Windows | High | CVE-2024-36991 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 7.5 | CWE-35 | VULN-15637 | Splunk Enterprise 9.2 Splunk Enterprise 9.1 Splunk Enterprise 9.0 | 9.2.2 9.1.5 9.0.10 | 9.2.0 to 9.2.1 9.1.0 to 9.1.4 9.0.0 to 9.0.9 | 9.2.2 9.1.5 9.0.10 | Splunk Web Splunk Web Splunk Web | In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10, an attacker could perform a path traversal on the `/modules/messaging/` endpoint in Splunk Enterprise on Windows.<br><br>The vulnerability exists because the Python `os.path.join` function removes the drive letter from path tokens if the drive in the token matches the drive in the built path.<br><br>This vulnerability should only affect Splunk Enterprise on Windows. | Upgrade Splunk Enterprise to versions 9.2.2, 9.1.5, and 9.0.10, or higher. | The vulnerability affects instances with [Splunk Web](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) turned on. You could turn Splunk Web off as a possible workaround. See [Disable unnecessary Splunk Enterprise components](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) and the [web.conf](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf) configuration specification file for more information on turning Splunk Web off. | Splunk rates this vulnerability as 7.5, High, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. <br><br>If the Splunk Enterprise instance does not run Splunk Web, there should be no impact and the severity would be informational. | Danylo Dmytriiev (DDV_UA) | |
SVD-2024-0710 | 2024-07-01 | 2024-07-01 | Denial of Service (DoS) on the datamodel/web REST endpoint | Medium | CVE-2024-36990 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H | 6.5 | CWE-835 | VULN-15235 | Splunk Enterprise 9.2 Splunk Enterprise 9.1 Splunk Enterprise 9.0 Splunk Cloud Platform 9.1.2312 Splunk Cloud Platform 9.1.2312 Splunk Cloud Platform 9.1.2308 | 9.2.2 9.1.5 9.0.10 9.1.2312.202 9.1.2312.109 9.1.2308.209 | 9.2.0 to 9.2.1 9.1.0 to 9.1.4 9.0.0 to 9.0.9 9.1.2312.200 to 9.1.2312.201 9.1.2312.100 to 9.1.2312.108 Below 9.1.2308.208 | 9.2.2 9.1.5 9.0.10 9.1.2312.202 9.1.2312.109 9.1.2308.209 | REST API REST API REST API REST API REST API REST API | In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.2.2403.100, an authenticated, low-privileged user that does not hold the “admin” or “power” Splunk roles could send a specially crafted HTTP POST request to the datamodel/web REST endpoint in Splunk Enterprise, potentially causing a denial of service.<br><br>The DoS could result from a condition where a data model definition contains a cyclic dependency. That dependency could lead to an infinite loop, which leads to a stack overflow and the subsequent crash of the Splunk daemon. | Upgrade Splunk Enterprise to versions 9.2.2, 9.1.5, and 9.0.10, or higher.<br><br>Splunk is performing upgrades on Splunk Cloud Platform instances as part of Routine Maintenance for customers, as described in the Splunk Cloud Platform Maintenance Policy. In the meantime, Splunk is actively monitoring for potential issues that could arise from this vulnerability. | None | Splunk rates this vulnerability as 6.5, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. | Anton (therceman) | |
SVD-2024-0709 | 2024-07-01 | 2024-07-01 | Low-privileged user could create notifications in Splunk Web Bulletin Messages | Medium | CVE-2024-36989 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N | 6.5 | CWE-284 | VULN-15234 | Splunk Enterprise 9.2 Splunk Enterprise 9.1 Splunk Enterprise 9.0 Splunk Cloud Platform 9.1.2312 | 9.2.2 9.1.5 9.0.10 9.1.2312.200 | 9.2.0 to 9.2.1 9.1.0 to 9.1.4 9.0.0 to 9.0.9 Below 9.1.2312.200 | 9.2.2 9.1.5 9.0.10 9.1.2312.200 | Splunk Web Splunk Web Splunk Web Splunk Web | In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.200, a low-privileged user that does not hold the “admin” or “power” Splunk roles could create notifications in Splunk Web Bulletin Messages that all users on the instance receive.<br><br>This could be the result of a lack of access control for using the Bulletin Messages system to send notifications.<br><br>It may be possible for the notifications to contain Web links. This could result in administrators navigating to other Web pages or running searches unexpectedly. | Upgrade Splunk Enterprise to versions 9.2.2, 9.1.5, and 9.0.10, or higher.<br><br>Splunk is performing upgrades on Splunk Cloud Platform instances as part of Routine Maintenance for customers, as described in the Splunk Cloud Platform Maintenance Policy. In the meantime, Splunk is actively monitoring for potential issues that could arise from this vulnerability. | The vulnerability affects instances with [Splunk Web](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) turned on. You could turn Splunk Web off as a possible workaround. See [Disable unnecessary Splunk Enterprise components](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) and the [web.conf](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf) configuration specification file for more information on turning Splunk Web off. 
| Splunk rates this vulnerability as 6.5, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N<br><br>If the Splunk Enterprise instance does not run Splunk Web, there should be no impact and the severity would be informational. | Anton (therceman) | |
SVD-2024-0708 | 2024-07-01 | 2024-07-01 | OpenSSL crypto library (libcrypto.so) incorrectly compiled with stack execution bit set in Splunk Enterprise and Universal Forwarder on certain operating systems | Informational | NA | NA | CWE-119 | VULN-14673 | Splunk Enterprise - Linux 9.2 Splunk Enterprise - Linux 9.1 Splunk Enterprise - Linux 9.0 Universal Forwarder - Solaris 9.2 Universal Forwarder - Solaris 9.1 Universal Forwarder - Solaris 9.0 | 9.2.2 9.1.5 9.0.10 9.2.2 9.1.5 9.0.10 | 9.2.0 to 9.2.1 9.1.3 to 9.1.4 9.0.8 to 9.0.9 9.2.0 to 9.2.1 9.1.0 to 9.1.4 9.0.0 to 9.0.9 | 9.2.2 9.1.5 9.0.10 9.2.2 9.1.5 9.0.10 | libcrypto libcrypto libcrypto libcrypto libcrypto libcrypto | In certain specific versions and platform architectures of Splunk Enterprise and the Universal Forwarder, the cryptographic library for OpenSSL (libcrypto.so) was incorrectly compiled with its stack execution bit set. Setting the executable bit on .so library files is not a direct vulnerability. <br><br>The problem affects the following versions of the Splunk platform only:<br> - Splunk Enterprise on Linux: 9.2.1, 9.2.0.1, 9.2.0, 9.1.4, 9.1.3, 9.0.9, and 9.0.8 <br> - Universal Forwarder on Solaris: all versions below 9.2.2, 9.1.5, and 9.0.10. <br><br>The problem does not affect the following versions of the Splunk platform:<br> - Splunk Enterprise on Windows or MacOS.<br> - Universal Forwarder on Windows, MacOS, Linux, FreeBSD, or AIX. | Upgrade Splunk Enterprise on Linux and Universal Forwarder on Solaris to versions 9.2.2, 9.1.5, and 9.0.10, or higher. | None | This advisory is informational only. A severity rating does not apply and the Common Vulnerability Scoring System (CVSS) is not applicable. | |||
SVD-2024-0707 | 2024-07-01 | 2024-07-01 | Insecure File Upload in the indexing/preview REST endpoint | Medium | CVE-2024-36987 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N | 4.3 | CWE-434 | VULN-10327 | Splunk Enterprise 9.2 Splunk Enterprise 9.1 Splunk Enterprise 9.0 Splunk Cloud Platform 9.1.2312 | 9.2.2 9.1.5 9.0.10 9.1.2312.200 | 9.2.0 to 9.2.1 9.1.0 to 9.1.4 9.0.0 to 9.0.9 Below 9.1.2312.200 | 9.2.2 9.1.5 9.0.10 9.1.2312.200 | Splunk Web Splunk Web Splunk Web Splunk Web | In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.200, an authenticated, low-privileged user who does not hold the “admin” or “power” Splunk roles could upload a file with an arbitrary extension using the indexing/preview REST endpoint.<br><br>The vulnerable endpoint is one of several that the Upload Data page in Splunk Web uses to run a “preview” search of the data contained within a file that a user uploads prior to indexing. This process generates a file that a low-privileged user could use to perform the XSLT injection, which could be used to perform downstream exploits. | Upgrade Splunk Enterprise to versions 9.2.2, 9.1.5, and 9.0.10, or higher.<br><br>Splunk is performing upgrades on Splunk Cloud Platform instances as part of Routine Maintenance for customers, as described in the Splunk Cloud Platform Maintenance Policy. In the meantime, Splunk is actively monitoring for potential issues that could arise from this vulnerability. | The vulnerability would likely affect instances with [Splunk Web](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) turned on. You could turn Splunk Web off as a possible workaround. 
See [Disable unnecessary Splunk Enterprise components](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) and the [web.conf](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf) configuration specification file for more information on turning Splunk Web off. | Splunk rates this vulnerability as 4.3, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N.<br><br>If the Splunk Enterprise instance does not run Splunk Web, there should be no impact and the severity would be informational. | Kyle Bambrick, Splunk | |
SVD-2024-0706 | 2024-07-01 | 2024-07-01 | Risky command safeguards bypass through Search ID query in Analytics Workspace | Medium | CVE-2024-36986 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N | 6.3 | CWE-200 | VULN-10317 | Splunk Enterprise 9.2 Splunk Enterprise 9.1 Splunk Enterprise 9.0 Splunk Cloud Platform 9.1.2312 Splunk Cloud Platform 9.1.2308 | 9.2.2 9.1.5 9.0.10 9.1.2312.200 9.1.2308.207 | 9.2.0 to 9.2.1 9.1.0 to 9.1.4 9.0.0 to 9.0.9 Below 9.1.2312.200 Below 9.1.2308.207 | 9.2.2 9.1.5 9.0.10 9.1.2312.200 9.1.2308.207 | Splunk Web Splunk Web Splunk Web Splunk Web Splunk Web | In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.200 and 9.1.2308.207, an authenticated user could run risky commands using the permissions of a higher-privileged user to bypass [SPL safeguards for risky commands](https://docs.splunk.com/Documentation/SplunkCloud/latest/Security/SPLsafeguards) in the Analytics Workspace. <br><br>The vulnerability requires the authenticated user to phish the victim by tricking them into initiating a request within their browser. The authenticated user should not be able to exploit the vulnerability at will. | Upgrade Splunk Enterprise to versions 9.2.2, 9.1.5, and 9.0.10, or higher.<br><br>Splunk is performing upgrades on Splunk Cloud Platform instances as part of Routine Maintenance for customers, as described in the Splunk Cloud Platform Maintenance Policy. In the meantime, Splunk is actively monitoring for potential issues that could arise from this vulnerability. | The vulnerability likely affects instances with the Analytics Workspace enabled. Turning off the Analytics Workspace application is a possible workaround. 
For more information on managing apps, see [Manage app and add-on objects](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Managingappobjects).<br><br>The vulnerability likely affects instances with [Splunk Web](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) enabled, turning Splunk Web off is a possible workaround. See [Disable unnecessary Splunk Enterprise components](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) and the [web.conf](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf) configuration specification file for more information on disabling Splunk Web. | Splunk rates this vulnerability as 6.3, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N.<br><br>If the Splunk Enterprise instance does not run Splunk Web or disabled Analytics Workplace, there should be no impact and the severity would be informational. | Anton (therceman) | |
SVD-2024-0705 | 2024-07-01 | 2024-07-01 | Remote Code Execution (RCE) through an external lookup due to “copybuckets.py” script in the “splunk_archiver” application in Splunk Enterprise | High | CVE-2024-36985 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | CWE-687 | VULN-8937 | Splunk Enterprise 9.2 Splunk Enterprise 9.1 Splunk Enterprise 9.0 | 9.2.2 9.1.5 9.0.10 | 9.2.0 to 9.2.1 9.1.0 to 9.1.4 9.0.0 to 9.0.9 | 9.2.2 9.1.5 9.0.10 | splunk_archiver splunk_archiver splunk_archiver | In Splunk Enterprise versions below 9.0.10, 9.1.5, and 9.2.2, a low-privileged user that does not hold the “admin” or “power” Splunk roles could cause a Remote Code Execution through an external lookup that likely references the “splunk_archiver” application.<br><br>The “splunk_archiver” application likely contains a script called “copybuckets.py” that itself references a file called “erp_launcher.py”, which would likely execute a script called “sudobash”.<br><br>The “sudobash” script does not perform any input checking. Therefore it runs a bash shell with arguments supplied by the “erp_launcher.py” file. This can lead to an RCE. | Upgrade Splunk Enterprise to versions 9.2.2, 9.1.5, and 9.0.10, or higher. | Disable the “splunk_archiver” application | Splunk rates this vulnerability as 8.8, High, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.<br><br>If the Splunk Enterprise instance disabled splunk_archiver, there is no impact and the severity is Informational. | Alex Hordijk | |
SVD-2024-0704 | 2024-07-01 | 2024-07-01 | Remote Code Execution through Serialized Session Payload in Splunk Enterprise on Windows | High | CVE-2024-36984 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | CWE-502 | VULN-15741 | Splunk Enterprise 9.2 Splunk Enterprise 9.1 Splunk Enterprise 9.0 | 9.2.2 9.1.5 9.0.10 | 9.2.0 to 9.2.1 9.1.0 to 9.1.4 9.0.0 to 9.0.9 | 9.2.2 9.1.5 9.0.10 | Splunk Web Splunk Web Splunk Web | In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 on Windows, an authenticated user could execute a specially crafted query that they could then use to serialize untrusted data. The attacker could use the query to execute arbitrary code.<br><br>The exploit requires the use of the collect SPL command which writes a file within the Splunk Enterprise installation. The attacker could then use this file to submit a serialized payload that could result in execution of code within the payload. | Upgrade Splunk Enterprise to versions 9.2.2, 9.1.5, and 9.0.10, or higher. | If users do not log in to Splunk Web on indexers in a distributed environment, disable Splunk Web on those indexers. See [Disable unnecessary Splunk Enterprise components](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) and the [web.conf configuration specification](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf) file in the Splunk documentation for more information on disabling Splunk Web. | Splunk rates this vulnerability as 8.8, High, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.<br><br>If the Splunk Enterprise instance does not run Splunk Web, there should be no impact and the severity would be informational. | Danylo Dmytriiev (DDV_UA) | |
SVD-2024-0703 | 2024-07-01 | 2024-07-01 | Command Injection using External Lookups | High | CVE-2024-36983 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H | 8.0 | CWE-77 | VULN-15560 | Splunk Enterprise 9.2 Splunk Enterprise 9.1 Splunk Enterprise 9.0 Splunk Cloud Platform 9.1.2312 Splunk Cloud Platform 9.1.2308 | 9.2.2 9.1.5 9.0.10 9.1.2312.109 9.1.2308.207 | 9.2.0 to 9.2.1 9.1.0 to 9.1.4 9.0.0 to 9.0.9 9.1.2312.100 to 9.1.2312.108 Below 9.1.2308.207 | 9.2.2 9.1.5 9.0.10 9.1.2312.109 9.1.2308.207 | External Lookups External Lookups External Lookups External Lookups External Lookups | In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.109 and 9.1.2308.207, an authenticated user could create an external lookup that calls a legacy internal function. The authenticated user could use this internal function to insert code into the Splunk platform installation directory. From there, the user could execute arbitrary code on the Splunk platform instance.<br><br>The vulnerability revolves around the currently-deprecated “runshellscript” command that scripted alert actions use. This command, along with external command lookups, lets an authenticated user use this vulnerability to inject and execute commands within a privileged context from the Splunk platform instance. | Upgrade Splunk Enterprise to versions 9.2.2, 9.1.5, and 9.0.10, or higher.<br><br>Splunk is performing upgrades on Splunk Cloud Platform instances as part of Emergency Maintenance for customers, as described in the Splunk Cloud Platform Maintenance Policy. In the meantime, Splunk is actively monitoring for potential issues that could arise from this vulnerability. | None | Splunk rates this vulnerability as 8.0, High, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H. | Danylo Dmytriiev (DDV_UA) | |
SVD-2024-0702 | 2024-07-01 | 2024-07-01 | Denial of Service through null pointer reference in “cluster/config” REST endpoint | High | CVE-2024-36982 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 7.5 | CWE-476 | VULN-15553 | Splunk Enterprise 9.2 Splunk Enterprise 9.1 Splunk Enterprise 9.0 Splunk Cloud Platform 9.1.2312 Splunk Cloud Platform 9.1.2308 | 9.2.2 9.1.5 9.0.10 9.1.2312.109 9.1.2308.207 | 9.2.0 to 9.2.1 9.1.0 to 9.1.4 9.0.0 to 9.0.9 9.1.2312.100 to 9.1.2312.108 Below 9.1.2308.207 | 9.2.2 9.1.5 9.0.10 9.1.2312.109 9.1.2308.207 | REST API REST API REST API REST API REST API | In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.109 and 9.1.2308.207, an attacker could trigger a null pointer reference on the “cluster/config” REST endpoint, which could result in a crash of the Splunk daemon. | Upgrade Splunk Enterprise to versions 9.2.2, 9.1.5, and 9.0.10, or higher. <br><br>Splunk is performing upgrades on Splunk Cloud Platform instances as part of Emergency Maintenance for customers, as described in the Splunk Cloud Platform Maintenance Policy. In the meantime, Splunk is actively monitoring for potential issues that could arise from this vulnerability. | None | Splunk rates this vulnerability as 7.5, High, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. | d0nahu3 | |
SVD-2024-0701 | 2024-07-01 | 2024-07-01 | Remote Code Execution through dashboard PDF generation component | High | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | CWE-94 | VULN-15197 | Splunk Enterprise 9.2 Splunk Enterprise 9.1 Splunk Enterprise 9.0 Splunk Cloud Platform 9.1.2312 Splunk Cloud Platform 9.1.2308 | 9.2.2 9.1.5 9.0.10 9.1.2312.109 9.1.2308.203 | 9.2.0 to 9.2.1 9.1.0 to 9.1.4 9.0.0 to 9.0.9 9.1.2312.100 to 9.1.2312.108 Below 9.1.2308.203 | 9.2.2 9.1.5 9.0.10 9.1.2312.109 9.1.2308.203 | pdfgen pdfgen pdfgen pdfgen pdfgen | In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.109 and 9.1.2308.203, an authenticated user could execute arbitrary code through the dashboard PDF generation component.<br><br>The pdfgen/render REST endpoint uses a vulnerable version of the ReportLab Toolkit (v3.6.1) Python library with a remote code execution vulnerability, as described in Common Vulnerabilities and Exposures (CVE) ID CVE-2023-33733. | Upgrade Splunk Enterprise to versions 9.2.2, 9.1.5, and 9.0.10, or higher.<br><br>Splunk is performing upgrades on Splunk Cloud Platform instances as part of Emergency Maintenance for customers, as described in the Splunk Cloud Platform Maintenance Policy. In the meantime, Splunk is actively monitoring for potential issues that could arise from this vulnerability. | None | Splunk rates this vulnerability as 8.8, High, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. | Alex Chapman (ajxchapman) | ||
