Splunk Security Advisories and Third Party Bulletins

This page lists announcements of Splunk Security Advisories and Third Party Bulletins. For all Advisories, Announcements, and Bulletins, see the Security Advisories list.

 

Security Advisories

Security Advisories are collections of disclosures and security fixes for supported versions of Splunk products. Splunk publishes Security Advisories to alert customers to security issues in Splunk products that Splunk has remedied. Splunk makes advisories available for versions of Splunk products that it supports at the time of disclosure through ongoing cloud or on-premises maintenance releases. When Splunk cannot backport a patch due to technical feasibility or otherwise, it publishes mitigations and additional compensating control guidance.

Splunk publishes Security Advisories alongside corresponding product releases. Splunk encourages customers to add its Really Simple Syndication (RSS) feed to their RSS reader to receive a notification when Splunk publishes the advisories.



SVD | Date | Last Modified | Title | Severity | CVE | CVSS Vector | CVSS Score | CWE | Bug | Affected Products | Fixed Versions | Affected Versions | All Affected Versions | Affected Components | Description | Solution | Mitigations | Severity Summary | OSS | Credit

SVD-2024-0111: Sensitive Information Disclosure to Internal Log Files in Splunk Add-on Builder

Date: 2024-01-30
Last Modified: 2024-01-30
Severity: High
CVE: CVE-2023-46230
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:L
CVSS Score: 8.2
CWE: CWE-532
Bug: ADDON-63640

| Affected Products | Fixed Versions | Affected Versions | All Affected Versions | Affected Components |
| --- | --- | --- | --- | --- |
| Splunk Add-on Builder - | 4.1.4 | Below 4.1.4 | 4.1.4 | Add-on Builder |

Description: In Splunk Add-on Builder versions below 4.1.4, the app writes sensitive information to internal log files.

Solution: Upgrade Splunk Add-on Builder to version 4.1.4 or higher, delete the logs, and delete the events.

Mitigations: N/A

Severity Summary: Splunk rates this vulnerability as a 8.2, High, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:L.

Credit: Vikram Ashtaputre, Splunk

SVD-2024-0110: Session Token Disclosure to Internal Log Files in Splunk Add-on Builder

Date: 2024-01-30
Last Modified: 2024-01-30
Severity: High
CVE: CVE-2023-46231
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
CVSS Score: 8.8
CWE: CWE-532
Bug: ADDON-63902

| Affected Products | Fixed Versions | Affected Versions | All Affected Versions | Affected Components |
| --- | --- | --- | --- | --- |
| Splunk Add-on Builder - | 4.1.4 | Below 4.1.4 | 4.1.4 | Add-on Builder |

Description: In Splunk Add-on Builder versions below 4.1.4, the application writes user session tokens to its internal log files when you visit the Splunk Add-on Builder or when you build or edit a custom app or add-on.

Solution: Upgrade Splunk Add-on Builder to version 4.1.4 or higher, delete the logs, and delete the events.

Mitigations: N/A

Severity Summary: Splunk rates this vulnerability as a 8.8, High, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H.

Credit: Vikram Ashtaputre, Splunk

SVD-2024-0108: Deserialization of Untrusted Data on Splunk Enterprise for Windows through Path Traversal from Separate Disk Partition

Date: 2024-01-22
Last Modified: 2024-01-30
Severity: High
CVE: CVE-2024-23678
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
CVSS Score: 7.5
CWE: CWE-20
Bug: SPL-240674

| Affected Products | Fixed Versions | Affected Versions | All Affected Versions | Affected Components |
| --- | --- | --- | --- | --- |
| Splunk Enterprise 9.0 | 9.0.8 | 9.0.0 to 9.0.7 | 9.0.8 | Splunk Web |
| Splunk Enterprise 9.1 | 9.1.3 | 9.1.0 to 9.1.2 | 9.1.3 | Splunk Web |

Description: In Splunk Enterprise for Windows versions below 9.0.8 and 9.1.3, Splunk Enterprise does not correctly sanitize path input data. This results in the unsafe deserialization of untrusted data from a separate disk partition on the machine. This vulnerability only affects Splunk Enterprise for Windows.

Solution: Upgrade Splunk Enterprise for Windows to 9.0.8, 9.1.3, or higher. This vulnerability does not affect Splunk Cloud Platform.

Mitigations: If users do not log in to Splunk Web on instances in a distributed environment, disable Splunk Web on those instances