SVD-2024-0304 | 2024-03-27 | 2024-03-27 | Third-Party Package Updates in Splunk Universal Forwarder - March 2024 | Low | - | - | - | - | Splunk Universal Forwarder 9.2 Splunk Universal Forwarder 9.1 Splunk Universal Forwarder 9.0 | 9.2.1 9.1.4 9.0.9 | 9.2.0 to 9.2.0.1 9.1.0 to 9.1.3 9.0.0 to 9.0.8 | 9.2.1 9.1.4 9.0.9 | | Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk Universal Forwarder versions 9.2.1, 9.1.4, 9.0.9 and higher, including the following: | Upgrade Splunk Universal Forwarder to versions 9.2.1, 9.1.4, and 9.0.9, or higher. | N/A | For the CVEs in this list, Splunk adopted the vendor's severity rating, where applicable. | CVE-2024-0727, CVE-2023-5678 - Openssl - Upgraded to 1.0.2zj - Low - multiple - curl - Upgraded from 8.0.1 to 8.5.0 - Informational - The Splunk Universal Forwarder is not affected by the CVEs listed by curl applicable to versions 8.0.1 through 8.4.0. However, out of an abundance of caution, Splunk upgraded it. | ||
SVD-2024-0303 | 2024-03-27 | 2024-03-27 | Third-Party Package Updates in Splunk Enterprise - March 2024 | High | - | - | - | - | Splunk Enterprise 9.2 Splunk Enterprise 9.1 Splunk Enterprise 9.0 | 9.2.1 9.1.4 9.0.9 | 9.2.0 to 9.2.0.1 9.1.0 to 9.1.3 9.0.0 to 9.0.8 | 9.2.1 9.1.4 9.0.9 | | Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk Enterprise versions 9.2.1, 9.1.4, 9.0.9 and higher, including the following: | Upgrade Splunk Enterprise to versions 9.2.1, 9.1.4, and 9.0.9, or higher. | N/A | For the CVEs in this list, Splunk adopted the vendor's severity rating, when available, or the national vulnerability database (NVD) common vulnerability scoring system (CVSS) rating, otherwise. | CVE-2024-0727, CVE-2023-5678 - Openssl - Upgraded to 1.0.2zj - Low - CVE-2023-39325 - net, go - Upgraded to 0.2.0 - High - Upgraded in Splunk Assist multiple - go - Upgraded from 1.20.10 to 1.21.5 - See vendor - Upgraded in Splunk Assist multiple - hive-exec - Upgraded from 3.1.3 to 4.0.0-beta-1 - See vendor - multiple - curl - Upgraded from 8.0.1 to 8.5.0 - See vendor - Splunk Enterprise is not affected by CVE-2023-38545 CVE-2021-32559 - pywin32 - Upgraded to b306 - Medium - multiple - jackson-databind - Upgraded from 2.9.10 to 2.13.5 - See vendor - Removed jackson-databind-2.9.10 nested within $SPLUNK_HOME/bin/jars/thirdparty/common/parquet-hive-bundle-1.11.2.jar and added jackson-databind-2.13.5 under $SPLUNK_HOME/bin/jars/common | ||
SVD-2024-0302 | 2024-03-27 | 2024-04-09 | Risky command safeguards bypass in Dashboard Examples Hub | High | CVE-2024-29946 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N | 8.1 | CWE-20 | SPL-250341 | Splunk Enterprise 9.2 Splunk Enterprise 9.1 Splunk Enterprise 9.0 Splunk Cloud Platform - Splunk Cloud Platform - | 9.2.1 9.1.4 9.0.9 9.1.2312.104 9.1.2308.205 | 9.2.0 to 9.2.0.1 9.1.0 to 9.1.3 9.0.0 to 9.0.8 9.1.2312.100 to 9.1.2312.103 Below 9.1.2308.205 | 9.2.1 9.1.4 9.0.9 9.1.2312.104 9.1.2308.205 | Splunk Dashboard Studio Splunk Dashboard Studio Splunk Dashboard Studio Splunk Dashboard Studio Splunk Dashboard Studio | In Splunk Enterprise versions below 9.2.1, 9.1.4 and 9.0.9, and Splunk Cloud Platform versions below 9.1.2312.104 and 9.1.2308.205, the Dashboard Examples Hub in the Splunk Dashboard Studio app lacks protections for risky SPL commands, which could allow an attacker to bypass SPL safeguards for risky commands. <br><br>The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser (and in the case of Splunk Enterprise, also if Splunk Web is on).<br><br>For more information on risky commands and potential impacts, see [SPL safeguards for risky commands](https://docs.splunk.com/Documentation/SplunkCloud/latest/Security/SPLsafeguards). | For Splunk Enterprise, upgrade versions to 9.2.1, 9.1.4, 9.0.9, or higher.<br><br>For Splunk Cloud Platform, Splunk has put in place a mitigation, and is actively monitoring and rolling out patches across Splunk Cloud Platform instances. | On Splunk Cloud Platform only, Splunk implemented network-level changes that fully mitigate the vulnerability.<br><br>On Splunk Enterprise only:<br><br>You can mitigate the vulnerability by removing the template file for the Splunk Dashboard Studio Examples Hub. This file is located at `$SPLUNK_HOME/etc/apps/splunk-dashboard-studio/appserver/templates/example-hub.html`. This mitigation prevents the Dashboard Examples Hub from rendering.<br><br>The vulnerability affects instances with [Splunk Web](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) turned on. You can turn Splunk Web off as a possible workaround. See [Disable unnecessary Splunk Enterprise components](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) and the [web.conf](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf) configuration specification file for more information on turning Splunk Web off.<br><br>The Splunk-built Splunk Dashboard Studio app comes with Splunk Enterprise and uses the Dashboard Examples Hub. You can disable the app as a possible workaround for instances that do not run as Search Heads. See [Manage app and add-on objects - Splunk Documentation](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Managingappobjects) for more information.<br><br>**Note:** In Splunk Enterprise versions below 9.2 and Splunk Cloud Platform versions below 9.0.2205, disabling the Splunk Dashboard Studio app disables Dashboard Studio dashboard functionality. In all Splunk Enterprise and Splunk Cloud Platform versions, disabling the Splunk Dashboard Studio app breaks images and icons for Dashboard Studio dashboards and might also cause unintended problems with other Dashboard Studio functionality. | The severity of this vulnerability varies based on certain conditions.<br><br>On Splunk Enterprise:<br><br>If the Splunk Enterprise environment meets the conditions that appear in the “Description” section, Splunk rates the vulnerability as High, 8.1, with a CVSSv3.1 Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N.<br><br>If the Splunk Enterprise instance does not run Splunk Web or Splunk Dashboard Studio, there is no impact and the severity is Informational.<br><br>On Splunk Cloud Platform:<br><br>Splunk implemented network-level changes that fully mitigate the vulnerability. There is no impact and the severity is Informational. | ||
SVD-2024-0301 | 2024-03-27 | 2024-03-27 | Splunk Authentication Token Exposure in Debug Log in Splunk Enterprise | High | CVE-2024-29945 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | 7.2 | CWE-532 | SPL-248977 | Splunk Enterprise 9.2 Splunk Enterprise 9.1 Splunk Enterprise 9.0 | 9.2.1 9.1.4 9.0.9 | 9.2.0 to 9.2.0.1 9.1.0 to 9.1.3 9.0.0 to 9.0.8 | 9.2.1 9.1.4 9.0.9 | | In Splunk Enterprise versions below 9.2.1, 9.1.4, and 9.0.9, the software potentially exposes authentication tokens during the token validation process. This exposure could happen when either Splunk Enterprise runs in debug mode or the `JsonWebToken` component has been configured to log its activity at the DEBUG logging level. Normally, Splunk Enterprise runs with debug mode and token authentication turned off, as well as the `JsonWebToken` process configured at the INFO logging level. <br><br>The vulnerability would require either local access to the log files or administrative access to internal indexes, which by default only the admin role receives. Review roles and capabilities on your instance and restrict internal index access to administrator-level roles. See [Define roles on the Splunk platform with capabilities](https://docs.splunk.com/Documentation/Splunk/latest/Security/Rolesandcapabilities) in the Splunk documentation for more information. | There are multiple solutions depending on how you have configured the Splunk Enterprise instance.<br><br>First, determine whether or not debug logging is on, either globally or for the `JsonWebToken` component. You must log into the Splunk Enterprise instance as an admin user or equivalent to perform these actions.<br><br>1. To determine the current global logging mode on the instance:<br>a. In a web browser, visit the Server Logging Settings page in Splunk Web at `/en-US/manager/system/server/logger`.<br>b. Review the Logging Level column on the page that loads. If every row in this column shows DEBUG as the logging level, then the Splunk Enterprise instance is in debug mode. Otherwise, it is not in debug mode.<br>2. To determine the current logging level for the `JsonWebToken` processor:<br>a. In a web browser, search for the JsonWebToken processor configuration by visiting `/en-US/manager/system/server/logger?search=JsonWebToken`.<br>b. Review the Logging level column for the processor. If this row has a value of DEBUG, then the processor currently logs its activity at the DEBUG level.<br><br>See [Enable debug logging](https://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/Enabledebuglogging) for more information.<br><br>If either of these steps determines that debug logging is on, either globally or for the `JsonWebToken` component, then remedy the problem by performing the following tasks:<br><br>1. Upgrade Splunk Enterprise to versions 9.2.1, 9.1.4, 9.0.9, or higher.<br>2. Delete the following log file on the Splunk Enterprise instance: `$SPLUNK_HOME/var/log/splunk/splunkd.log`<br>3. Log into Splunk Web on the Splunk Enterprise instance and delete all log file events for the `JsonWebToken` component from the _internal index by running the following search command:<br>`index=_internal component=JsonWebToken | delete`<br>Note: The delete SPL command requires the can_delete role, which administrators do not receive by default. See [delete](https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Delete) for more info on the delete search command.<br>4. While you are logged in, rotate any potentially exposed authentication tokens. See [Manage or delete authentication tokens](https://docs.splunk.com/Documentation/Splunk/latest/Security/ManageAuthTokens) for more information. | If it isn’t currently possible to upgrade to a fixed version of Splunk Enterprise, you can remedy the vulnerability by doing the following:<br><br>1. If the Splunk Enterprise instance runs in debug mode, turn it off. Restart the instance without using the `--debug` argument.<br>2. If you don’t use tokens to authenticate users on the Splunk Enterprise instance and token authentication is on, turn it off. See [Enable or disable token authentication](http://docs.splunk.com/Documentation/Splunk/latest/Security/EnableTokenAuth) for more information.<br>3. If the JsonWebToken component is at the DEBUG logging level, raise it to the INFO level.<br>a. Log into Splunk Web on the Splunk Enterprise instance and visit the Server Logging page as described previously.<br>b. Select the JsonWebToken component, change its logging level to INFO, then select Save.<br>4. View the `$SPLUNK_HOME/etc/log.cfg` logging configuration files and confirm that the JsonWebToken component is at the INFO logging level. Look for a line in the file that says `category.JsonWebToken=`. If it equals DEBUG, raise the logging level to INFO by doing the following:<br>a. Edit the `$SPLUNK_HOME/etc/log.cfg` file.<br>b. Add the line `category.JsonWebToken=INFO` to this file.<br>c. Save the file.<br>d. Repeat Steps 4a-4c with the `log-local.cfg` file, if it exists.<br>e. Restart Splunk Enterprise for the changes to `log.cfg` or `log-local.cfg` to take effect. Note: Confirm that you do not use the `--debug` flag to restart Splunk Enterprise.<br>5. Delete the following log file: `$SPLUNK_HOME/var/log/splunk/splunkd.log`<br>6. Delete all the Splunk Enterprise log file events from the _internal index by running the following search command:<br>`index=_internal component=JsonWebToken | delete`<br>Note: The delete command requires the can_delete role, which administrators do not receive by default. See [delete](https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Delete) for more info on the delete search command.<br>7. While you are logged in, rotate any potentially exposed authentication tokens. See [Manage or delete authentication tokens](https://docs.splunk.com/Documentation/Splunk/latest/Security/ManageAuthTokens) for more information. | Splunk rates this vulnerability as informational, or falling between a 6.7, Medium, and a 7.2, High. The following scenarios affect the score:<br><br>- If token authentication is turned off, then the vulnerability does not affect this Splunk Enterprise instance and the advisory is Informational.<br>- If you limit access to the _internal index to holders of the admin role only, then the CVSS score lowers to 6.7, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H.<br>- If admin users have provided lower-privilege users access to the _internal index, then the CVSS score would be 7.2, High, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. | Alex Napier, Splunk | |
SVD-2024-0112 | 2024-01-30 | 2024-01-30 | Third-Party Package Updates in Splunk Add-on Builder - January 2024 | High | - | - | - | - | Splunk Add-on Builder - | 4.1.4 | Below 4.1.4 | 4.1.4 | - | Splunk remedied common vulnerabilities and exposures (CVEs) in Third-Party Packages in Splunk Add-on Builder version 4.1.4, including the following: | For Splunk Add-on Builder, upgrade to version 4.1.4.<br><br>Splunk Add-on Builder replicates the requests Python HTTP library to custom apps and add-ons. After you upgrade Splunk Add-on Builder, review the following additional information if you use Add-on Builder to edit custom apps or add-ons:<br>1. Use Add-on Builder to edit and save the affected app. See the [Add-on Builder documentation](https://docs.splunk.com/Documentation/AddonBuilder/latest/UserGuide/Overview) for more information.<br>2. Restart Splunk Enterprise<br><br>If the custom app or add-on is also installed on instances without Add-on Builder, you must package the upgraded custom app or add-on, then install it on the instances. See [Validate and Package](https://docs.splunk.com/Documentation/AddonBuilder/latest/UserGuide/Validate) and [Package apps](https://dev.splunk.com/enterprise/docs/releaseapps/packageapps/) for more information.<br><br>For affected apps and add-ons that are already on SplunkBase, as a third-party developer, you must publish an updated version of the app or add-on to SplunkBase. For more information, see [Publish apps for Splunk Cloud Platform or Splunk Enterprise to Splunkbase](https://dev.splunk.com/enterprise/docs/releaseapps/splunkbase/). Cloud-vetted apps are subject to the [Cloud Vetting Change Policy](https://dev.splunk.com/enterprise/docs/releaseapps/cloudvetting/#Cloud-Vetting-Change-Policy).<br><br>Note: The Splunk Add-on Builder does not replicate the semver (Semantic Version parser) library to custom apps and add-ons. | N/A | For the CVEs in this list, Splunk adopted the national vulnerability database (NVD) common vulnerability scoring system (CVSS) rating to align with industry standards. | CVE-2023-32681 - requests - Upgraded to 2.31.0 - Medium - CVE-2022-25883 - semver - Upgraded to 5.7.2 - High - | ||
SVD-2024-0111 | 2024-01-30 | 2024-01-30 | Sensitive Information Disclosure to Internal Log Files in Splunk Add-on Builder | High | CVE-2023-46230 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:L | 8.2 | CWE-532 | ADDON-63640 | Splunk Add-on Builder - | 4.1.4 | Below 4.1.4 | 4.1.4 | Add-on Builder | In Splunk Add-on Builder versions below 4.1.4, the app writes sensitive information to internal log files. | Upgrade Splunk Add-on Builder to version 4.1.4 or higher, delete the logs, and delete the events. | N/A | Splunk rates this vulnerability as an 8.2, High, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:L. | Vikram Ashtaputre, Splunk | |
SVD-2024-0110 | 2024-01-30 | 2024-01-30 | Session Token Disclosure to Internal Log Files in Splunk Add-on Builder | High | CVE-2023-46231 | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H | 8.8 | CWE-532 | ADDON-63902 | Splunk Add-on Builder - | 4.1.4 | Below 4.1.4 | 4.1.4 | Add-on Builder | In Splunk Add-on Builder versions below 4.1.4, the application writes user session tokens to its internal log files when you visit the Splunk Add-on Builder or when you build or edit a custom app or add-on. | Upgrade Splunk Add-on Builder to version 4.1.4 or higher, delete the logs, and delete the events. | N/A | Splunk rates this vulnerability as an 8.8, High, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. | Vikram Ashtaputre, Splunk | |
SVD-2024-0109 | 2024-01-22 | 2024-01-26 | Third-Party Package Updates in Splunk Enterprise - January 2024 | High | - | - | - | N/A | Splunk Enterprise 9.0 Splunk Enterprise 9.1 | 9.0.8 9.1.3 | 9.0.0 to 9.0.7 9.1.0 to 9.1.2 | 9.0.8 9.1.3 | - - | Splunk remedied common vulnerabilities and exposures (CVEs) in Third-Party Packages in Splunk Enterprise versions 9.0.8 and 9.1.3, including the following: | Upgrade Splunk Enterprise to version 9.0.8, 9.1.3, or higher. | N/A | For the CVEs in this list, Splunk adopted the national vulnerability database (NVD) common vulnerability scoring system (CVSS) rating to align with industry standards. | Multiple* - golang, in Splunk Assist - Upgraded golang from 1.20.7 to 1.20.10 - See vendor - Multiple* - golang, in mongodump and mongorestore - Upgraded golang from 1.19** to 1.20.10 - See vendor - CVE-2022-40899 - future, Python 3, in Upgrade Readiness App - Upgraded to 0.18.3 - High - CVE-2022-40899 - future, Python 2, in Upgrade Readiness App - Upgraded to 0.18.3 - High - CVE-2023-37920 - certifi - Patched*** - Low - | ||
SVD-2024-0108 | 2024-01-22 | 2024-01-30 | Deserialization of Untrusted Data on Splunk Enterprise for Windows through Path Traversal from Separate Disk Partition | High | CVE-2024-23678 | CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H | 7.5 | CWE-20 | SPL-240674 | Splunk Enterprise 9.0 Splunk Enterprise 9.1 | 9.0.8 9.1.3 | 9.0.0 to 9.0.7 9.1.0 to 9.1.2 | 9.0.8 9.1.3 | Splunk Web Splunk Web | In Splunk Enterprise for Windows versions below 9.0.8 and 9.1.3, Splunk Enterprise does not correctly sanitize path input data. This results in the unsafe deserialization of untrusted data from a separate disk partition on the machine. This vulnerability only affects Splunk Enterprise for Windows. | Upgrade Splunk Enterprise for Windows to 9.0.8, 9.1.3, or higher.<br><br>This vulnerability does not affect Splunk Cloud Platform. | If users do not log in to Splunk Web on instances in a distributed environment, disable Splunk Web on those instances. See [Disable unnecessary Splunk Enterprise components](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) and the [web.conf](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf) configuration specification file for more information on disabling Splunk Web. <br> | Splunk rates this vulnerability a 7.5, High, with a CVSSv3.1 vector of CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H.<br><br>If you do not run Splunk Enterprise on a Windows machine, then there is no impact and the severity is Informational. | Danylo Dmytriiev (DDV_UA) | |
SVD-2024-0107 | 2024-01-22 | 2024-01-22 | Server Response Disclosure in RapidDiag Salesforce.com Log File | Medium | CVE-2024-23677 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N | 4.3 | CWE-532 | SPL-225757 | Splunk Enterprise 9.0 Splunk Cloud - | 9.0.8 9.0.2208 | 9.0.0 to 9.0.7 Versions below 9.0.2208 | 9.0.8 9.0.2208 | Splunk Web Splunk Web | In Splunk Enterprise versions below 9.0.8, the Splunk RapidDiag utility discloses server responses to an external application upload request in a log file. The log files might contain sensitive information. | Upgrade Splunk Enterprise to 9.0.8 or higher. <br><br>Splunk is actively monitoring and patching Splunk Cloud Platform instances. | N/A | Splunk rates this vulnerability a 4.3, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. | Vikram Ashtaputre, Splunk | |
SVD-2024-0106 | 2024-01-22 | 2024-01-23 | Sensitive Information Disclosure of Index Metrics through “mrollup” SPL Command | Medium | CVE-2024-23676 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N | 4.6 | CWE-20 | SPL-245947 | Splunk Enterprise 9.0 Splunk Enterprise 9.1 Splunk Cloud - | 9.0.8 9.1.3 9.1.2308.200 | 9.0.0 to 9.0.7 9.1.0 to 9.1.2 Versions below 9.1.2308.200 | 9.0.8 9.1.3 9.1.2308.200 | Splunk Web Splunk Web Splunk Web | In Splunk versions below 9.0.8 and 9.1.3, the “mrollup” SPL command lets a low-privileged user view metrics on an index that they do not have permission to view. This vulnerability requires user interaction from a high-privileged user to exploit. See [Splunk Enterprise Metrics](https://docs.splunk.com/Documentation/Splunk/latest/Metrics/Overview) for information on Metrics. | Upgrade Splunk Enterprise to versions 9.0.8, 9.1.3, or higher.<br><br>Splunk is actively monitoring and patching Splunk Cloud Platform instances. | If users do not log in to Splunk Web in a distributed environment, disable Splunk Web on those instances. See [Disable unnecessary Splunk Enterprise components](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) and the [web.conf](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf) configuration specification file for more information on disabling Splunk Web. <br><br>If users do not need access to metrics indexes, remove authorization to search those indexes. See [About configuring role-based user access](https://docs.splunk.com/Documentation/Splunk/latest/Security/Aboutusersandroles) for information on how to configure role-based user access. | Splunk rates this vulnerability a 4.6, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N. | Anton (therceman) | |
SVD-2024-0105 | 2024-01-22 | 2024-01-30 | Splunk App Key Value Store (KV Store) Improper Handling of Permissions Leads to KV Store Collection Deletion | Medium | CVE-2024-23675 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N | 6.5 | CWE-284 | SPL-246067 | Splunk Enterprise 9.0 Splunk Enterprise 9.1 Splunk Cloud - | 9.0.8 9.1.3 9.1.2312.100 | 9.0.0 to 9.0.7 9.1.0 to 9.1.2 Versions below 9.1.2312.100 | 9.0.8 9.1.3 9.1.2312.100 | Splunk REST API Splunk REST API Splunk REST API | In Splunk Enterprise versions below 9.0.8 and 9.1.3, Splunk app key value store (KV Store) improperly handles permissions for users that use the REST application programming interface (API). This can potentially result in the deletion of KV Store collections. | Upgrade Splunk Enterprise to 9.0.8, 9.1.3, or higher.<br><br>Splunk is actively monitoring and patching Splunk Cloud Platform instances. | Remove the `list_all_objects` capability from users that do not require it. See [Define roles on the Splunk platform with capabilities](https://docs.splunk.com/Documentation/Splunk/latest/Security/Rolesandcapabilities) for more information. If you are not using KV Store, you can disable it. See [Disable the KV store](https://docs.splunk.com/Documentation/Splunk/latest/Admin/AboutKVstore) for more information. Note: removing the list_all_objects capability may significantly impair user functionality. | Splunk rates this vulnerability a 6.5, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N. | Julian Kaufmann | |
SVD-2024-0104 | 2024-01-09 | 2024-01-09 | Splunk User Behavior Analytics (UBA) Third-Party Package Updates | High | - | - | - | UBA-16652 | Splunk User Behavior Analytics (UBA) - Splunk User Behavior Analytics (UBA) - | 5.3.0 5.2.1 | Below 5.3.0 Below 5.2.1 | 5.3.0 5.2.1 | - - | Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk User Behavior Analytics (UBA) versions 5.3.0 and 5.2.1, including the following: | Upgrade Splunk User Behavior Analytics (UBA) to version 5.3.0, 5.2.1, or higher. | N/A | For the CVEs in this list, Splunk adopted the national vulnerability database (NVD) common vulnerability scoring system (CVSS) rating to align with industry standards. | CVE-2023-32695 - socket.io-parser - Upgraded to 4.6.2 - High - CVE-2015-5237 - protobuf - Upgraded to 3.21.12 - High - CVE-2022-3171 - protobuf - Upgraded to 3.21.12 - High - CVE-2022-3509 - protobuf - Upgraded to 3.21.12 - High - CVE-2022-3510 - protobuf - Upgraded to 3.21.12 - High - CVE-2023-2976 - Guava - Upgraded to 32.0.1 - High - | ||
SVD-2024-0103 | 2024-01-09 | 2024-01-11 | Splunk Enterprise Security (ES) Third-Party Package Updates - January 2024 | Critical | - | - | - | - | Splunk Enterprise Security (ES) 7.3 Splunk Enterprise Security (ES) 7.2 Splunk Enterprise Security (ES) 7.1 | 7.3.0 7.2.0 7.1.2 | - - Below 7.1.2 | 7.3.0 7.2.0 7.1.2 | - - - | Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk Enterprise Security (ES) versions 7.1.2, 7.2.0 and higher, including the following: | Upgrade Splunk Enterprise Security (ES) to version 7.1.2, 7.2.0, 7.3.0 or higher. | N/A | For the CVEs in this list, Splunk adopted the national vulnerability database (NVD) common vulnerability scoring system (CVSS) rating to align with industry standards. | CVE-2023-45133 - babel/traverse - Upgraded to 7.23.2 - High - CVE-2021-23446 - handsontable - Upgraded to 13.1.0 - High - CVE-2022-25883 - semver - Upgraded to 6.3.1 - High - CVE-2022-37599 - loader-utils - Upgraded to 1.4.2 - High - CVE-2022-37603 - loader-utils - Upgraded to 1.4.2 - High - CVE-2022-37601 - loader-utils - Upgraded to 1.4.2 - Critical - CVE-2022-46175 - json5 - Upgraded to 1.0.2 - High - | ||
SVD-2024-0102 | 2024-01-09 | 2024-01-10 | Denial of Service in Splunk Enterprise Security of the Investigations manager through Investigation creation | Medium | CVE-2024-22165 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H | 6.5 | CWE-20 | SOLNESS-35977 | Splunk Enterprise Security (ES) 7.3 Splunk Enterprise Security (ES) 7.2 Splunk Enterprise Security (ES) 7.1 | 7.3.0 7.2.0 7.1.2 | - - Below 7.1.2 | 7.3.0 7.2.0 7.1.2 | - - - | In Splunk Enterprise Security (ES) versions lower than 7.1.2, an attacker can create a malformed Investigation to perform a denial of service (DoS). The malformed investigation prevents the generation and rendering of the Investigations manager until it is deleted.<br>The vulnerability requires an authenticated session and access to create an Investigation. It only affects the availability of the Investigations manager, but without the manager, the Investigations functionality becomes unusable for most users. | Upgrade Splunk Enterprise Security (ES) to version 7.1.2, 7.2.0, 7.3.0 or higher. | N/A | Splunk rates this vulnerability a 6.5, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. | Eric LaMothe, Splunk | |
SVD-2024-0101 | 2024-01-09 | 2024-01-10 | Denial of Service of an Investigation in Splunk Enterprise Security through Investigation attachments | Medium | CVE-2024-22164 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L | 4.3 | CWE-400 | SOLNESS-35980 | Splunk Enterprise Security (ES) 7.3 Splunk Enterprise Security (ES) 7.2 Splunk Enterprise Security (ES) 7.1 | 7.3.0 7.2.0 7.1.2 | - - Below 7.1.2 | 7.3.0 7.2.0 7.1.2 | - - - | In Splunk Enterprise Security (ES) versions below 7.1.2, an attacker can use investigation attachments to perform a denial of service (DoS) to the investigation. The attachment endpoint does not properly limit the size of the request, which lets an attacker cause the investigation to become inaccessible.<br>The vulnerability requires authenticated collaborator access to the Investigation and only affects the availability of an affected Investigation. | Upgrade Splunk Enterprise Security (ES) to versions 7.1.2, 7.2.0, 7.3.0 or higher. | N/A | Splunk rates this vulnerability a 4.3, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L. | Vikram Ashtaputre, Splunk | |
SVD-2023-1107 | 2023-11-16 | 2023-12-18 | November 2023 Splunk Universal Forwarder Third-Party Updates | Low | - | - | - | - | Splunk Universal Forwarder 9.0 Splunk Universal Forwarder 9.1 | 9.0.7 9.1.2 | 9.0.0 to 9.0.6 9.1.0 to 9.1.1 | 9.0.7 9.1.2 | - - | Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk Universal Forwarder, including the following: | For Splunk Universal Forwarder, upgrade versions to 9.0.7 or 9.1.2. | N/A | For the CVEs in this list, Splunk adopted the vendor's severity. | CVE-2023-3817 - openssl - Upgraded to 1.0.2zi - Low - CVE-2023-3446 - openssl - Upgraded to 1.0.2zi - Low - | ||
SVD-2023-1106 | 2023-11-16 | 2024-01-11 | November 2023 Third-Party Package Updates in Splunk Cloud Platform | Critical | - | - | - | - | Splunk Cloud - | 9.1.2308.100 | Below 9.1.2308 | 9.1.2308.100 | Splunk Web | Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in version 9.1.2308.100 of Splunk Cloud Platform. | Splunk is actively upgrading and monitoring instances of Splunk Cloud Platform. | N/A | For the CVEs in this list, Splunk adopted the national vulnerability database (NVD) common vulnerability scoring system (CVSS) rating to align with industry standards. | CVE-2022-31799 - bottle - Upgraded to 0.12.25 - Critical - CVE-2023-24329 - python - Upgraded to 3.7.17 - High - CVE-2023-3817 - openssl - Upgraded to 1.0.2zi - Low - CVE-2023-3446 - openssl - Upgraded to 1.0.2zi - Low - | ||
SVD-2023-1105 | 2023-11-16 | 2023-11-16 | November 2023 Third Party Package updates in Splunk Enterprise | High | - | - | - | - | Splunk Enterprise 9.0 Splunk Enterprise 9.1 | 9.0.7 9.1.2 | 9.0.0 to 9.0.6 9.1.0 to 9.1.1 | 9.0.7 9.1.2 | Splunk Web Splunk Web | Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk Enterprise, including the following: | For Splunk Enterprise, upgrade versions to 9.0.7 or 9.1.2. | N/A | Splunk Enterprise does not use bottle and is not impacted by CVE-2022-31799. Otherwise, for the CVEs in this list, Splunk adopted the national vulnerability database (NVD) common vulnerability scoring system (CVSS) rating to align with industry standards. | CVE-2021-22570 - protobuf - Upgraded to 3.15.8 - Medium - CVE-2022-31799 - bottle - Upgraded to 0.12.25 - Informational - CVE-2023-24329 - python - Upgraded to 3.7.17 - High - CVE-2023-3817 - openssl - Upgraded to 1.0.2zi - Low - CVE-2023-3446 - openssl - Upgraded to 1.0.2zi - Low - | ||
SVD-2023-1104 | 2023-11-16 | 2023-12-12 | Remote code execution (RCE) in Splunk Enterprise through Insecure XML Parsing | High | CVE-2023-46214 | CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H | 8.0 | CWE-91 | SPL-241695 | Splunk Enterprise 9.0 Splunk Enterprise 9.1 Splunk Cloud - | 9.0.7 9.1.2 9.1.2308 | 9.0.0 to 9.0.6 9.1.0 to 9.1.1 Versions below 9.1.2308 | 9.0.7 9.1.2 9.1.2308 | Splunk Web Splunk Web Splunk Web | In Splunk Enterprise versions below 9.0.7 and 9.1.2, Splunk Enterprise does not safely sanitize extensible stylesheet language transformations (XSLT) that users supply. This means that an attacker can upload malicious XSLT which can result in remote code execution on the Splunk Enterprise instance. | Upgrade Splunk Enterprise to either 9.0.7 or 9.1.2. <br><br>Splunk is actively monitoring and patching Splunk Cloud Platform instances. | If you cannot upgrade, limit the ability of search job requests to accept XML stylesheet language (XSL) as valid input.<br><br>Edit the `web.conf` configuration file and add the following configuration on instances where you want to limit the ability of search job requests to accept XSL:<br><br>`[settings]`<br>`enableSearchJobXslt = false`<br><br>For more information on modifying the web.conf configuration file, see [How to edit a configuration file](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Howtoeditaconfigurationfile) and the [web.conf](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf) configuration specification. For earlier Splunk Enterprise versions, review the web.conf specification for availability of the `enableSearchJobXslt` setting. | Splunk rates this vulnerability an 8.0, High, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H. | Alex Hordijk | |
SVD-2023-1103 | 2023-11-16 | 2023-11-20 | Cross-site Scripting (XSS) on “Show Syntax Highlighted” View in Search Page | Medium | CVE-2023-46213 | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N | 4.8 | CWE-79 | VULN-5768 | Splunk Enterprise 9.0 Splunk Enterprise 9.1 Splunk Cloud - | 9.0.7 9.1.2 9.1.2308 | 9.0.0 to 9.0.6 9.1.0 to 9.1.1 Versions below 9.1.2308 | 9.0.7 9.1.2 9.1.2308 | Splunk Web Splunk Web Splunk Web | In Splunk Enterprise versions below 9.0.7 and 9.1.2, the “Show syntax highlighted” feature of the Search page does not effectively escape log file characters.<br><br>This vulnerability lets an attacker craft a log file which can execute unauthorized JavaScript code in the browser of a user that interacts with events in the malicious log file in a specific way. | Upgrade Splunk Enterprise to versions 9.0.7 or 9.1.2. <br><br>Splunk is actively monitoring and patching Splunk Cloud Platform instances. | If users do not log in to Splunk Web on indexers in a distributed environment, disable Splunk Web on those indexers. See [Disable unnecessary Splunk Enterprise components](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) and the [web.conf configuration specification](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf) file in the Splunk documentation for more information on disabling Splunk Web.<br>Do not use the “Show syntax highlighted” feature in the Search page on imported log files whose origins you are not familiar with. | Splunk rates this vulnerability a 4.8, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N<br>If the Splunk Enterprise instance does not run Splunk Web, it is not affected and this vulnerability can be considered Informational. | Joshua Neubecker | |
SVD-2023-1102 | 2023-11-16 | 2023-11-16 | Third Party Package Update in Splunk Add-on for Google Cloud Platform | Critical | - | - | - | - | Splunk Add-on for Google Cloud Platform - | 4.3.0 | Below 4.3.0 | 4.3.0 | - | Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in version 4.3.0 of Splunk Add-on for Google Cloud Platform. | For Splunk Add-on for Google Cloud Platform, upgrade versions to 4.3.0 or higher. | N/A | For the CVEs in this list, Splunk adopted the national vulnerability database (NVD) common vulnerability scoring system (CVSS) rating to align with industry standards. | CVE-2023-37920 - certifi - Upgraded to 2023.7.22 - Critical - CVE-2023-45803 - urllib3 - Upgraded to 1.26.18 - Medium - CVE-2023-43804 - urllib3 - Upgraded to 1.26.18 - High - CVE-2023-44270 - postcss - Upgraded to 8.4.31 - Medium - CVE-2022-25883 - semver - Upgraded to 6.3.1 and 7.5.4 - High - | ||
SVD-2023-1101 | 2023-11-16 | 2023-11-16 | Third Party Package Update in Splunk Add-on for Amazon Web Services | Critical | - | - | - | - | Splunk Add-on for Amazon Web Services - | 7.2.0 | Below 7.2.0 | 7.2.0 | - | Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in version 7.2.0 of Splunk Add-on for Amazon Web Services, including the following: | Upgrade the Splunk Add-on for Amazon Web Services to version 7.2.0 or higher. | N/A | For the CVEs in this list, Splunk adopted the national vulnerability database (NVD) common vulnerability scoring system (CVSS) rating to align with industry standards. | CVE-2023-37920 - certifi - Upgraded to 2023.7.22 - Critical - | ||
SVD-2023-1001 | 2023-10-06 | 2023-10-06 | Splunk Statement on CVE-2023-4863 libwebp Vulnerability | Informational | - | - | - | - | In early September 2023, Google disclosed a High-rated vulnerability, CVE-2023-4863, that affects Google Chrome and the libwebp library, which is part of the WebP image codec. Splunk has determined that CVE-2023-4863 does not affect Splunk products. If you have a product in your environment that CVE-2023-4863 does affect, upgrade the product per the recommendations from the product vendor. | None. CVE-2023-4863 does _not_ affect Splunk products. | None | Informational | CVE-2023-4863 - libwebp - Not affected - Informational - | |||||||
SVD-2023-0811 | 2023-08-30 | 2023-08-30 | Third Party Package Updates in IT Service Intelligence (ITSI) | High | - | - | - | - | Splunk ITSI 4.15 Splunk ITSI 4.13 | 4.15.3 4.13.3 | 4.15.0 to 4.15.2 4.13.0 to 4.13.2 | 4.15.3 4.13.3 | - - | Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk IT Service Intelligence (ITSI), including the following: | For Splunk IT Service Intelligence (ITSI), upgrade versions to 4.13.3 or 4.15.3 | N/A | For the CVEs in this list, Splunk adopted the national vulnerability database (NVD) common vulnerability scoring system (CVSS) rating to align with industry standards. | CVE-2023-2976 - guava - Upgraded to 32.0.0 - High - | ||
SVD-2023-0810 | 2023-08-30 | 2023-09-29 | Unauthenticated Log Injection in Splunk IT Service Intelligence (ITSI) | High | CVE-2023-4571 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H | 8.6 | CWE-117 | ITSI-31707 | Splunk ITSI 4.13 Splunk ITSI 4.15 Splunk ITSI 4.17 | 4.13.3 4.15.3 4.17.1 | 4.13.0 to 4.13.2 4.15.0 to 4.15.2 4.17.0 | 4.13.3 4.15.3 4.17.1 | - - - | In Splunk IT Service Intelligence (ITSI) versions below 4.13.3, 4.15.3, or 4.17.1, a malicious actor can inject American National Standards Institute (ANSI) escape codes into Splunk ITSI log files that, when a vulnerable terminal application reads them, can run malicious code in the vulnerable application. This attack requires a user to use a terminal application that translates ANSI escape codes to read the malicious log file locally in the vulnerable terminal. The vulnerability also requires additional user interaction to succeed. | For Splunk ITSI, upgrade to version 4.13.3, 4.15.3, or 4.17.1. Upgrading or mitigating the issue prevents future log injections. However, logs that were generated prior to an upgrade might be at risk. Where applicable, remove existing Splunk ITSI log files in either $SPLUNK_HOME/var/log/splunk/ or $SPLUNK_HOME/var/run/splunk/dispatch/<session_id>/itsi_search.log. On Windows ITSI instances, the log files are in %SPLUNK_HOME%\var\log\splunk and %SPLUNK_HOME%\var\run\splunk\dispatch\<session_id>\itsi_search.log. | As a partial mitigation, users can protect themselves from log injections via ANSI escape characters by disabling the ability to process ANSI escape codes in terminal applications or using a terminal application that supports the filtering of ANSI codes. | Splunk rates the vulnerability as High, 8.6, with a CVSS Vector of CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H. **Attack Vector:** The attack initially occurs at the network layer through an HTTP web request from the attacker to the vulnerable Splunk ITSI instance. 
However, this initial attack vector does not align with the CVSS metrics for “Attack Vector.” In most vulnerabilities that Splunk rates, the vector would align with those metrics, but the CVSS specification provides two qualifications for the “Local” metric. Specifically, the second qualification states the following: “the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document).” The attack mirrors this example, requiring the user to open a malicious document, for example, the injected log file. Because of this, Splunk rated the Attack Vector as “Local” per the CVSS v3.1 Specification Document. **Attack Complexity:** The vulnerability does not require additional preparation from the attacker, and there are no extenuating circumstances for exploiting the vulnerability. **Privileges Required:** The vulnerability does not require attacker privileges and occurs through an unauthenticated request to the Splunk ITSI instance. **User Interaction:** The vulnerability requires users to open or read the malicious document, file, or log for successful execution. **Scope:** The vulnerability does not affect Splunk ITSI directly, only indirectly through the authorized permissions in the user’s terminal. The vulnerability directly affects the user’s terminal, which falls outside of Splunk’s security authority. As such, the vulnerability qualifies for a Change in Scope. **Confidentiality/Integrity/Availability:** The vulnerability allows for the potential for remote code execution within the context of a user’s terminal. Because of this, out of an abundance of caution, Splunk rated the impact on the user’s terminal as High for all three vectors. The indirect impact on Splunk ITSI might vary significantly depending on how the user configured permissions in their terminal application. | STÖK / Fredrik Alexandersson | |
SVD-2023-0809 | 2023-08-30 | 2023-08-30 | August Third Party Package Updates in Splunk Universal Forwarder | High | - | - | - | - | Universal Forwarder 8.2 Universal Forwarder 9.0 Universal Forwarder 9.1 | 8.2.12 9.0.6 9.1.1 | 8.2.0 to 8.2.11 9.0.0 to 9.0.5 9.1.0 | 8.2.12 9.0.6 9.1.1 | - - - | Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk Universal Forwarder, including the following: | For Splunk Universal Forwarder, upgrade versions to 8.2.12, 9.0.6, or 9.1.1 | N/A | For the CVEs in this list, Splunk adopted the national vulnerability database (NVD) common vulnerability scoring system (CVSS) rating to align with industry standards. | CVE-2021-30560 - libxslt - Patched - High - CVE-2021-30560 - libxslt - Patched - High - CVE-2023-27538 - curl - Upgraded to 8.0.1 - Medium - CVE-2023-27537 - curl - Upgraded to 8.0.1 - Medium - CVE-2023-27536 - curl - Upgraded to 8.0.1 - Medium - CVE-2023-27535 - curl - Upgraded to 8.0.1 - Medium - CVE-2023-27534 - curl - Upgraded to 8.0.1 - High - CVE-2023-27533 - curl - Upgraded to 8.0.1 - High - CVE-2023-23916 - curl - Upgraded to 8.0.1 - Medium - CVE-2023-23915 - curl - Upgraded to 8.0.1 - Medium - CVE-2023-23914 - curl - Upgraded to 8.0.1 - Critical - CVE-2022-43552 - curl - Upgraded to 8.0.1 - Medium - CVE-2022-43551 - curl - Upgraded to 8.0.1 - High - CVE-2022-42916 - curl - Upgraded to 8.0.1 - High - CVE-2022-42915 - curl - Upgraded to 8.0.1 - High - CVE-2022-35260 - curl - Upgraded to 8.0.1 - Medium - CVE-2022-32221 - curl - Upgraded to 8.0.1 - Critical - CVE-2022-35252 - curl - Upgraded to 8.0.1 - Low - CVE-2022-32208 - curl - Upgraded to 8.0.1 - Medium - CVE-2022-32207 - curl - Upgraded to 8.0.1 - Critical - CVE-2022-32206 - curl - Upgraded to 8.0.1 - Medium - CVE-2022-32205 - curl - Upgraded to 8.0.1 - Medium - CVE-2022-30115 - curl - Upgraded to 8.0.1 - Medium - CVE-2022-27782 - curl - Upgraded to 8.0.1 - High - CVE-2022-27781 - curl - Upgraded to 8.0.1 - High - 
CVE-2022-27780 - curl - Upgraded to 8.0.1 - High - CVE-2022-27779 - curl - Upgraded to 8.0.1 - Medium - CVE-2022-27778 - curl - Upgraded to 8.0.1 - High - CVE-2022-27776 - curl - Upgraded to 8.0.1 - Medium - CVE-2022-27775 - curl - Upgraded to 8.0.1 - High - CVE-2022-27774 - curl - Upgraded to 8.0.1 - Medium - CVE-2022-22576 - curl - Upgraded to 8.0.1 - High - CVE-2021-22947 - curl - Upgraded to 8.0.1 - Medium - CVE-2021-22946 - curl - Upgraded to 8.0.1 - High - CVE-2021-22945 - curl - Upgraded to 8.0.1 - Critical - CVE-2021-22926 - curl - Upgraded to 8.0.1 - High - CVE-2021-22925 - curl - Upgraded to 8.0.1 - Medium - CVE-2021-22924 - curl - Upgraded to 8.0.1 - Low - CVE-2021-22923 - curl - Upgraded to 8.0.1 - Medium - CVE-2021-22922 - curl - Upgraded to 8.0.1 - Medium - CVE-2021-22901 - curl - Upgraded to 8.0.1 - High - CVE-2021-22898 - curl - Upgraded to 8.0.1 - Low - CVE-2021-22897 - curl - Upgraded to 8.0.1 - Medium - CVE-2021-22890 - curl - Upgraded to 8.0.1 - Low - CVE-2021-22876 - curl - Upgraded to 8.0.1 - Medium - CVE-2020-8286 - curl - Upgraded to 8.0.1 - High - CVE-2020-8285 - curl - Upgraded to 8.0.1 - High - CVE-2020-8284 - curl - Upgraded to 8.0.1 - Low - CVE-2020-8231 - curl - Upgraded to 8.0.1 - High - CVE-2020-8177 - curl - Upgraded to 8.0.1 - High - CVE-2020-8169 - curl - Upgraded to 8.0.1 - High - CVE-2022-36227 - libarchive - Upgraded to 3.6.2 - Critical - CVE-2021-31566 - libarchive - Upgraded to 3.6.2 - High - CVE-2021-36976 - libarchive - Upgraded to 3.6.2 - Medium - CVE-2021-3520 - lz4 - Upgraded to 1.9.4 - Critical - CVE-2020-14155 - pcre2 - Upgraded to 10.40 - Medium - CVE-2019-20454 - pcre2 - Upgraded to 10.40 - High - CVE-2019-20838 - pcre2 - Upgraded to 10.40 - High - CVE-2020-14155 - pcre2 - Upgraded to 10.40 - Medium - CVE-2019-20454 - pcre2 - Upgraded to 10.40 - High - CVE-2019-20838 - pcre2 - Upgraded to 10.40 - High - CVE-2022-35737 - sqlite - Upgraded to 3.41.2 - High - | ||
SVD-2023-0808 | 2023-08-30 | 2024-02-14 | August 2023 Third Party Package Updates in Splunk Enterprise | High | - | - | - | - | Splunk Enterprise 8.2 Splunk Enterprise 9.0 Splunk Enterprise 9.1 | 8.2.12 9.0.6 9.1.1 | 8.2.0 to 8.2.11 9.0.0 to 9.0.5 9.1.0 | 8.2.12 9.0.6 9.1.1 | - - - | Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk Enterprise, including the following: | For Splunk Enterprise, upgrade versions to 8.2.12, 9.0.6, or 9.1.1 | N/A | For the CVEs in this list, Splunk adopted the national vulnerability database (NVD) common vulnerability scoring system (CVSS) rating to align with industry standards. | CVE-2022-38900 - decode-uri-component - Upgraded to 6.0.0 - High - CVE-2022-33987 - got - Upgraded to 12.5.3 - Medium - CVE-2022-37601 - loader-utils - Upgraded to 1.4.2 - Critical - CVE-2021-23382 - postcss - Upgraded to 7.0.37 - High - CVE-2021-29060 - color-string - Upgraded to 1.5.5 - Medium - CVE-2022-38900 - decode-uri-component - Upgraded to 0.2.1 - High - CVE-2020-28469 - glob-parent - Upgraded to 5.1.2 - High - CVE-2022-37599 - loader-utils - Upgraded to 2.0.4 - High - CVE-2022-37601 - loader-utils - Upgraded to 2.0.4 - Critical - CVE-2022-37603 - loader-utils - Upgraded to 2.0.4 - High - CVE-2022-3517 - minimatch - Upgraded to 3.0.5 - High - CVE-2022-31129 - moment - Upgraded to 2.29.4 - High - CVE-2021-3803 - nth-check - Upgraded to 2.0.1 - High - CVE-2021-23343 - path-parse - Upgraded to 1.0.7 - High - CVE-2022-24999 - qs - Upgraded to 6.5.3 - High - CVE-2022-25881 - http-cache-semantics - Upgraded to 4.1.1 - High - CVE-2022-42003 - jackson-databind - Upgraded to 2.13.5 - High - CVE-2022-42004 - jackson-databind - Upgraded to 2.13.5 - High - CVE-2021-41182 - jquery-ui - Upgraded to 1.13.2 - Medium - CVE-2021-41183 - jquery-ui - Upgraded to 1.13.2 - Medium - CVE-2021-41184 - jquery-ui - Upgraded to 1.13.2 - Medium - CVE-2022-46175 - json5 - Upgraded to 1.0.2 - High - CVE-2022-36227 - libarchive - 
Upgraded to 3.6.2 - Critical - CVE-2021-31566 - libarchive - Upgraded to 3.6.2 - High - CVE-2021-36976 - libarchive - Upgraded to 3.6.2 - Medium - CVE-2021-3520 - lz4 - Upgraded to 1.9.4 - Critical - CVE-2020-14155 - pcre2 - Upgraded to 10.40 - Medium - CVE-2019-20454 - pcre2 - Upgraded to 10.40 - High - CVE-2019-20838 - pcre2 - Upgraded to 10.40 - High - CVE-2022-35737 - sqlite - Upgraded to 3.41.2 - High - CVE-2022-23491 - certifi - Patched* - High - CVE-2022-23491 - certifi - Upgraded to 2023.5.7** - High - Multiple - curl - Upgraded to 8.0.1*** - High - Multiple - go - Updated golang in mongotools**** - Critical - CVE-2021-30560 - libxslt - Patched***** - High - CVE-2022-2309 - lxml - Patched****** - High - | ||
SVD-2023-0807 | 2023-08-30 | 2023-10-18 | Command Injection in Splunk Enterprise Using External Lookups | High | CVE-2023-40598 | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H | 8.5 | CWE-77 | SPL-230071 | Splunk Enterprise 8.2 Splunk Enterprise 9.0 Splunk Enterprise 9.1 Splunk Cloud - | 8.2.12 9.0.6 9.1.1 9.0.2305.200 | 8.2.0 to 8.2.11 9.0.0 to 9.0.5 9.1.0 9.0.2305.100 and below | 8.2.12 9.0.6 9.1.1 9.0.2305.200 | Splunk Web Splunk Web Splunk Web Splunk Web | In Splunk Enterprise versions below 8.2.12, 9.0.6, and 9.1.1, an attacker can create an external lookup that calls a legacy internal function. The attacker can use this internal function to insert code into the Splunk platform installation directory. From there, a user can execute arbitrary code on the Splunk platform Instance.<br><br>The vulnerability revolves around the currently-deprecated `runshellscript` command that scripted alert actions use. This command, along with external command lookups, lets an attacker use this vulnerability to inject and execute commands within a privileged context from the Splunk platform instance. | Upgrade Splunk Enterprise to either 8.2.12, 9.0.6, or 9.1.1. <br><br>Splunk is actively upgrading and monitoring Splunk Cloud deployments. | If users do not log in to Splunk Web on indexers in a distributed environment, disable Splunk Web on those indexers. See [Disable unnecessary Splunk Enterprise components](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) and the [web.conf configuration specification](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf) file in the Splunk documentation for more information on disabling Splunk Web. | Splunk rates this vulnerability 8.5, High, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H. | Danylo Dmytriiev (DDV_UA) | |
SVD-2023-0806 | 2023-08-30 | 2023-10-18 | Absolute Path Traversal in Splunk Enterprise Using runshellscript.py | High | CVE-2023-40597 | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H | 7.8 | CWE-36 | VULN-5304 | Splunk Enterprise 8.2 Splunk Enterprise 9.0 Splunk Enterprise 9.1 Splunk Cloud - | 8.2.12 9.0.6 9.1.1 9.0.2305.200 | 8.2.0 to 8.2.11 9.0.0 to 9.0.5 9.1.0 9.0.2305.100 and below | 8.2.12 9.0.6 9.1.1 9.0.2305.200 | Splunk Web Splunk Web Splunk Web Splunk Web | In Splunk Enterprise versions lower than 8.2.12, 9.0.6, and 9.1.1, an attacker can exploit an absolute path traversal to execute arbitrary code that is located on a separate disk.<br><br>The runshellscript.py script does not perform adequate user validation. This lets an attacker use the runshellscript.py script to run a script in the root directory of another disk on the machine.<br><br>The exploit requires the attacker to have write access to the drive on which they place the exploit script.<br>This vulnerability only affects Splunk Enterprise Instances that run on Windows. | Upgrade Splunk Enterprise to 8.2.12, 9.0.6, or 9.1.1. <br><br>This vulnerability does not affect Splunk Cloud Platform instances. | No mitigations | Splunk rates this vulnerability a 7.8, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H. <br><br>This vulnerability only affects Splunk Enterprise Instances that run on Windows machines. If your Splunk platform instance does not run on Windows, it is not affected and this vulnerability is considered informational. | Danylo Dmytriiev (DDV_UA) | |
SVD-2023-0805 | 2023-08-30 | 2023-08-30 | Splunk Enterprise on Windows Privilege Escalation due to Insecure OPENSSLDIR Build Definition Reference in DLL | High | CVE-2023-40596 | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H | 7.0 | CWE-665 | VULN-4474 | Splunk Enterprise 8.2 Splunk Enterprise 9.0 Splunk Enterprise 9.1 | 8.2.12 9.0.6 9.1.1 | 8.2.0 to 8.2.11 9.0.0 to 9.0.5 9.1.0 | 8.2.12 9.0.6 9.1.1 | Splunk Web Splunk Web Splunk Web | In Splunk Enterprise versions earlier than 8.2.12, 9.0.6, and 9.1.1, a dynamic link library (DLL) that ships with Splunk Enterprise references an insecure path for the OPENSSLDIR build definition. An attacker can abuse this reference and subsequently install malicious code to achieve privilege escalation on the Windows machine. As part of creating the DLL files within a Splunk Enterprise installation, the build system specifies internal build definition references. If a reference for a build definition is not provided, the build system uses the local directory on the build system when it builds the DLL files. The OPENSSLDIR definition reference was not explicitly provided at build time, which resulted in an insecure path for the OPENSSLDIR definition being encoded into the affected DLL file. An attacker could determine this directory and subsequently create the directory structure locally on the Splunk Enterprise instance, then install malicious code within this directory structure to escalate their privileges on the Windows machine that runs the instance. | Upgrade Splunk Enterprise to versions 8.2.12, 9.0.6, or 9.1.1. This vulnerability does not affect Splunk Cloud Platform. | Restrict the permissions of the user that runs the splunkd process to core functionality. For more information, please review [Harden Your Windows Installation](https://docs.splunk.com/Documentation/Splunk/latest/Security/HardenyourWindowsinstallation). 
| Splunk rates this vulnerability as 7.0, High, with a CVSSv3.1 vector of CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. If you do not run Splunk Enterprise on a Windows machine, then there is no impact and the severity is Informational. | Will Dormann, Vul Labs | |
SVD-2023-0804 | 2023-08-30 | 2023-10-18 | Remote Code Execution via Serialized Session Payload | High | CVE-2023-40595 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | CWE-502 | PRODSECOPS-25334 | Splunk Enterprise 8.2 Splunk Enterprise 9.0 Splunk Enterprise 9.1 Splunk Cloud - | 8.2.12 9.0.6 9.1.1 9.0.2305.200 | 8.2.0 to 8.2.11 9.0.0 to 9.0.5 9.1.0 9.0.2305.100 and below | 8.2.12 9.0.6 9.1.1 9.0.2305.200 | Splunk Web Splunk Web Splunk Web Splunk Web | In Splunk Enterprise versions lower than 8.2.12, 9.0.6, and 9.1.1, an attacker can execute a specially crafted query that they can then use to serialize untrusted data. The attacker can use the query to execute arbitrary code.<br><br>The exploit requires the use of the `collect` SPL command which writes a file within the Splunk Enterprise installation. The attacker can then use this file to submit a serialized payload that can result in execution of code within the payload. | Upgrade Splunk Enterprise to versions 8.2.12, 9.0.6, or 9.1.1. <br><br>For Splunk Cloud Platform, Splunk is actively monitoring and patching affected instances. | If users do not log in to Splunk Web on indexers in a distributed environment, disable Splunk Web on those indexers. See [Disable unnecessary Splunk Enterprise components](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) and the [web.conf configuration specification](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf) file in the Splunk documentation for more information on disabling Splunk Web. | Splunk rated the vulnerability as High, 8.8, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.<br><br>If the Splunk Enterprise instance does not run Splunk Web, there is no impact and the severity is Informational. | Danylo Dmytriiev (DDV_UA) | |
SVD-2023-0803 | 2023-08-30 | 2023-10-18 | Denial of Service (DoS) via the ‘printf’ Search Function | Medium | CVE-2023-40594 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H | 6.5 | CWE-400 | SPL-235294 | Splunk Enterprise 8.2 Splunk Enterprise 9.0 Splunk Enterprise 9.1 Splunk Cloud - | 8.2.12 9.0.6 9.1.1 9.0.2303.100 | 8.2.0 to 8.2.11 9.0.0 to 9.0.5 9.1.0 9.0.2209 and lower | 8.2.12 9.0.6 9.1.1 9.0.2303.100 | Splunk Web Splunk Web Splunk Web Splunk Web | In Splunk Enterprise versions lower than 8.2.12, 9.0.6, and 9.1.1, an attacker can use the ‘printf’ SPL function to perform a denial of service (DoS) against the Splunk Enterprise instance through a crash of the Splunk daemon.<br><br>The `printf` function does not properly validate expressions in certain cases in combination with commands like `fieldformat` that occur earlier in the search pipeline. This failure to validate results in a crash of the Splunk daemon and the subsequent DoS. | Upgrade Splunk Enterprise to versions 8.2.12, 9.0.6, or 9.1.1. <br><br>Splunk is actively monitoring and patching Splunk Cloud Platform instances. | If users do not log in to Splunk Web on indexers in a distributed environment, disable Splunk Web on those indexers. See [Disable unnecessary Splunk Enterprise components](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) and the [web.conf configuration specification](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf) file in the Splunk documentation for more information on disabling Splunk Web. | Splunk has rated this vulnerability as 6.5, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H | Danylo Dmytriiev (DDV_UA) | |
SVD-2023-0802 | 2023-08-30 | 2023-10-18 | Denial of Service (DoS) in Splunk Enterprise Using a Malformed SAML Request | Medium | CVE-2023-40593 | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H | 6.3 | CWE-400 | SPL-219455 | Splunk Enterprise 8.2 Splunk Enterprise 9.0 Splunk Cloud - | 8.2.12 9.0.6 9.0.2205 | 8.2.0 to 8.2.11 9.0.0 to 9.0.5 8.2.2203 | 8.2.12 9.0.6 9.0.2205 | Splunk Web Splunk Web Splunk Web | In Splunk Enterprise versions lower than 9.0.6, and 8.2.12, an attacker can send a malformed security assertion markup language (SAML) request to the `/saml/acs` REST endpoint which can cause a denial of service through a crash or hang of the Splunk daemon.<br><br>The SAML extensible markup language (XML) parser does not fail SAML signature validation when the attacker modifies the URI in the SAML request. Instead it attempts to access the modified URI, which causes the Splunk daemon to crash or hang. | Upgrade Splunk Enterprise to versions 8.2.12 and 9.0.6. This vulnerability does not affect Splunk Enterprise versions 9.1.0 and higher.<br><br>Splunk is actively monitoring and patching Splunk Cloud Platform instances. | Disable single sign-on using SAML as an authentication scheme (SAML SSO). For more information on this type of configuration, see [Configure single sign-on with SAML](https://docs.splunk.com/Documentation/SplunkCloud/latest/Security/HowSAMLSSOworks) in the Splunk documentation. | Splunk rates this vulnerability as 6.3, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H. <br><br>If your Splunk Enterprise Instance does not use SAML as an authentication scheme for SSO, it is not affected and this vulnerability can be considered informational. | Aaron Devaney (Dodekeract) | |
SVD-2023-0801 | 2023-08-30 | 2023-10-18 | Reflected Cross-site Scripting (XSS) on "/app/search/table" web endpoint | High | CVE-2023-40592 | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H | 8.4 | CWE-79 | VULN-5287 | Splunk Enterprise 8.2 Splunk Enterprise 9.0 Splunk Enterprise 9.1 Splunk Cloud - | 8.2.12 9.0.6 9.1.1 9.0.2305.200 | 8.2.0 to 8.2.11 9.0.0 to 9.0.5 9.1.0 9.0.2305.100 and below | 8.2.12 9.0.6 9.1.1 9.0.2305.200 | Splunk Web Splunk Web Splunk Web Splunk Web | In Splunk Enterprise versions below 9.1.1, 9.0.6, and 8.2.12, an attacker can craft a special web request that can result in reflected cross-site scripting (XSS) on the “/app/search/table” web endpoint, which presents as the “Create Table View” page in Splunk Web. Exploitation of this vulnerability can lead to the execution of arbitrary commands on the Splunk platform instance.<br><br>A JavaScript file within this web endpoint does not properly validate input which lets an attacker insert a payload into a function. | Upgrade Splunk Enterprise to versions 8.2.12, 9.0.6, or 9.1.1.<br><br>Splunk is actively monitoring and patching Splunk Cloud Platform instances. | If users do not log in to Splunk Web on indexers in a distributed environment, disable Splunk Web on those indexers. See [Disable unnecessary Splunk Enterprise components](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) and the [web.conf configuration specification](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf) file in the Splunk documentation for more information on disabling Splunk Web. | Splunk rated this vulnerability as 8.4, High, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H | Danylo Dmytriiev (DDV_UA) | |
SVD-2023-0702 | 2023-07-31 | 2023-10-18 | Unauthenticated Log Injection In Splunk SOAR | High | CVE-2023-3997 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H | 8.6 | CWE-117 | SPL-241869 | Splunk SOAR (On-premises) Splunk SOAR (Cloud) | 6.1.0 6.1.0 | 6.0.2 and lower 6.0.2 and lower | 6.1.0 6.1.0 | SOAR SOAR | In Splunk SOAR versions lower than 6.1.0, a maliciously crafted request to a web endpoint through Splunk SOAR can inject ANSI (American National Standards Institute) escape codes into Splunk log files that, when a vulnerable terminal application reads them, can potentially result in malicious code execution in the vulnerable application. This attack requires a Splunk SOAR user to use a terminal application that supports the translation of ANSI escape codes to read the malicious log file locally in the vulnerable application. The attack further requires the terminal user to execute the code. This vulnerability does not directly affect Splunk SOAR, only indirectly through the permissions in the user’s terminal. The indirect impact on Splunk SOAR can vary significantly depending on the permissions in the vulnerable terminal application and where and how the terminal user reads the malicious log file. For example, a terminal user can unknowingly copy the malicious file from the Splunk SOAR instance and read it on their local machine. In this case, that local machine would be affected. | Splunk SOAR (On-premises): Upgrade to version 6.1.0. Splunk SOAR (Cloud): No action is required. Splunk is actively patching and monitoring the Splunk SOAR (Cloud) instances. | If it is not currently practical to upgrade to Splunk SOAR version 6.1.0, you can partially mitigate the risk. As a partial, general mitigation, you can protect Splunk SOAR users from log injections via ANSI escape characters by disabling the ability to process ANSI escape codes in terminal applications or by using a terminal application that supports the filtering of ANSI codes. 
| Splunk rates this vulnerability as High, 8.6, with a CVSS vector of CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H. **Attack Vector:** The attack initially occurs at the network layer through an HTTP web request from the attacker to the vulnerable Splunk SOAR instance. However, this initial attack vector does not align with the CVSS metrics for “Attack Vector”. In most vulnerabilities that Splunk rates, the vector would align with CVSS metrics, but the CVSS specification provides two qualifications for the “Local” metric. Specifically, the second qualification states the following: *“The attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document).”* The attack mirrors this qualification, requiring another user to open a malicious document, for example, the injected log file. Because of this, Splunk rated this Attack Vector as “Local” per the CVSS v3.1 Specification Document. **Attack Complexity:** This vulnerability requires no additional preparation from the attacker, and there are no extenuating circumstances for exploiting this vulnerability. **Privileges Required:** This vulnerability does not require additional privileges and occurs through an unauthenticated web request to Splunk SOAR. **User Interaction:** This vulnerability requires users to open or read the malicious document, file, or log for successful execution. **Scope:** This vulnerability does not affect Splunk SOAR directly, only indirectly through the authorized permissions in the user’s terminal. This vulnerability directly affects the user’s terminal, which falls outside of Splunk’s security authority. As such, this vulnerability qualifies for a Change in Scope, as defined by the CVSS standard. **Confidentiality/Integrity/Availability:** This vulnerability enables potential remote code execution within the context of a user’s terminal. 
Because of this, out of an abundance of caution, Splunk rated the impact on the user’s terminal as High for Confidentiality, Integrity and Availability. The indirect impact on Splunk SOAR might vary significantly depending on how the terminal user configured permissions in their terminal application. | STÖK / Fredrik Alexandersson | |
SVD-2023-0701 | 2023-07-17 | 2023-07-17 | Splunk SOAR Cryptography Python Package Upgrade Incompatibility | Informational | - | - | - | - | Splunk SOAR (On-premises) 6.1 Splunk SOAR (Cloud) 6.1 | 6.1.1 6.1.1 | 6.1.1 and above 6.1.1 and above | 6.1.1 6.1.1 | Custom Apps Custom Apps | In Splunk Security Orchestration, Automation and Response (SOAR) version 6.1.1, Splunk upgraded the Python cryptography library within the app to version 41.0.1. This version of the cryptography library may cause Python module import problems during execution, if a specific version of the library is used for a custom app. The problem occurs when the cryptography library that you specify as a dependency for your custom app is a version that is lower than or equal to version 39.0.1. | To address the incompatibility, specify a version of the library package on your custom app dependency to a version that is higher than 39.0.1. For more information on how to create a custom app using the SOAR App Wizard, see [Create an app with the App Wizard](https://docs.splunk.com/Documentation/SOAR/current/DevelopApps/CreateAnAppWithTheAppEditor) in the Splunk SOAR documentation. | N/A | N/A | CVE-2023-23931 - Cryptography, Python - Upgraded to 41.0.1 - Medium - CVE-2023-0286 - Cryptography, Python - Upgraded to 41.0.1 - High - | ||
SVD-2023-0615 | 2023-06-01 | 2023-06-01 | June Third Party Package Updates in Splunk Cloud | High | - | - | - | - | Splunk Cloud | 9.0.2303.100 | 9.0.2303 and lower | 9.0.2303.100 | - | Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk Cloud, including the following: | For Splunk Cloud Platform, Splunk is actively patching and monitoring the Splunk Cloud instances. | N/A | For the CVEs listed above, Splunk adopted the national vulnerability database (NVD) CVSS rating to align with industry standards. | CVE-2022-40303 - libxml2 - Patched - High - CVE-2022-40304 - libxml2 - Patched - High - CVE-2022-23491 - certifi - Upgraded to 2022.12.7 - High - CVE-2022-43680 - python3 - Upgraded to 3.7.16 - High - CVE-2023-0286 - OpenSSL 1.0.2 - Upgraded to 1.0.2zg - High - CVE-2023-0215 - OpenSSL 1.0.2 - Upgraded to 1.0.2zg - High - CVE-2022-4304 - OpenSSL 1.0.2 - Upgraded to 1.0.2zg - Medium - CVE-2022-33987 - got - Upgraded to 12.5.3 - Medium - | ||
SVD-2023-0614 | 2023-06-01 | 2023-06-01 | June Third Party Package Updates in Splunk Universal Forwarders | Critical | - | - | - | - | Universal Forwarders 8.1 Universal Forwarders 8.2 Universal Forwarders 9.0 | 8.1.14 8.2.11 9.0.5 | 8.1.13 and Lower 8.2.0 to 8.2.10 9.0.0 to 9.0.4 | 8.1.14 8.2.11 9.0.5 | - - - | Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in versions 8.1.14, 8.2.11, and 9.0.5 of Splunk Universal Forwarder, including the following: | For Splunk Universal Forwarder, upgrade versions to 8.1.14, 8.2.11, 9.0.5, or higher. | N/A | For the CVEs listed above, Splunk adopted the national vulnerability database (NVD) CVSS rating to align with industry standards. | CVE-2022-40303 - libxml2 - Patched - High - CVE-2022-40304 - libxml2 - Patched - High - CVE-2023-0286 - OpenSSL 1.0.2 - Upgraded to 1.0.2zg - High - CVE-2023-0215 - OpenSSL 1.0.2 - Upgraded to 1.0.2zg - High - CVE-2022-4304 - OpenSSL 1.0.2 - Upgraded to 1.0.2zg - Medium - CVE-2023-27538 - curl - Upgraded to 8.0.1 - Medium - CVE-2023-27537 - curl - Upgraded to 8.0.1 - Medium - CVE-2023-27536 - curl - Upgraded to 8.0.1 - Critical - CVE-2023-27535 - curl - Upgraded to 8.0.1 - High - CVE-2023-27534 - curl - Upgraded to 8.0.1 - High - CVE-2023-27533 - curl - Upgraded to 8.0.1 - High - CVE-2023-23916 - curl - Upgraded to 8.0.1 - Medium - CVE-2023-23915 - curl - Upgraded to 8.0.1 - Medium - CVE-2023-23914 - curl - Upgraded to 8.0.1 - Critical - CVE-2022-43552 - curl - Upgraded to 8.0.1 - Medium - CVE-2022-43551 - curl - Upgraded to 8.0.1 - High - CVE-2022-42916 - curl - Upgraded to 8.0.1 - High - CVE-2022-42915 - curl - Upgraded to 8.0.1 - Critical - CVE-2022-35260 - curl - Upgraded to 8.0.1 - Medium - CVE-2022-32221 - curl - Upgraded to 8.0.1 - Critical - CVE-2022-35252 - curl - Upgraded to 8.0.1 - Low - CVE-2022-32208 - curl - Upgraded to 8.0.1 - Medium - CVE-2022-32207 - curl - Upgraded to 8.0.1 - Critical - CVE-2022-32206 - curl - Upgraded to 8.0.1 - Medium - 
CVE-2022-32205 - curl - Upgraded to 8.0.1 - Medium - CVE-2022-30115 - curl - Upgraded to 8.0.1 - Medium - CVE-2022-27782 - curl - Upgraded to 8.0.1 - High - CVE-2022-27781 - curl - Upgraded to 8.0.1 - High - CVE-2022-27780 - curl - Upgraded to 8.0.1 - High - CVE-2022-27779 - curl - Upgraded to 8.0.1 - Medium - CVE-2022-27778 - curl - Upgraded to 8.0.1 - High - CVE-2022-27776 - curl - Upgraded to 8.0.1 - Medium - CVE-2022-27775 - curl - Upgraded to 8.0.1 - High - CVE-2022-27774 - curl - Upgraded to 8.0.1 - Medium - CVE-2022-22576 - curl - Upgraded to 8.0.1 - High - CVE-2021-22947 - curl - Upgraded to 8.0.1 - Medium - CVE-2021-22946 - curl - Upgraded to 8.0.1 - High - CVE-2021-22945 - curl - Upgraded to 8.0.1 - Critical - CVE-2021-22926 - curl - Upgraded to 8.0.1 - High - CVE-2021-22925 - curl - Upgraded to 8.0.1 - Medium - CVE-2021-22924 - curl - Upgraded to 8.0.1 - Low - CVE-2021-22923 - curl - Upgraded to 8.0.1 - Medium - CVE-2021-22922 - curl - Upgraded to 8.0.1 - Medium - CVE-2021-22901 - curl - Upgraded to 8.0.1 - High - CVE-2021-22898 - curl - Upgraded to 8.0.1 - Low - CVE-2021-22897 - curl - Upgraded to 8.0.1 - Medium - CVE-2021-22890 - curl - Upgraded to 8.0.1 - Low - CVE-2021-22876 - curl - Upgraded to 8.0.1 - Medium - CVE-2020-8286 - curl - Upgraded to 8.0.1 - High - CVE-2020-8285 - curl - Upgraded to 8.0.1 - High - CVE-2020-8284 - curl - Upgraded to 8.0.1 - Low - CVE-2020-8231 - curl - Upgraded to 8.0.1 - High - CVE-2020-8177 - curl - Upgraded to 8.0.1 - High - CVE-2020-8169 - curl - Upgraded to 8.0.1 - High - CVE-2022-36227 - libarchive - Upgraded to 3.6.2 - Critical - CVE-2021-31566 - libarchive - Upgraded to 3.6.2 - High - CVE-2021-36976 - libarchive - Upgraded to 3.6.2 - Medium - CVE-2021-3520 - lz4 - Upgraded to 1.9.4 - Critical - CVE-2022-35737 - SQLite - Upgraded to 3.41.2 - High - CVE-2018-25032 - zlib - Applied patch - High - CVE-2022-37434 - zlib - Applied patch - Critical - | ||
SVD-2023-0613 | 2023-06-01 | 2024-01-09 | June Third Party Package Updates in Splunk Enterprise | High | - | - | - | - | Splunk Enterprise 8.1 Splunk Enterprise 8.2 Splunk Enterprise 9.0 | 8.1.14 8.2.11 9.0.5 | 8.1.13 and Lower 8.2.0 to 8.2.10 9.0.0 to 9.0.4 | 8.1.14 8.2.11 9.0.5 | - - - | Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in versions 8.1.14, 8.2.11, and 9.0.5 of Splunk Enterprise, including the following: | For Splunk Enterprise, upgrade versions to 8.1.14, 8.2.11, 9.0.5, or higher. | N/A | For the CVEs listed above, Splunk adopted the national vulnerability database (NVD) CVSS rating to align with industry standards. | CVE-2022-40303 - libxml2 - Patched - High - CVE-2022-40304 - libxml2 - Patched - High - CVE-2023-0286 - OpenSSL 1.0.2 - Upgraded to 1.0.2zg - High - CVE-2023-0215 - OpenSSL 1.0.2 - Upgraded to 1.0.2zg - High - CVE-2022-4304 - OpenSSL 1.0.2 - Upgraded to 1.0.2zg - Medium - CVE-2023-27538 - curl - Upgraded to 8.0.1 - Medium - CVE-2023-27537 - curl - Upgraded to 8.0.1 - Medium - CVE-2023-27536 - curl - Upgraded to 8.0.1 - Critical - CVE-2023-27535 - curl - Upgraded to 8.0.1 - High - CVE-2023-27534 - curl - Upgraded to 8.0.1 - High - CVE-2023-27533 - curl - Upgraded to 8.0.1 - High - CVE-2023-23916 - curl - Upgraded to 8.0.1 - Medium - CVE-2023-23915 - curl - Upgraded to 8.0.1 - Medium - CVE-2023-23914 - curl - Upgraded to 8.0.1 - Critical - CVE-2022-43552 - curl - Upgraded to 8.0.1 - Medium - CVE-2022-43551 - curl - Upgraded to 8.0.1 - High - CVE-2022-42916 - curl - Upgraded to 8.0.1 - High - CVE-2022-42915 - curl - Upgraded to 8.0.1 - Critical - CVE-2022-35260 - curl - Upgraded to 8.0.1 - Medium - CVE-2022-32221 - curl - Upgraded to 8.0.1 - Critical - CVE-2022-35252 - curl - Upgraded to 8.0.1 - Low - CVE-2022-32208 - curl - Upgraded to 8.0.1 - Medium - CVE-2022-32207 - curl - Upgraded to 8.0.1 - Critical - CVE-2022-32206 - curl - Upgraded to 8.0.1 - Medium - CVE-2022-32205 - curl - Upgraded to 8.0.1 - 
Medium - CVE-2022-30115 - curl - Upgraded to 8.0.1 - Medium - CVE-2022-27782 - curl - Upgraded to 8.0.1 - High - CVE-2022-27781 - curl - Upgraded to 8.0.1 - High - CVE-2022-27780 - curl - Upgraded to 8.0.1 - High - CVE-2022-27779 - curl - Upgraded to 8.0.1 - Medium - CVE-2022-27778 - curl - Upgraded to 8.0.1 - High - CVE-2022-27776 - curl - Upgraded to 8.0.1 - Medium - CVE-2022-27775 - curl - Upgraded to 8.0.1 - High - CVE-2022-27774 - curl - Upgraded to 8.0.1 - Medium - CVE-2022-22576 - curl - Upgraded to 8.0.1 - High - CVE-2021-22947 - curl - Upgraded to 8.0.1 - Medium - CVE-2021-22946 - curl - Upgraded to 8.0.1 - High - CVE-2021-22945 - curl - Upgraded to 8.0.1 - Critical - CVE-2021-22926 - curl - Upgraded to 8.0.1 - High - CVE-2021-22925 - curl - Upgraded to 8.0.1 - Medium - CVE-2021-22924 - curl - Upgraded to 8.0.1 - Low - CVE-2021-22923 - curl - Upgraded to 8.0.1 - Medium - CVE-2021-22922 - curl - Upgraded to 8.0.1 - Medium - CVE-2021-22901 - curl - Upgraded to 8.0.1 - High - CVE-2021-22898 - curl - Upgraded to 8.0.1 - Low - CVE-2021-22897 - curl - Upgraded to 8.0.1 - Medium - CVE-2021-22890 - curl - Upgraded to 8.0.1 - Low - CVE-2021-22876 - curl - Upgraded to 8.0.1 - Medium - CVE-2020-8286 - curl - Upgraded to 8.0.1 - High - CVE-2020-8285 - curl - Upgraded to 8.0.1 - High - CVE-2020-8284 - curl - Upgraded to 8.0.1 - Low - CVE-2020-8231 - curl - Upgraded to 8.0.1 - High - CVE-2020-8177 - curl - Upgraded to 8.0.1 - High - CVE-2020-8169 - curl - Upgraded to 8.0.1 - High - CVE-2022-36227 - libarchive - Upgraded to 3.6.2 - Critical - CVE-2021-31566 - libarchive - Upgraded to 3.6.2 - High - CVE-2021-36976 - libarchive - Upgraded to 3.6.2 - Medium - CVE-2021-3520 - lz4 - Upgraded to 1.9.4 - Critical - CVE-2022-35737 - SQLite - Upgraded to 3.41.2 - High - CVE-2018-25032 - zlib - Applied patch - High - CVE-2022-37434 - zlib - Applied patch - Critical - CVE-2020-15138 - prismjs - Upgraded to 1.2.9 - High - CVE-2022-37616 - xmldom - Upgraded to 0.7.9 - Critical - 
CVE-2021-29060 - color-string - Upgraded to 1.5.5 - Medium - CVE-2022-38900 - decode-uri-component - Upgraded to 0.2.1 - High - CVE-2020-28469 - glob-parent - Upgraded to 5.1.2 - High - CVE-2022-46175 - json5 - Upgraded to 1.0.2 - High - CVE-2022-46175 - json5 - Upgraded to 2.2.3 - High - CVE-2022-37599 - loader-utils - Upgraded to 2.0.4 - High - CVE-2022-37601 - loader-utils - Upgraded to 2.0.4 - Critical - CVE-2022-37603 - loader-utils - Upgraded to 2.0.4 - High - CVE-2022-3517 - minimatch - Upgraded to 3.0.5 - High - CVE-2022-31129 - moment - Upgraded to 2.29.4 - High - CVE-2021-23343 - path-parse - Upgraded to 1.0.7 - High - CVE-2021-23368 - postcss - Upgraded to 7.0.36 - Medium - CVE-2021-23382 - postcss - Upgraded to 7.0.36 - High - CVE-2022-43680 - python3 - Upgraded to 3.7.16 - High - CVE-2022-24999 - qs - Upgraded to 6.5.3 - High - CVE-2020-7753 - ssri - Upgraded to 6.0.2 - High - CVE-2022-25858 - terser - Upgraded to 4.8.1 - High - CVE-2021-3803 - nth-check - Upgraded to 2.0.1 - High - CVE-2020-7753 - trim - Upgraded to 0.0.3 - High - CVE-2021-33587 - css-what - Upgraded to 5.0.1 - High - CVE-2020-8116 - dot-prop - Upgraded to 4.2.1 - High - CVE-2020-13822 - elliptic - Upgraded to 6.5.4 - High - CVE-2022-33987 - got - Upgraded to 12.5.3 - Medium - CVE-2022-4200 - jackson-databind - Upgraded to 2.13.5 - Medium - CVE-2022-42004 - jackson-databind - Upgraded to 2.13.5 - High - CVE-2023-1370 - json-smart - Upgraded to 2.4.9 - High - CVE-2019-20149 - kind-of - Upgraded to 6.0.3 - High - CVE-2022-37601 - loader-utils - Upgraded to 1.4.2 - Critical - CVE-2022-37601 - loader-utils - Upgraded to 2.0.4 - Critical - CVE-2020-8203 - lodash - Upgraded to 4.17.21 - High - CVE-2019-10744 - lodash-es - Upgraded to 4.17.21 - Critical - CVE-2022-40023 - mako - Patched* - High - CVE-2022-40023 - mako - Upgraded to 1.2.4** - High - CVE-2019-10746 - mixin-deep - Upgraded to 1.3.2 - Critical - CVE-2021-23382 - postcss - Upgraded to 7.0.37 - High - CVE-2021-33502 - 
normalize-url - Upgraded to 6.1.0 - High - CVE-2021-27292 - ua-parser-js - Upgraded to 0.7.35 - High - CVE-2021-33503 - urllib3 - Upgraded to 1.26.6 - High - CVE-2020-7662 - websocket-extensions - Upgraded to 0.1.4 - High - CVE-2020-7774 - y18n - Upgraded to 4.0.3 - Critical - CVE-2022-23806 - go, crypto/elliptic - Upgraded go to 1.2 - Critical - CVE-2022-23772 - go, math/big - Upgraded go to 1.2 - High - CVE-2021-43565 - go, x/crypto - Upgraded go to 1.2 - High - CVE-2022-30580 - go, os/exec - Upgraded go to 1.2 - High - CVE-2022-30633 - go, encoding/xml - Upgraded go to 1.2 - High - CVE-2022-28131 - go, encoding/xml - Upgraded go to 1.2 - High - CVE-2022-30632 - go, path/filepath - Upgraded go to 1.2 - High - CVE-2022-41716 - go - Upgraded go to 1.2 - High - CVE-2022-28327 - go, crypto/elliptic - Upgraded go to 1.2 - High - CVE-2022-24921 - go - Upgraded go to 1.2 - High - CVE-2022-30630 - go, io/fs - Upgraded go to 1.2 - High - CVE-2022-27191 - go, crypto/ssh - Upgraded go to 1.2 - High - CVE-2022-23773 - go, cmd/go - Upgraded go to 1.2 - High - CVE-2022-30634 - go, crypto/rand - Upgraded go to 1.2 - High - CVE-2022-41715 - go - Upgraded go to 1.2 - High - CVE-2022-24675 - go, encoding/pem - Upgraded go to 1.2 - High - CVE-2022-41720 - go - Upgraded go to 1.2 - High - CVE-2022-27664 - go, net/http - Upgraded go to 1.2 - High - CVE-2022-2880 - go, net/http - Upgraded go to 1.2 - High - CVE-2022-29804 - go, path/filepath - Upgraded go to 1.2 - High - CVE-2022-32189 - go, math/big - Upgraded go to 1.2 - High - CVE-2022-30635 - go, encoding/gob - Upgraded go to 1.2 - High - CVE-2022-30631 - go, compress/gzip - Upgraded go to 1.2 - High - CVE-2022-2879 - go - Upgraded go to 1.2 - High - CVE-2022-1705 - go, net/http - Upgraded go to 1.2 - Medium - CVE-2022-1962 - go, go/parse - Upgraded go to 1.2 - Medium - CVE-2022-29526 - go, sys - Upgraded go to 1.2 - Medium - CVE-2022-32148 - go, net/http - Upgraded go to 1.2 - Medium - CVE-2022-30629 - go, crypto/tls - Upgraded 
go to 1.2 - Low - CVE-2017-16042 - Growl - Upgraded to 1.10.5 - Critical - CVE-2021-20095 - Babel - Upgraded to 2.9.1 - Medium - | ||
SVD-2023-0612 | 2023-06-01 | 2023-06-01 | Role-based Access Control (RBAC) Bypass on '/services/indexing/preview' REST Endpoint Can Overwrite Search Results | Medium | CVE-2023-32717 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N | 4.3 | CWE-285 | SPL-237454 | Splunk Enterprise 8.1 Splunk Enterprise 8.2 Splunk Enterprise 9.0 Splunk Cloud Platform | 8.1.14 8.2.11 9.0.5 9.0.2303.100 | 8.1.0 to 8.1.13 8.2.0 to 8.2.10 9.0.0 to 9.0.4 9.0.2303 and below | 8.1.14 8.2.11 9.0.5 9.0.2303.100 | Splunk Web Splunk Web Splunk Web Splunk Web | An unauthorized user can access the '/services/indexing/preview' REST endpoint to overwrite search results if they know the search ID (SID) of an existing search job. This is because the endpoint does not honor role-based access controls (RBAC) with respect to SID ownership. The exploit requires that the user hold a role that has the 'edit_monitor' and 'edit_upload_and_index' capabilities assigned to it. | For Splunk Enterprise, upgrade to versions 9.0.5, 8.2.11, or 8.1.14 and higher. For Splunk Cloud Platform, Splunk is monitoring and patching affected instances. | Remove the 'edit_monitor' and 'edit_upload_and_index' capabilities from roles that low-privilege user accounts hold. Ensure that all REST endpoints have the proper access control lists (ACLs) applied to them. | Splunk rated this vulnerability as Medium, 4.3, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. | Scott Calvert, Splunk | |
SVD-2023-0611 | 2023-06-01 | 2023-06-01 | Denial of Service via the 'dump' SPL command | Medium | CVE-2023-32716 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H | 6.5 | CWE-754 | SPL-235572 | Splunk Enterprise 8.1 Splunk Enterprise 8.2 Splunk Enterprise 9.0 Splunk Cloud Platform | 8.1.14 8.2.11 9.0.5 9.0.2303.100 | 8.1.0 to 8.1.13 8.2.0 to 8.2.10 9.0.0 to 9.0.4 9.0.2303 and below | 8.1.14 8.2.11 9.0.5 9.0.2303.100 | Splunk Web Splunk Web Splunk Web Splunk Web | An attacker can exploit a vulnerability in the 'dump' SPL command to cause a denial of service by crashing the Splunk daemon. If the attacker supplies a longer-than-expected filename with the command, a memory access violation, or segmentation fault, occurs, which results in a crash of the Splunk platform instance. | For Splunk Enterprise, upgrade to versions 9.0.5, 8.2.11, 8.1.14, and higher. For Splunk Cloud Platform, Splunk is actively monitoring and patching affected instances. | Remove the 'run_dump' capability from any roles that users hold. | Splunk rated this vulnerability as Medium, 6.5, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. | Danylo Dmytriiev (DDV_UA) | |
SVD-2023-0610 | 2023-06-01 | 2023-06-01 | Self Cross-Site Scripting (XSS) on Splunk App for Lookup File Editing | Medium | CVE-2023-32715 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N | 4.7 | CWE-79 | LOOKUP-176 | Splunk App for Lookup File Editing 4.0 | 4.0.1 | 4.0 and lower | 4.0.1 | | A user can insert potentially malicious JavaScript code into the Splunk App for Lookup File Editing, which causes the code to run on the user’s machine. | Upgrade the Splunk App for Lookup Editing to version 4.0.1 or higher. | Disable the Splunk App for Lookup File Editing if you do not require it and cannot upgrade it. If users do not log in to Splunk Web on indexers in a distributed environment, disable Splunk Web on those indexers. See [Disable unnecessary Splunk Enterprise components](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) and the [web.conf configuration specification file](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf) in the Splunk documentation for more information on disabling Splunk Web. | Splunk rated this vulnerability as Medium, 4.7, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N. | ||
SVD-2023-0609 | 2023-06-01 | 2023-06-01 | Information Disclosure via the ‘copyresults’ SPL Command | Medium | CVE-2023-32710 | CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N | 4.8 | CWE-200 | SPL-234996 | Splunk Enterprise 8.1 Splunk Enterprise 8.2 Splunk Enterprise 9.0 Splunk Cloud Platform | 8.1.14 8.2.11 9.0.5 9.0.2303.100 | 8.1.0 to 8.1.13 8.2.0 to 8.2.10 9.0.0 to 9.0.4 9.0.2303 and lower | 8.1.14 8.2.11 9.0.5 9.0.2303.100 | Splunk Web Splunk Web Splunk Web Splunk Web | A low-privileged user can perform an unauthorized transfer of data from a search using the ‘copyresults’ command if they know the search ID (SID) of a search job that has recently run. | For Splunk Enterprise, upgrade versions to 8.1.14, 8.2.11, 9.0.5, or higher. For Splunk Cloud Platform, Splunk is actively patching and monitoring the Splunk Cloud instances. | N/A | Splunk rated the vulnerability as Medium, 4.8, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N. | Anton (therceman) | |
SVD-2023-0608 | 2023-06-01 | 2023-06-01 | Path Traversal in Splunk App for Lookup File Editing | High | CVE-2023-32714 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N | 8.1 | CWE-35 | LOOKUP-177 | Splunk App for Lookup File Editing 4.0 | 4.0.1 | 4.0 and lower | 4.0.1 | | A low-privileged user with access to the Splunk App for Lookup File Editing can, with a specially crafted web request, trigger a path traversal exploit that can then be used to read and write to restricted areas of the Splunk installation directory. | Upgrade the Splunk App for Lookup Editing to version 4.0.1 or higher. | N/A | Splunk rated the vulnerability as High, 8.1, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N. | Torjus Bryne Retterstøl, Binary Security | |
SVD-2023-0607 | 2023-06-01 | 2023-06-01 | Local Privilege Escalation via the ‘streamfwd’ program in Splunk App for Stream | High | CVE-2023-32713 | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H | 7.8 | CWE-269 | STREAM-5290 | Splunk App for Stream 8.1 | 8.1.1 | 8.1 and lower | 8.1.1 | streamfwd | A low-privileged user could use a vulnerability in the streamfwd process within the Splunk App for Stream to escalate their privileges on the machine that runs the Splunk Enterprise instance, up to and including the root user. | Upgrade the Splunk App for Stream to version 8.1.1 or higher. | * Install the Splunk App for Stream as a high-privileged user, for example, one that has been added to the /etc/sudoers file on the machine that runs the instance (on machines that run *nix). * Limit user access to the ‘streamfwd’ process by removing all but privileged users' ability to run the process. * Disable the Splunk App for Stream if you do not require it and cannot upgrade it. | Splunk rated the vulnerability as High, 7.8, with a CVSSv3.1 vector of CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H. If the instance does not run the Splunk App for Stream, then there is no impact and the severity is Informational. | Ben Leonard-Lagarde & Lucas Fedyniak-Hopes (Modux) | |
SVD-2023-0606 | 2023-06-01 | 2023-10-18 | Unauthenticated Log Injection in Splunk Enterprise | High | CVE-2023-32712 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H | 8.6 | CWE-117 | SPL-235259 | Splunk Enterprise 8.2 Splunk Enterprise 9.0 Splunk Enterprise 9.1 Universal Forwarder 8.2 Universal Forwarder 9.0 Universal Forwarder 9.1 | 8.2.11.2 9.0.5.1 9.1.0.2 8.2.12 9.0.6 9.1.1 | 8.2.0 to 8.2.11.1 9.0.0 to 9.0.5 9.1.0 to 9.1.0.1 8.2.11 and below 9.0.0 to 9.0.5 9.1.0 to 9.1.0.1 | 8.2.11.2 9.0.5.1 9.1.0.2 8.2.12 9.0.6 9.1.1 | - - - REST API REST API REST API | In Splunk Enterprise versions below 9.1.0.2, 9.0.5.1, and 8.2.11.2, an attacker can inject American National Standards Institute (ANSI) escape codes into Splunk log files that, when a vulnerable terminal application reads them, can potentially, at worst, result in possible code execution in the vulnerable application. This attack requires a user to use a terminal application that supports the translation of ANSI escape codes to read the malicious log file locally in the vulnerable terminal, and to perform additional user interaction to exploit. Universal Forwarder versions 9.1.0.1, 9.0.5, 8.2.11, and lower can be vulnerable in the following situations: * The forwarders have been configured to have management services active * The active management services are exposed and accessible from the network By default, all Universal Forwarder 9.0 and 9.1 versions bind management services to the local machine (localhost) and are not vulnerable in this specific configuration. See [SVD-2022-0605](https://advisory.splunk.com/advisories/SVD-2022-0605) for more information. Universal Forwarder versions 9.1 and higher use Unix Domain Sockets (UDS) for communication, further reducing the potential attack surface. The vulnerability does not directly affect Splunk Enterprise or Splunk Universal Forwarder. 
The indirect impact on the Splunk Enterprise instance and Universal Forwarders can vary significantly depending on the permissions in the vulnerable terminal application and where and how the user reads the malicious log file. For example, users can copy the malicious file from the Splunk Enterprise instance and read it on their local machine. | For Splunk Enterprise, upgrade to version 8.2.11.2, 9.0.5.1, or 9.1.0.2. For Splunk Universal Forwarder, upgrade to version 8.2.12, 9.0.6, or 9.1.1. This vulnerability does not affect Splunk Cloud Platform instances directly. Where possible, Splunk Cloud Platform customers with on-premises Splunk infrastructure, including universal and heavy forwarders, deployment servers, and license servers, must upgrade that infrastructure to reduce their attack surface. Upgrading or mitigating the issue prevents future log injections. However, logs that were created before performing the upgrades or mitigations can still pose a risk. Where applicable, remove Splunk Enterprise log files in the $SPLUNK_HOME/var/log/splunk/ directory. | As a partial mitigation, users can protect themselves from log injections via ANSI escape characters in general, by disabling the ability to process ANSI escape codes in terminal applications or using a terminal application that supports the filtering of ANSI codes. For Universal Forwarder versions 8.2.x, configure management services to only accept inbound connections from the local machine (localhost). For Universal Forwarder versions 9.0.x and 9.1.x, confirm that management services only accept inbound connections from localhost. To deactivate remote management services on Universal Forwarder: * In the [server.conf](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Serverconf) configuration file on UF, under the [httpServer] stanza, give the `disableDefaultPort` setting a value of `true`, or, under the [general] stanza, give the `allowRemoteLogin` setting a value of `never`. 
See [Configure universal forwarder management security](https://docs.splunk.com/Documentation/Splunk/latest/Security/EnableTLSCertHostnameValidation#Configure_universal_forwarder_management_security) in Securing Splunk Enterprise for more information on deactivating remote management services. For improved overall security on UF versions 9.1.x and higher, where applicable, consider configuring the UF to use UDS for communication. In the [server.conf](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Serverconf) configuration file, under the [httpServer] stanza, give the `mgmtMode` setting a value of `UDS` (or `default`). | Splunk rates the vulnerability as High, 8.6, with a CVSS Vector of CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H. **Attack Vector:** The attack initially occurs at the network layer through an HTTP web request from the attacker to the vulnerable Splunk Enterprise instance. However, this initial attack vector does not align with the CVSS metrics for "Attack Vector." In most vulnerabilities that Splunk rates, the vector would align with those metrics, but the CVSS specification provides two qualifications for the "Local" metric. Specifically, the second qualification states the following: "_the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document)._" The attack mirrors this example, requiring the user to open a malicious document, for example, the injected log file. Because of this, Splunk rated the Attack Vector as "Local" per the CVSS v3.1 Specification Document. **Attack Complexity:** The vulnerability requires no additional preparation from the attacker, and there are no extenuating circumstances for exploiting the vulnerability. 
**Privileges Required:** The vulnerability does not require attacker privileges and occurs through an unauthenticated request to the Splunk Enterprise instance. **User Interaction:** The vulnerability requires users to open or read the malicious document, file, or log for successful execution. **Scope:** The vulnerability does not affect Splunk Enterprise directly, only indirectly through the authorized permissions in the user’s terminal. The vulnerability directly affects the user’s terminal, which falls outside of Splunk’s security authority. As such, the vulnerability qualifies for a Change in Scope. **Confidentiality/Integrity/Availability:** The vulnerability allows for the potential for remote code execution within the context of a user’s terminal. Because of this, out of an abundance of caution, Splunk rated the impact on the user’s terminal as High for all three vectors. The indirect impact on Splunk Enterprise might vary significantly depending on how the user configured permissions in their terminal application. | STÖK / Fredrik Alexandersson | |
SVD-2023-0605 | 2023-06-01 | 2023-06-01 | Persistent Cross-Site Scripting (XSS) through a URL Validation Bypass within a Dashboard View | Medium | CVE-2023-32711 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | 5.4 | CWE-79 | SPL-234890 | Splunk Enterprise 8.1 Splunk Enterprise 8.2 Splunk Enterprise 9.0 | 8.1.14 8.2.11 9.0.5 | 8.1.0 to 8.1.13 8.2.0 to 8.2.10 9.0.0 to 9.0.4 | 8.1.14 8.2.11 9.0.5 | Splunk Web Splunk Web Splunk Web | A Splunk dashboard view lets a low-privileged user exploit a vulnerability in the Bootstrap web framework (CVE-2019-8331) and build a stored cross-site scripting (XSS) payload. | For Splunk Enterprise, upgrade versions to 8.1.14, 8.2.11, 9.0.5, or higher. This vulnerability does not affect Splunk Cloud Platform instances. | If users do not log in to Splunk Web on indexers in a distributed environment, disable Splunk Web on those indexers. See [Disable unnecessary Splunk Enterprise components](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) and the [web.conf configuration specification file](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf) in the Splunk documentation for more information on disabling Splunk Web. | Splunk rated the vulnerability as Medium, 5.4, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. | Danylo Dmytriiev (DDV_UA) | |
SVD-2023-0604 | 2023-06-01 | 2023-06-01 | Low-privileged User can View Hashed Default Splunk Password | Medium | CVE-2023-32709 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N | 4.3 | CWE-285 | SPL-235016 | Splunk Enterprise 8.1 Splunk Enterprise 8.2 Splunk Enterprise 9.0 Splunk Cloud Platform | 8.1.14 8.2.11 9.0.5 9.0.2303.100 | 8.1.0 to 8.1.13 8.2.0 to 8.2.10 9.0.0 to 9.0.4 9.0.2303 and below | 8.1.14 8.2.11 9.0.5 9.0.2303.100 | Splunk Web Splunk Web Splunk Web Splunk Web | A low-privileged user who holds the ‘user’ role can see the hashed version of the initial user name and password for the Splunk instance by using the ‘rest’ SPL command against the ‘conf-user-seed’ REST endpoint. | For Splunk Enterprise, upgrade versions to 8.1.14, 8.2.11, 9.0.5, or higher. For Splunk Cloud Platform, Splunk is actively patching and monitoring the Splunk Cloud instances. | N/A | Splunk rated the vulnerability as Medium, 4.3, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. If the initial admin password has been changed, then there is no impact and the severity is Informational. | Anton (therceman) | |
SVD-2023-0603 | 2023-06-01 | 2023-06-01 | HTTP Response Splitting via the ‘rest’ SPL Command | High | CVE-2023-32708 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | 7.2 | CWE-113 | SPL-235203 | Splunk Enterprise 8.1 Splunk Enterprise 8.2 Splunk Enterprise 9.0 Splunk Cloud Platform | 8.1.14 8.2.11 9.0.5 9.0.2303.100 | 8.1.0 to 8.1.13 8.2.0 to 8.2.10 9.0.0 to 9.0.4 9.0.2303 and lower | 8.1.14 8.2.11 9.0.5 9.0.2303.100 | Splunk Web Splunk Web Splunk Web Splunk Web | A low-privileged user can trigger an HTTP response splitting vulnerability with the ‘rest’ SPL command that lets them potentially access other REST endpoints in the system arbitrarily, including viewing restricted content. | For Splunk Enterprise, upgrade versions to 9.0.5, 8.2.11, 8.1.14, or higher. For Splunk Cloud Platform, Splunk is monitoring and patching affected instances. | For Splunk Enterprise, limit the number of searches a process can run by editing the limits.conf configuration file and giving the 'max_searches_per_process' setting a value of either 1 or 0. For Splunk Cloud Platform, file a support ticket to adjust this configuration setting. | Splunk rated the vulnerability as High, 7.2, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. | Danylo Dmytriiev (DDV_UA) | |
SVD-2023-0602 | 2023-06-01 | 2023-06-01 | ‘edit_user’ Capability Privilege Escalation | High | CVE-2023-32707 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | CWE-285 | SPL-232088 | Splunk Enterprise 8.1 Splunk Enterprise 8.2 Splunk Enterprise 9.0 Splunk Cloud Platform | 8.1.14 8.2.11 9.0.5 9.0.2303.100 | 8.1.0 to 8.1.13 8.2.0 to 8.2.10 9.0.0 to 9.0.4 9.0.2303 and below | 8.1.14 8.2.11 9.0.5 9.0.2303.100 | Splunk Web Splunk Web Splunk Web Splunk Web | A low-privileged user who holds a role that has the ‘edit_user’ capability assigned to it can escalate their privileges to that of the admin user by providing a specially crafted web request. This is because the ‘edit_user’ capability does not honor the ‘grantableRoles’ setting in the authorize.conf configuration file, the setting that otherwise prevents this scenario from happening. | For Splunk Enterprise, upgrade versions to 9.0.5, 8.2.11, 8.1.14, or higher. For Splunk Cloud Platform, Splunk is actively patching and monitoring the Splunk Cloud instances. | Confirm that no role, other than the admin role or its equivalent, has the ‘edit_user’ capability assigned to it. Confirm that you neither assign the ‘edit_user’ capability to a role from which other roles inherit, nor that you assign a role with the capability to a user with low or no privileges. | Splunk rated the vulnerability as High, 8.8, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. | Mr Hack (try_to_hack) Santiago Lopez | |
SVD-2023-0601 | 2023-06-01 | 2023-06-01 | Denial Of Service due to Untrusted XML Tag in XML Parser within SAML Authentication | High | CVE-2023-32706 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H | 7.7 | CWE-611 | SPL-224292 | Splunk Enterprise 8.1 Splunk Enterprise 8.2 Splunk Enterprise 9.0 Splunk Cloud Platform 9.0.2303 and below | 8.1.14 8.2.11 9.0.5 9.0.2303.100 | 8.1.0 to 8.1.13 8.2.0 to 8.2.10 9.0.0 to 9.0.4 | 8.1.14 8.2.11 9.0.5 9.0.2303.100 | Splunk Web Splunk Web Splunk Web Splunk Web | An unauthenticated attacker can send specially-crafted messages to the XML parser within SAML authentication to cause a denial of service in the Splunk daemon. This happens when an incorrectly configured XML parser receives XML input that contains a reference to an entity expansion. Many recursive references to entity expansions can cause the XML parser to use all available memory on the machine, causing the Splunk daemon to crash or be terminated by the operating system. | For Splunk Enterprise, upgrade versions to 8.1.14, 8.2.11, 9.0.5, or higher. For Splunk Cloud Platform, Splunk is actively patching and monitoring the Splunk Cloud instances. | Disable single sign-on using SAML as an authentication scheme (SAML SSO). For more information on this type of configuration, see [Configure single sign-on with SAML](https://docs.splunk.com/Documentation/SplunkCloud/latest/Security/HowSAMLSSOworks) in the Splunk documentation. | Splunk rated the vulnerability as High, 7.7 with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H. If the Splunk Enterprise instance does not use SAML SSO for authentication, there is no impact and the severity is Informational. | Vikram Ashtaputre, Splunk | |
SVD-2023-0215 | 2023-02-14 | 2023-02-14 | February Third Party Package Updates in Splunk Enterprise | High | - | - | - | - | Splunk Enterprise 8.1 Splunk Enterprise 8.2 Splunk Enterprise 9.0 Splunk Cloud Platform - | 8.1.13 8.2.10 9.0.4 9.0.2209.3 | 8.1.12 and lower 8.2.0 to 8.2.9 9.0.0 to 9.0.3 9.0.2209 and lower | 8.1.13 8.2.10 9.0.4 9.0.2209.3 | - - - - | CVE-2021-21419 - Python 2.7, eventlet - Upgraded to 2.7.18.4 - Informational - CVE-2021-28957 - Python 2.7, lxml - Upgraded to 2.7.18.4 - Medium - CVE-2022-24785 - Moment.js - Upgraded to 2.29.4 - High - CVE-2022-31129 - Moment.js - Upgraded to 2.29.4 - High - CVE-2022-32212 - Node.js - Applied patch - High - CVE-2015-20107 - Python 3.7 - Applied patch - Informational - CVE-2021-3517 - Libxml2 - Applied patch - High - CVE-2021-3537 - Libxml2 - Applied patch - Medium - CVE-2021-3518 - Libxml2 - Applied patch - High - | ||||||
SVD-2023-0214 | 2023-02-14 | 2023-02-14 | Splunk Response to the Apache Software Foundation Publishing a Vulnerability on Apache Commons Text (CVE-2022-42889) (Text4Shell) | Informational | - | - | - | - | CVE-2022-42889 - - - - | |||||||||||
SVD-2023-0213 | 2023-02-14 | 2023-02-14 | Modular Input REST API Requests Connect via HTTP after Certificate Validation Failure in Splunk Add-on Builder and Splunk CloudConnect SDK | Medium | CVE-2023-22943 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N | 4.8 | CWE-636 | ADDON-58725 | Splunk Add-on Builder 4.1 Splunk CloudConnect SDK 3.1 | 4.1.2 3.1.3 | 4.1.1 and lower 3.1.2 and lower | 4.1.2 3.1.3 | cloudconnectlib - | Chris Green | |||||
SVD-2023-0212 | 2023-02-14 | 2023-02-14 | Cross-Site Request Forgery in the ‘ssg/kvstore_client’ REST Endpoint in Splunk Enterprise | Medium | CVE-2023-22942 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L | 5.4 | CWE-352 | SPL-232619 | Splunk Enterprise 8.1 Splunk Enterprise 8.2 Splunk Enterprise 9.0 | 8.1.13 8.2.10 9.0.4 | 8.1.12 and lower 8.2.0 to 8.2.9 9.0.0 to 9.0.3 | 8.1.13 8.2.10 9.0.4 | Splunk Web Splunk Web Splunk Web | Anton (therceman) | |||||
SVD-2023-0211 | 2023-02-14 | 2023-02-14 | Improperly Formatted ‘INGEST_EVAL’ Parameter Crashes Splunk Daemon | Medium | CVE-2023-22941 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H | 6.5 | CWE-248 | SPL-232645 | Splunk Enterprise 8.1 Splunk Enterprise 8.2 Splunk Enterprise 9.0 Splunk Cloud Platform - | 8.1.13 8.2.10 9.0.4 9.0.2212 | 8.1.12 and lower 8.2.0 to 8.2.9 9.0.0 to 9.0.3 9.0.2209 and lower | 8.1.13 8.2.10 9.0.4 9.0.2212 | Splunk Web Splunk Web Splunk Web Splunk Web | James Ervin, Splunk | |||||
SVD-2023-0210 | 2023-02-14 | 2023-02-14 | SPL Command Safeguards Bypass via the ‘collect’ SPL Command Aliases in Splunk Enterprise | Medium | CVE-2023-22940 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N | 6.3 | CWE-20 | SPL-232369 | Splunk Enterprise 8.1 Splunk Enterprise 8.2 Splunk Enterprise 9.0 Splunk Cloud Platform - | 8.1.13 8.2.10 9.0.4 9.0.2212 | 8.1.12 and lower 8.2.0 to 8.2.9 9.0.0 to 9.0.3 9.0.2209 and lower | 8.1.13 8.2.10 9.0.4 9.0.2212 | Splunk Web Splunk Web Splunk Web Splunk Web | James Ervin, Splunk | |||||
SVD-2023-0209 | 2023-02-14 | 2023-02-14 | SPL Command Safeguards Bypass via the ‘map’ SPL Command in Splunk Enterprise | High | CVE-2023-22939 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N | 8.1 | CWE-20 | SPL-230588 | Splunk Enterprise 8.1 Splunk Enterprise 8.2 Splunk Enterprise 9.0 Splunk Cloud Platform - | 8.1.13 8.2.10 9.0.4 9.0.2209.3 | 8.1.12 and lower 8.2.0 to 8.2.9 9.0.0 to 9.0.3 9.0.2209 and lower | 8.1.13 8.2.10 9.0.4 9.0.2209.3 | Splunk Web Splunk Web Splunk Web Splunk Web | Klevis Luli, Splunk | |||||
SVD-2023-0208 | 2023-02-14 | 2023-02-14 | Permissions Validation Failure in the ‘sendemail’ REST API Endpoint in Splunk Enterprise | Medium | CVE-2023-22938 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N | 4.3 | CWE-285 | SPL-229337 | Splunk Enterprise 8.1 Splunk Enterprise 8.2 Splunk Enterprise 9.0 Splunk Cloud Platform - | 8.1.13 8.2.10 9.0.4 9.0.2212 | 8.1.12 and lower 8.2.0 to 8.2.9 9.0.0 to 9.0.3 9.0.2209 and lower | 8.1.13 8.2.10 9.0.4 9.0.2212 | Splunk Web Splunk Web Splunk Web Splunk Web | James Ervin, Splunk | |||||
SVD-2023-0207 | 2023-02-14 | 2023-02-14 | Unnecessary File Extensions Allowed by Lookup Table Uploads in Splunk Enterprise | Medium | CVE-2023-22937 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N | 4.3 | CWE-20 | SPL-229185 | Splunk Enterprise 8.1 Splunk Enterprise 8.2 Splunk Enterprise 9.0 Splunk Cloud Platform - | 8.1.13 8.2.10 9.0.4 9.0.2209.3 | 8.1.12 and lower 8.2.0 to 8.2.9 9.0.0 to 9.0.3 9.0.2209 and lower | 8.1.13 8.2.10 9.0.4 9.0.2209.3 | Splunk Web Splunk Web Splunk Web Splunk Web | ||||||
SVD-2023-0206 | 2023-02-14 | 2023-02-14 | Authenticated Blind Server Side Request Forgery via the ‘search_listener’ Search Parameter in Splunk Enterprise | Medium | CVE-2023-22936 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L | 6.3 | CWE-918 | SPL-228937 | Splunk Enterprise 8.1 Splunk Enterprise 8.2 Splunk Enterprise 9.0 Splunk Cloud Platform - | 8.1.13 8.2.10 9.0.4 9.0.2209.3 | 8.1.12 and lower 8.2.0 to 8.2.9 9.0.0 to 9.0.3 9.0.2209 and lower | 8.1.13 8.2.10 9.0.4 9.0.2209.3 | Splunk Web Splunk Web Splunk Web Splunk Web | Danylo Dmytriiev (DDV_UA) | |||||
SVD-2023-0205 | 2023-02-14 | 2023-02-14 | SPL Command Safeguards Bypass via the ‘display.page.search.patterns.sensitivity’ Search Parameter in Splunk Enterprise | High | CVE-2023-22935 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N | 8.1 | CWE-20 | SPL-228738 | Splunk Enterprise 8.1 Splunk Enterprise 8.2 Splunk Enterprise 9.0 Splunk Cloud Platform - | 8.1.13 8.2.10 9.0.4 9.0.2209.3 | 8.1.12 and lower 8.2.0 to 8.2.9 9.0.0 to 9.0.3 9.0.2209 and lower | 8.1.13 8.2.10 9.0.4 9.0.2209.3 | Splunk Web Splunk Web Splunk Web Splunk Web | Anton (therceman) | |||||
SVD-2023-0204 | 2023-02-14 | 2023-02-14 | SPL Command Safeguards Bypass via the ‘pivot’ SPL Command in Splunk Enterprise | High | CVE-2023-22934 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N | 7.3 | CWE-20 | SPL-228734 | Splunk Enterprise 8.1 Splunk Enterprise 8.2 Splunk Enterprise 9.0 Splunk Cloud Platform - | 8.1.13 8.2.10 9.0.4 9.0.2209.3 | 8.1.12 and lower 8.2.0 to 8.2.9 9.0.0 to 9.0.3 9.0.2209 and lower | 8.1.13 8.2.10 9.0.4 9.0.2209.3 | Splunk Web Splunk Web Splunk Web Splunk Web | Anton (therceman) | |||||
SVD-2023-0203 | 2023-02-14 | 2023-02-14 | Persistent Cross-Site Scripting through the ‘module’ Tag in a View in Splunk Enterprise | High | CVE-2023-22933 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H | 8.0 | CWE-79 | SPL-228264 | Splunk Enterprise 8.1 Splunk Enterprise 8.2 Splunk Enterprise 9.0 Splunk Cloud Platform - | 8.1.13 8.2.10 9.0.4 9.0.2209 | 8.1.12 and lower 8.2.0 to 8.2.9 9.0. to 9.0.3 9.0.2208 and lower | 8.1.13 8.2.10 9.0.4 9.0.2209 | Splunk Web Splunk Web Splunk Web Splunk Web | Danylo Dmytriiev (DDV_UA) | |||||
SVD-2023-0202 | 2023-02-14 | 2023-02-14 | Persistent Cross-Site Scripting through a Base64-encoded Image in a View in Splunk Enterprise | High | CVE-2023-22932 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N | 8.0 | CWE-79 | SPL-232819 | Splunk Enterprise 8.1 Splunk Enterprise 8.2 Splunk Enterprise 9.0 Splunk Cloud Platform | - - 9.0.4 9.0.2209.3 | Not affected Not affected 9.0.0 to 9.0.3 9.0.2209 and lower | - - 9.0.4 9.0.2209.3 | - - Splunk Web Splunk Web | Tim Coen (foobar7) | |||||
SVD-2023-0201 | 2023-02-14 | 2023-02-14 | ‘createrss’ External Search Command Overwrites Existing RSS Feeds in Splunk Enterprise | Medium | CVE-2023-22931 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N | 4.3 | CWE-285 | SPL-216628 | Splunk Enterprise 8.1 Splunk Enterprise 8.2 Splunk Enterprise 9.0 Splunk Cloud Platform - | 8.1.13 8.2.10 - 8.2.2203 | 8.1.12 and lower 8.2.0 to 8.2.9 Not affected 8.2.2202 and lower | 8.1.13 8.2.10 - 8.2.2203 | Search Search - Search | James Ervin, Splunk | |||||
SVD-2022-1113 | 2022-11-02 | 2023-02-14 | November Third Party Package updates in Splunk Enterprise | High | Splunk Enterprise 8.1 Splunk Enterprise 8.2 Splunk Enterprise 9.0 Splunk Cloud Platform - | 8.1.12 8.2.9 9.0.2 9.0.2209 | 8.1.11 and lower 8.2.0 to 8.2.8 9.0.0 to 9.0.1 9.0.2208 and lower | 8.1.12 8.2.9 9.0.2 9.0.2209 | - - - - | CVE-2020-36518 - jackson-databind - Upgraded to 2.13.2.1 - High - CVE-2021-32036 - mongodb - Upgraded to 4.2.19 or 4.2.17-v4 - Medium - | ||||||||||
SVD-2022-1112 | 2022-11-02 | 2022-11-02 | Indexing blockage via malformed data sent through S2S or HEC protocols in Splunk Enterprise | High | CVE-2022-43572 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H | 7.5, High | CWE-400 | SPL-224974 | Splunk Enterprise 8.1 Splunk Enterprise 8.2 Splunk Enterprise 9.0 Splunk Cloud Platform | 8.1.12 8.2.9 9.0.2 9.0.2209.3 | 8.1.11 and lower 8.2.0 to 8.2.8 9.0.0 to 9.0.1 9.0.2209 and lower | 8.1.12 8.2.9 9.0.2 9.0.2209.3 | Indexing Indexing Indexing Indexing | ||||||
SVD-2022-1111 | 2022-11-02 | 2022-11-02 | Remote Code Execution through dashboard PDF generation component in Splunk Enterprise | High | CVE-2022-43571 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8, High | CWE-94 | SPL-228720 | Splunk Enterprise 8.1 Splunk Enterprise 8.2 Splunk Enterprise 9.0 Splunk Cloud Platform | 8.1.12 8.2.9 9.0.2 9.0.2209 | 8.1.11 and lower 8.2.0 to 8.2.8 9.0.0 to 9.0.1 9.0.2208 and lower | 8.1.12 8.2.9 9.0.2 9.0.2209 | | Danylo Dmytriiev (DDV_UA) | |||||
SVD-2022-1110 | 2022-11-02 | 2022-11-02 | XML External Entity Injection through a custom View in Splunk Enterprise | High | CVE-2022-43570 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8, High | CWE-611 | SPL-228310 | Splunk Enterprise 8.1 Splunk Enterprise 8.2 Splunk Enterprise 9.0 Splunk Cloud Platform | 8.1.12 8.2.9 9.0.2 9.0.2209 | 8.1.11 and lower 8.2.0 to 8.2.8 9.0.0 to 9.0.1 9.0.2208 and lower | 8.1.12 8.2.9 9.0.2 9.0.2209 | Splunk Web Splunk Web Splunk Web Splunk Web | Danylo Dmytriiev (DDV_UA) | |||||
SVD-2022-1109 | 2022-11-02 | 2022-11-02 | Persistent Cross-Site Scripting via a Data Model object name in Splunk Enterprise | High | CVE-2022-43569 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H | 8.0, High | CWE-79 | SPL-228087 | Splunk Enterprise 8.1 Splunk Enterprise 8.2 Splunk Enterprise 9.0 Splunk Cloud Platform | 8.1.12 8.2.9 9.0.2 9.0.2209 | 8.1.11 and lower 8.2.0 to 8.2.8 9.0.0 to 9.0.1 9.0.2208 and lower | 8.1.12 8.2.9 9.0.2 9.0.2209 | Splunk Web Splunk Web Splunk Web Splunk Web | Danylo Dmytriiev (DDV_UA) | |||||
SVD-2022-1108 | 2022-11-02 | 2022-11-02 | Reflected Cross-Site Scripting via the radio template in Splunk Enterprise | High | CVE-2022-43568 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 8.8, High | CWE-79 | SPL-228379 | Splunk Enterprise 8.1 Splunk Enterprise 8.2 Splunk Enterprise 9.0 Splunk Cloud Platform | 8.1.12 8.2.9 9.0.2 9.0.2205 | 8.1.11 and lower 8.2.0 to 8.2.8 9.0.0 to 9.0.1 9.0.2203.4 and lower | 8.1.12 8.2.9 9.0.2 9.0.2205 | Splunk Web Splunk Web Splunk Web Splunk Web | Danylo Dmytriiev (DDV_UA) | |||||
SVD-2022-1107 | 2022-11-02 | 2022-11-02 | Remote Code Execution via the Splunk Secure Gateway application Mobile Alerts feature | High | CVE-2022-43567 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8, High | CWE-502 | SPL-226837 | Splunk Enterprise 8.1 Splunk Enterprise 8.2 Splunk Enterprise 9.0 Splunk Cloud Platform Splunk Secure Gateway | 8.1.12 8.2.9 9.0.2 9.0.2205 | 8.1.11 and lower 8.2.0 to 8.2.8 9.0.0 to 9.0.1 9.0.2203.4 and lower | 8.1.12 8.2.9 9.0.2 9.0.2205 | Splunk Secure Gateway Splunk Secure Gateway Splunk Secure Gateway Splunk Web | Danylo Dmytriiev (DDV_UA) | |||||
SVD-2022-1106 | 2022-11-02 | 2022-11-02 | Risky command safeguards bypass via Search ID query in Analytics Workspace in Splunk Enterprise | High | CVE-2022-43566 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N | 7.3, High | CWE-20 | SPL-223730 | Splunk Enterprise 8.1 Splunk Enterprise 8.2 Splunk Enterprise 9.0 Splunk Cloud Platform | 8.1.12 8.2.9 9.0.2 9.0.2208 | 8.1.11 and lower 8.2.0 to 8.2.8 9.0.0 to 9.0.1 9.0.2205 and lower | 8.1.12 8.2.9 9.0.2 9.0.2208 | Splunk Web Splunk Web Splunk Web Splunk Web | Anton (therceman) | |||||
SVD-2022-1105 | 2022-11-02 | 2022-11-02 | Risky command safeguards bypass via ‘tstats’ command JSON in Splunk Enterprise | High | CVE-2022-43565 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N | 8.1, High | CWE-20 | SPL-224121 | Splunk Enterprise 8.1 Splunk Enterprise 8.2 Splunk Enterprise 9.0 Splunk Cloud Platform | 8.1.12 8.2.9 9.0.2203 | 8.1.11 and lower 8.2.0 to 8.2.8 Not affected 9.0.2202 and lower | 8.1.12 8.2.9 9.0.2203 | Search Search Search | Cuong Dong at Splunk | |||||
SVD-2022-1104 | 2022-11-02 | 2022-11-02 | Denial of Service in Splunk Enterprise through search macros | Medium | CVE-2022-43564 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H | 4.9, Medium | CWE-400 | SPL-220964 | Splunk Enterprise 8.1 Splunk Enterprise 8.2 Splunk Enterprise 9.0 Splunk Cloud Platform | 8.1.12 8.2.9 9.0.2205 | 8.1.11 and lower 8.2.0 to 8.2.8 Not affected 9.0.2203.4 and lower | 8.1.12 8.2.9 9.0.2205 | REST API REST API REST API | ||||||
SVD-2022-1103 | 2022-11-02 | 2022-11-11 | Risky command safeguards bypass via 'rex' search command field names in Splunk Enterprise | High | CVE-2022-43563 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N | 8.1, High | CWE-20 | SPL-223646 | Splunk Enterprise 8.1 Splunk Enterprise 8.2 Splunk Enterprise 9.0 Splunk Cloud Platform | 8.1.12 8.2.9 9.0.2203 | 8.1.11 and lower 8.2.0 to 8.2.8 Not affected 9.0.2202 and lower | 8.1.12 8.2.9 9.0.2203 | Search Search Search | Cuong Dong at Splunk | |||||
SVD-2022-1102 | 2022-11-02 | 2022-11-02 | Host Header Injection in Splunk Enterprise | Low | CVE-2022-43562 | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N | 3.0, Low | CWE-20 | SPL-224156 | Splunk Enterprise 8.1 Splunk Enterprise 8.2 Splunk Enterprise 9.0 Splunk Cloud Platform | 8.1.12 8.2.9 9.0.2 9.0.2208 | 8.1.11 and lower 8.2.0 to 8.2.8 9.0.0 to 9.0.1 9.0.2205 and lower | 8.1.12 8.2.9 9.0.2 9.0.2208 | Splunk Web Splunk Web Splunk Web Splunk Web | Ali Mirheidari at Splunk | |||||
SVD-2022-1101 | 2022-11-02 | 2022-11-02 | Persistent Cross-Site Scripting in “Save Table” Dialog in Splunk Enterprise | Medium | CVE-2022-43561 | CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H | 6.4, Medium | CWE-79 | SPL-207040 | Splunk Enterprise 8.1 Splunk Enterprise 8.2 Splunk Enterprise 9.0 Splunk Cloud Platform | 8.1.12 8.2.9 9.0.2 9.0.2208 | 8.1.11 and lower 8.2.0 to 8.2.7=8 9.0.0 to 9.0.1 9.0.2205 and lower | 8.1.12 8.2.9 9.0.2 9.0.2208 | Splunk Web Splunk Web Splunk Web Splunk Web | Mr Hack (try_to_hack) | |||||
SVD-2022-1114 | 2022-11-01 | 2022-11-01 | Splunk’s response to OpenSSL’s CVE-2022-3602 and CVE-2022-3786 | High | Splunk Enterprise Universal Forwarders Splunk Cloud Platform Splunk Observability Platform SOAR Cloud SOAR SOAR Automation Broker Enterprise Security Splunk Security Essentials IT Service Intelligence Splunk UBA Data Stream Processor Splunk Addon for Active Directory Splunk Addon for Add-on for Infrastructure Splunk Addon for Add-on for Microsoft Exchange Splunk Addon for Add-on for VMware Splunk Addon for Amazon Kinesis Firehose Splunk Addon for Amazon Web Services Splunk Addon for Apache Web Server Splunk Addon for Bit9 Carbon Black Splunk Addon for Blue Coat ProxySG Splunk Addon for BMC Remedy Splunk Addon for Box Splunk Addon for Bromium Splunk Addon for Check Point OPSEC LEA Splunk Addon for Cisco ASA Splunk Addon for Cisco ESA Splunk Addon for Cisco FireSIGHT Splunk Addon for Cisco Identity Services Splunk Addon for Cisco UCS Splunk Addon for Citrix NetScaler Splunk Addon for CyberArk Splunk Addon for F5 BIG-IP Splunk Addon for Forcepoint Web Security Splunk Addon for Google Cloud Platform Splunk Addon for HAProxy Splunk Addon for IBM WebSphere Application Server Splunk Addon for Imperva SecureSphere WAF Splunk Addon for Infoblox Splunk Addon for ISC BIND Splunk Addon for ISC DHCP Splunk Addon for Java Management Extensions Splunk Addon for JBoss Splunk Addon for Juniper Splunk Addon for Kafka Splunk Addon for Linux Splunk Addon for McAfee Splunk Addon for McAfee Web Gateway Splunk Addon for Microsoft Cloud Services Splunk Addon for Microsoft Hyper-V Splunk Addon for Microsoft IIS Splunk Addon for Microsoft Office 365 Splunk Addon for Microsoft SQL Server Splunk Addon for Microsoft Windows Splunk Addon for MySQL Splunk Addon for Nagios Core Splunk Addon for NGINX Splunk Addon for OPC Splunk Addon for Oracle Database Splunk Addon for OSSEC Splunk Addon for RSA DLP Splunk Addon for RSA SecurID Splunk Addon for Salesforce Splunk Addon for 
ServiceNow Splunk Addon for Sophos Splunk Addon for Squid Proxy Splunk Addon for Stream Addon for Wire Data Splunk Addon for Symantec DLP Splunk Addon for Symantec Endpoint Protection Splunk Addon for Tomcat Splunk Addon for Unix and Linux Splunk Addon for Websense DLP Splunk Addon for Zeek Splunk App for AWS Splunk App for Common Information Model (CIM) Splunk App for DB Connect Splunk App for DB Connect - Older Unsupported versions Splunk App for Info Sec Splunk App for InfoSec App for Splunk Splunk App for Infrastructure Splunk App for IT Essentials Learn Splunk App for IT Essentials Work Splunk App for Machine Learning Toolkit (MLTK) and Python for Scientific Computing (PSC) Splunk App for Microsoft Exchange Splunk App for NetApp Data ONTAP Splunk App for PCI Compliance Splunk App for Security Essentials Splunk App for Splunk Product Guidance Splunk App for Stream Splunk App for Unix and Linux Splunk App for VMware Splunk App for Windows Splunk App for Windows Infrastructure Splunk Add-on Builder Splunk AppInspect Splunk SDKs Splunk Logging Library for Java Security Analytics for AWS Splunk Add-on for VMware Metrics Splunk App for Content Packs Splunk App for Infrastructure (SAI) Splunk App for Mint Splunk Application Performance Monitoring Splunk Assist Splunk Augmented Reality Splunk Cloud Data Manager (SCDM) Splunk Cloud Developer Edition Splunk Connect for Kafka Splunk Connect for Kubernetes Splunk Connect for Kubernetes-OpenTelemetry Splunk Connect for SNMP Splunk Connect for Syslog Splunk DB TA LAR Splunk Edge Hub Splunk Enterprise Amazon Machine Image (AMI) Splunk Enterprise Docker Container Splunk Infrastructure Monitoring Splunk Log Observer Splunk Mint Android SDK Splunk Mint IOS SDK Splunk Mint Management console Splunk Mobile Splunk Network Performance Monitoring Splunk On-Call/Victor Ops/SSA Splunk OVA for VMware Splunk OVA for VMWare Metrics Splunk Profiling Splunk Real User Monitoring Splunk Secure Gateway Behavioral Analytics Splunk Stream 
Forwarder Splunk Synthetics Splunk TV Splunk UBA OVA Software Splunk VMWare OVA for ITSI | | Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected | | | CVE-2022-3602 - OpenSSL - NA - High - CVE-2022-3786 - OpenSSL - NA - High - | ||||||||||
SVD-2022-0804 | 2022-08-16 | 2023-03-08 | August Third Party Package updates in Splunk Enterprise and Universal Forwarders | Medium | Universal Forwarder 8.1 Universal Forwarder 8.2 Universal Forwarder 9.0 Splunk Enterprise 8.1 Splunk Enterprise 8.2 Splunk Enterprise 9.0 Splunk Cloud Platform | 8.1.11 8.2.7.1 9.0.1 8.1.11 8.2.7.1 9.0.1 9.0.2205 | 8.1.10 and lower 8.2.0 to 8.2.7 9.0.0 8.1.10 and lower 8.2.0 to 8.2.7 9.0.0 8.2.2203.4 and lower | 8.1.11 8.2.7.1 9.0.1 8.1.11 8.2.7.1 9.0.1 9.0.2205 | - - - - - - - | CVE-2022-2068 - OpenSSL1.0.2 - Upgraded to OpenSSL 1.0.2zf - Informational - CVE-2021-3541 - libxml2 - Applied patch - Medium - CVE-2022-29824 - libxml2 - Applied patch - Medium - CVE-2022-23308 - libxml2 - Applied patch - Informational - | ||||||||||
SVD-2022-0803 | 2022-08-16 | 2022-08-16 | Malformed ZIP file crashes Universal Forwarders and Splunk Enterprise through file monitoring input | Medium | CVE-2022-37439 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H | 5.5 | CWE-409 | TBD | Universal Forwarder 8.1 Universal Forwarder 8.2 Universal Forwarder 9.0 Splunk Enterprise 8.1 Splunk Enterprise 8.2 Splunk Enterprise 9.0 | 8.1.11 8.2.7.1 - 8.1.11 8.2.7.1 - | 8.1.10 and lower 8.2.0 to 8.2.7 Not affected 8.1.10 and lower 8.2.0 to 8.2.7 Not affected | 8.1.11 8.2.7.1 - 8.1.11 8.2.7.1 - | Monitor Processor Monitor Processor - Monitor Processor Monitor Processor - | Tim Ip at Adobe and Collegiate Penetration Testing Competition (CPTC) | |||||
SVD-2022-0802 | 2022-08-16 | 2022-08-16 | Information disclosure via the dashboard drilldown in Splunk Enterprise | Low | CVE-2022-37438 | CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N | 2.6 | CWE-200 | SPL-221531 | Splunk Enterprise 8.1 Splunk Enterprise 8.2 Splunk Enterprise 9.0 Splunk Cloud Platform | 8.1.11 8.2.7.1 9.0.1 9.0.2205 | 8.1.10 and lower 8.2.0 to 8.2.7 9.0.0 8.2.2203.4 and lower | 8.1.11 8.2.7.1 9.0.1 9.0.2205 | Splunk Web Splunk Web Splunk Web Splunk Web | Eric LaMothe at Splunk | |||||
SVD-2022-0801 | 2022-08-16 | 2022-08-16 | Ingest Actions UI in Splunk Enterprise 9.0.0 disabled TLS certificate validation | High | CVE-2022-37437 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N | 7.4 | CWE-295 | SPL-224209 | Splunk Enterprise 8.1 Splunk Enterprise 8.2 Splunk Enterprise 9.0 | - - 9.0.1 | Not affected Not affected 9.0.0 | - - 9.0.1 | - - Ingest Actions | Eric LaMothe at Splunk Ali Mirheidari at Splunk | |||||
SVD-2022-0608 | 2022-08-16 | 2022-07-18 | Splunk Enterprise deployment servers allow client publishing of forwarder bundles | Critical | CVE-2022-32158 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H | 9.0 | CWE-284 | SPL-176829 | Splunk Enterprise 8.1 Splunk Enterprise 8.2 Splunk Enterprise 9.0 | 8.1.10.1 8.2.6.1 - | Versions before 8.1.10.1 8.2.0 to 8.2.6 Not affected | 8.1.10.1 8.2.6.1 - | Deployment Server Deployment Server - | Nadim Taha at Splunk | |||||
SVD-2022-0607 | 2022-08-16 | 2022-07-18 | Splunk Enterprise deployment servers allow unauthenticated forwarder bundle downloads | High | CVE-2022-32157 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 7.5 | CWE-306 | SPL-176828 | Splunk Enterprise 9.0 | 9.0.0 | Versions before 9.0 | 9.0.0 | Deployment Server | Nadim Taha at Splunk Paul Schultze at E.ON Digital Technology GmbH Martin Müller at Consist | |||||
SVD-2022-0606 | 2022-06-14 | 2022-07-18 | Splunk Enterprise and Universal Forwarder CLI connections lacked TLS certificate validation | High | CVE-2022-32156 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N | 7.4 | CWE-295 | SPL-49451 | Splunk Enterprise 9.0 Universal Forwarder 9.0 | 9.0.0 9.0.0 | Versions before 9.0 Versions before 9.0 | 9.0.0 9.0.0 | - - | Chris Green at Splunk | |||||
SVD-2022-0605 | 2022-06-14 | 2022-06-14 | Universal Forwarder management services allow remote login by default | Info | CVE-2022-32155 | - | - | - | SPL-140396 | Universal Forwarder 9.0 | 9.0.0 | Versions before 9.0 | 9.0.0 | - | Chris Green at Splunk | |||||
SVD-2022-0604 | 2022-06-14 | 2022-07-18 | Risky commands warnings in Splunk Enterprise dashboards | Medium | CVE-2022-32154 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N | 6.8 | CWE-20 | SPL-201816 | Splunk Enterprise 9.0 Splunk Cloud Platform - | 9.0.0 8.1.2106 | Versions before 9.0 Versions before 8.1.2106 | 9.0.0 8.1.2106 | - - | Chris Green at Splunk Danylo Dmytriiev (DDV_UA) Anton (therceman) | |||||
SVD-2022-0603 | 2022-06-14 | 2022-07-18 | Splunk Enterprise lacked TLS host name certificate validation | High | CVE-2022-32153 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | 8.1 | CWE-297 | SPL-202894 | Splunk Enterprise 9.0 Splunk Cloud Platform - | 9.0.0 8.2.2203 | Versions before 9.0 Versions before 8.2.2203 | 9.0.0 8.2.2203 | - - | Chris Green at Splunk | |||||
SVD-2022-0602 | 2022-06-14 | 2022-07-18 | Splunk Enterprise lacked TLS certificate validation for Splunk-to-Splunk communication by default | High | CVE-2022-32152 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | 8.1 | CWE-295 | SPL-114067, SPL-138957 | Splunk Enterprise 9.0 Splunk Cloud Platform - | 9.0.0 8.2.2203 | Versions before 9.0 Versions before 8.2.2203 | 9.0.0 8.2.2203 | - - | Chris Green at Splunk | |||||
SVD-2022-0601 | 2022-06-14 | 2022-07-18 | Splunk Enterprise disabled TLS validation using the CA certificate stores in Python 3 libraries by default | High | CVE-2022-32151 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N | 7.4 | CWE-295 | SPL-173641, SPL-129677 | Splunk Enterprise 9.0 Splunk Cloud Platform - | 9.0.0 8.2.2203 | Versions before 9.0 Versions before 8.2.2203 | 9.0.0 8.2.2203 | - - | Chris Green at Splunk | |||||
SVD-2022-0507 | 2022-05-03 | 2022-05-03 | Error message discloses internal path | Medium | CVE-2022-26070 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N | 4.3 | CWE-200 | SPL-180503 | Splunk Enterprise 8.1 | 8.1.0 | Versions below 8.1 | 8.1.0 | Splunk Web | Dipak Prajapati (Lethal) | |||||
SVD-2022-0506 | 2022-05-03 | 2022-05-03 | Path Traversal in search parameter results in external content injection | High | CVE-2022-26889 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 8.8 | CWE-20 | SPL-197247 | Splunk Enterprise 8.1 Splunk Enterprise 8.2 | 8.1.2 - | 8.1.1 and earlier Not affected | 8.1.2 - | Splunk Web - | Jason Tsang Mui Chung | |||||
SVD-2022-0505 | 2022-05-03 | 2022-05-03 | Reflected XSS in a query parameter of the Monitoring Console | High | CVE-2022-27183 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 8.8 | CWE-79 | SPL-201205 | Splunk Enterprise 8.1 Splunk Enterprise 8.2 | 8.1.4 - | 8.1.3 and earlier Not affected | 8.1.4 - | Splunk Monitoring Console - | Danylo Dmytriiev (DDV_UA) | |||||
SVD-2022-0504 | 2022-05-03 | 2022-05-03 | Bypass of Splunk Enterprise's implementation of DUO MFA | High | CVE-2021-26253 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | 8.1 | CWE-287 | SPL-172887 | Splunk Enterprise 8.1 Splunk Enterprise 8.2 | 8.1.6 - | 8.1.5 and earlier Not affected | 8.1.6 - | - - | Sanket Bhimani | |||||
SVD-2022-0503 | 2022-05-03 | 2022-05-03 | S2S TcpToken authentication bypass | High | CVE-2021-31559 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N | 7.5 | CWE-288 | SPL-203370 | Splunk Enterprise 8.1 Splunk Enterprise 8.2 | 8.1.5 8.2.1 | 8.1.4 and earlier 8.2.0 | 8.1.5 8.2.1 | - - | Chris Samley at GE | |||||
SVD-2022-0502 | 2022-05-03 | 2022-05-03 | Username enumeration through lockout message in REST API | Medium | CVE-2021-33845 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | 5.3 | CWE-203 | SPL-194168 | Splunk Enterprise 8.1 Splunk Enterprise 8.2 | 8.1.7 - | 8.1.6 and earlier Not affected | 8.1.7 - | - - | Kyle Bambrick at Splunk | |||||
SVD-2022-0501 | 2022-05-03 | 2022-05-03 | Local privilege escalation via a default path in Splunk Enterprise Windows | High | CVE-2021-42743 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H | 8.8 | CWE-427 | SPL-195186 | Splunk Enterprise 8.1 Splunk Enterprise 8.2 | 8.1.1 - | 8.1.0 and earlier Not affected | 8.1.1 - | - - | ||||||
SVD-2022-0301 | 2022-03-24 | 2022-05-03 | Indexer denial-of-service via malformed S2S request | High | CVE-2021-3422 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 7.5 | CWE-125 | SPL-198396 | Splunk Enterprise 7.3 Splunk Enterprise 8.0 Splunk Enterprise 8.1 Splunk Enterprise 8.2 | 7.3.9 8.0.9 8.1.3 - | 7.3.8 and earlier 8.0.0 to 8.0.8 8.1.0 to 8.1.2 Not affected | 7.3.9 8.0.9 8.1.3 - | - - - - | Sharon Brizinov and Tal Keren of Claroty | |||||
SVD-2021-1201 | 2021-12-10 | 2022-01-07 | Splunk Security Advisory for Apache Log4j (CVE-2021-44228, CVE-2021-45046 and others) | Critical | CVE-2021-44228 - - - - CVE-2021-45046 - - - - | |||||||||||||||
SP-CAAAQAF | 2019-02-19 | 2019-02-19 | Persistent Cross Site Scripting in Splunk Web (SPL-138827, CVE-2019-5727) | High | - | 7.3 | - | SPL-138827 | ||||||||||||
SP-CAAAQAD | 2019-01-14 | 2019-01-14 | Untrusted TLS server certs verification is not present (CVE-2019-5729) | High | - | - | - | - | ||||||||||||
SP-CAAAP5T | 2018-09-28 | 2018-09-28 | Splunk Enterprise and Splunk Light address multiple vulnerabilities | High | - | - | - | - | ||||||||||||
SP-CAAAP5E | 2018-06-18 | 2018-06-18 | Splunk response to CVE-2018-11409: Information Exposure | Low | - | - | - | - | ||||||||||||
SP-CAAAPUE | 2017-12-15 | 2016-12-22 | Splunk Enterprise 6.4.5 addresses multiple vulnerabilities | - | - | - | - | SPL-129207, SPL-128812 | ||||||||||||
SP-CAAAP3M | 2017-11-27 | 2017-11-27 | Splunk response to Potential Local Privilege Escalation through instructions to run Splunk as non-root user | High | - | - | - | - | ||||||||||||
SP-CAAAP3K | 2017-11-14 | 2017-11-14 | Splunk Enterprise 7.0.0.1/7.0.1, 6.6.3.2/6.6.4, 6.5.6, 6.4.9 and 6.3.12 address multiple SAML vulnerabilities | Critical | - | - | - | - | ||||||||||||
SP-CAAAP3H | 2017-08-21 | 2017-08-21 | Splunk Enterprise 6.6.3 and Splunk Light 6.6.3 address multiple vulnerabilities | High | - | - | - | - | ||||||||||||
SP-CAAAP2U | 2017-06-06 | 2017-07-24 | Splunk Enterprise 6.3.11 and Splunk Light 6.5.3 address one vulnerability | Low | - | - | - | SPL-135602 | ||||||||||||
SP-CAAAPZ3 | 2017-05-05 | 2017-05-12 | Splunk Enterprise 6.5.3, 6.2.13.1 and Splunk Light 6.5.2 address multiple vulnerabilities | Medium | - | - | - | - | ||||||||||||
ERP-2041 | 2017-05-05 | 2017-05-12 | Splunk response to Path Traversal vulnerability in Splunk Hadoop Connect App | High | - | - | - | - | ||||||||||||
SP-CAAAP2K | 2017-03-24 | 2017-03-24 | Splunk Enterprise 6.4.7 and Splunk Light 6.5.3 address multiple vulnerabilities | Medium | - | - | - | SPL-135650, SPL-137327, SPL-135341 | ||||||||||||
SP-CAAAPYC | 2017-02-23 | 2017-08-07 | Splunk Enterprise 6.4.6 and Splunk Light 6.5.2 address one vulnerability | Medium | - | - | - | - | ||||||||||||
SP-CAAAPW8 | 2017-01-25 | 2017-01-25 | Splunk Enterprise 6.2.13 addresses multiple vulnerabilities | Medium | - | - | - | SPL-130721, SPL-130279 | ||||||||||||
SP-CAAAPSV | 2016-11-12 | 2016-12-22 | Splunk Enterprise 6.5.1 addresses multiple OpenSSL vulnerabilities | - | - | - | - | - | ||||||||||||
SP-CAAAPSR | 2016-11-10 | 2017-06-06 | Splunk Enterprise 6.5.0, 6.4.4, 6.3.8, 6.2.12, 6.1.12, 6.0.13, and 5.0.17 address multiple vulnerabilities | - | - | - | - | - | ||||||||||||
SP-CAAAPQ6 | 2016-08-22 | 2016-08-22 | Splunk Enterprise 6.4.3 and Splunk Light 6.4.3 address one vulnerability | Medium | - | - | - | SPL-117212 | ||||||||||||
SP-CAAAPQM | 2016-07-28 | 2016-07-28 | Splunk Enterprise 6.4.2, 6.3.6, 6.2.11, 6.1.11, 6.0.12, 5.0.16 and Splunk Light 6.4.2 address multiple security vulnerabilities | Medium | - | - | - | - | ||||||||||||
SP-CAAAPN9 | 2016-06-06 | 2016-06-06 | Splunk Enterprise 6.3.5 and Splunk Light 6.3.5 address two vulnerabilities | Medium | - | - | - | - | ||||||||||||
SP-CAAAPKV | 2016-04-06 | 2016-04-06 | Splunk Enterprise 6.3.3.4, 6.2.9, 6.1.10, 6.0.11, and 5.0.15 and Splunk Light 6.3.3.4 and 6.2.9 address multiple vulnerabilities | Medium | - | - | - | - | ||||||||||||
SP-CAAAPC3 | 2015-11-19 | 2015-11-19 | Splunk response to Path Traversal vulnerability in Splunk Hadoop Connect App | Medium | - | - | - | SPL-106324 | ||||||||||||
SP-CAAAPAM | 2015-09-14 | 2015-09-14 | Splunk 4.2.3 addresses two vulnerabilities | High | - | - | - | SPL-104724 | ||||||||||||
SP-CAAAN7C | 2015-07-07 | 2015-07-07 | Splunk Enterprise 6.2.4 and Splunk Light 6.2.4 address two vulnerabilities | Medium | - | - | - | SPL-101718, SPL-100313 | ||||||||||||
SP-CAAAN4P | 2015-05-27 | 2015-05-27 | Splunk Enterprise 6.1.8, 6.0.9, and 5.0.13 address multiple vulnerabilities | Low | - | 2.6 | - | SPL-98351 | ||||||||||||
SP-CAAAN84 | 2015-05-11 | 2015-10-07 | Splunk Enterprise 6.2.5, 6.1.9, 6.0.10, 5.0.14 and Splunk Light 6.2.5 address multiple vulnerabilities | Medium | - | - | - | SPL-102133, SPL-103044 | ||||||||||||
SP-CAAANZ7 | 2015-04-30 | 2015-08-13 | Splunk Enterprise 6.2.3 and Splunk Light 6.2.3 address five vulnerabilities | High | - | - | - | SPL-98531, SPL-96280, SPL-95798, SPL-95594 | ||||||||||||
SP-CAAANXD | 2015-03-24 | 2015-03-24 | Splunk Enterprise 6.2.2 addresses two vulnerabilities | Medium | - | - | - | SPL-95206, SPL-95205, SPL-95204, SPL-97914, SPL-91660 | ||||||||||||
SP-CAAANV8 | 2015-02-23 | 2015-02-23 | Splunk Enterprise 6.2.2 addresses two vulnerabilities | High | - | - | - | SPL-95203, SPL-93754 | ||||||||||||
SP-CAAANVJ | 2015-01-28 | 2015-01-29 | Splunk response to "GHOST" Vulnerability (CVE-2015-0235) | High | - | - | - | - | ||||||||||||
SP-CAAANU5 | 2015-01-28 | 2015-01-29 | Splunk response to January 2015 OpenSSL vulnerabilities | High | - | - | - | - | ||||||||||||
SP-CAAANST | 2014-11-19 | 2014-11-19 | Splunk Enterprise versions 6.0.7 and 5.0.11 address three vulnerabilities | - | - | - | SPL-91947, SPL-92062, SPL-89216 | |||||||||||||
SP-CAAANR7 | 2014-11-11 | 2014-11-11 | Splunk Enterprise 6.1.5 addresses two vulnerabilities | - | 4.3 | - | SPL-91948, SPL-92061 | |||||||||||||
SP-CAAANKE | 2014-10-14 | 2014-12-23 | Splunk response to SSLv3 "POODLE" vulnerability (CVE-2014-3566) | - | 5.4 | - | - | |||||||||||||
SP-CAAANHS | 2014-09-30 | 2014-11-20 | Splunk Enterprise 6.1.4 and 5.0.10 address four vulnerabilities | - | - | - | SPL-88585, SPL-88587, SPL-88588, SPL-89216, SPL-85579, SPL-85360 | |||||||||||||
SP-CAAANJN | 2014-09-29 | 2014-09-30 | Splunk response to "shellshock" vulnerabilities | - | - | - | - | |||||||||||||
SP-CAAANE2 | 2014-09-03 | 2014-09-24 | Splunk Enterprise 6.0.6 addresses two vulnerabilities | - | - | - | SPL-88587, SPL-85360 | |||||||||||||
SP-CAAAM9H | 2014-08-04 | 2014-08-04 | Splunk Enterprise 6.1.3 addresses two vulnerabilities | - | - | - | SPL-85595, SPL-84887 | |||||||||||||
SP-CAAAM2D | 2014-07-01 | 2014-07-01 | Splunk 6.0.3 addresses two vulnerabilities | - | - | - | SPL-85063, SPL-85063 | |||||||||||||
SP-CAAAMSH | 2014-05-09 | 2014-05-14 | Splunk Enterprise 6.0.4 addresses one vulnerability | - | 3.5 | - | SPL-79922 | |||||||||||||
SP-CAAAMB3 | 2014-04-10 | Splunk 6.0.3 addresses two vulnerabilities | - | - | - | - | ||||||||||||||
SP-CAAAKQX | 2014-03-28 | 2014-03-28 | Splunk 5.0.8 addresses one vulnerability | - | 3.5 | - | SPL-74017 | |||||||||||||
SP-CAAAJD5 | 2013-12-17 | 2014-03-25 | Splunk 6.0.1 addresses one vulnerability | - | 7.8 | - | SPL-75668 | |||||||||||||
SP-CAAAJCD | 2013-11-15 | 2013-12-17 | Splunk 5.0.6 addresses one vulnerability | - | 3.5 | - | SPL-74327 | |||||||||||||
SP-CAAAH76 | 2013-09-23 | 2014-03-10 | Splunk 5.0.5 addresses one vulnerability | - | - | - | SPL-70250 | |||||||||||||
SP-CAAAH32 | 2013-07-29 | 2013-07-29 | Splunk 5.0.4 addresses one vulnerability | - | 1 | - | SPL-65987 | |||||||||||||
SP-CAAAHXG | 2013-05-28 | 2013-05-28 | Splunk 5.0.3 addresses multiple vulnerabilities | - | - | - | SPL-59895, SPL-60250, SPL-61546 | |||||||||||||
SP-CAAAHSQ | 2013-04-20 | 2013-04-20 | Splunk 4.3.6 addresses one vulnerability | - | 4.0 | - | SPL-60629 | |||||||||||||
SP-CAAAHB4 | 2012-11-16 | 2012-11-16 | Splunk 4.3.5 and 5.0 address three vulnerabilities | - | - | - | SPL-50671, SPL-5515, SPL-55521 | |||||||||||||
SP-CAAAHDG | 2012-11-01 | 2012-11-01 | Splunk 5.0 updates to Python 2.7.3, addressing two vulnerabilities | - | - | - | - | |||||||||||||
SP-CAAAGTK | 2012-03-05 | 2012-03-26 | Splunk 4.3.1 addresses one vulnerability | - | - | - | SPL-38585 | |||||||||||||
SP-CAAAGMM | 2011-12-12 | 2011-12-20 | Splunk 4.2.5 addresses three vulnerabilities | - | - | - | SPL-44614, SPL-45172, SPL-45243 | |||||||||||||
SP-CAAAGGH | 2011-10-19 | 2011-10-19 | Splunk 4.2.4 addresses two vulnerabilities | - | - | - | SPL-42471, SPL-42474 | |||||||||||||
SP-CAAAGD3 | 2011-08-09 | 2011-08-09 | Splunk 4.2.3 addresses two vulnerabilities | - | - | - | SPL-40804, SPL-40645 | |||||||||||||
SP-CAAAF72 | 2011-06-15 | 2011-06-15 | Open Redirect in Splunk Web | - | 3.6 | - | SPL-38704 | |||||||||||||
SP-CAAAF5K | 2011-04-18 | 2011-04-18 | Reflected XSS with Splunk Web | - | 6.0 | - | SPL-38585 | |||||||||||||
SP-CAAAFW6 | 2011-02-10 | 2011-02-10 | Splunk 4.1.7 addresses five security vulnerabilities | - | - | - | SPL-34355, SPL-35709, SPL-35710, SPL-37226, SPL-37227 | |||||||||||||
SP-CAAAFVU | 2010-12-01 | 2010-12-01 | Splunk 4.1.6 updates OpenSSL to 0.9.8p to address CVE-2010-3864 | - | - | - | - | |||||||||||||
SP-CAAAFQ6 | 2010-09-09 | 2010-09-09 | Splunk 4.1.5 addresses two security vulnerabilities | - | - | - | SPL-31061, SPL-31094 | |||||||||||||
SP-CAAAFHY | 2010-06-07 | 2010-06-07 | Cross-site Scripting in Splunk Web with 404 Responses in Internet Explorer | - | 4 | - | - | |||||||||||||
SP-CAAAFGS | 2010-05-10 | 2010-05-10 | Vulnerability in example PAM authentication script | - | - | - | - | |||||||||||||
SP-CAAAFGD | 2010-05-03 | 2010-05-03 | Splunk Critical Maintenance Release and Patch | - | - | - | SPL-31194, SPL-31063, SPL-31067, SPL-31084, SPL-31084, SPL-31085, SPL-31066 |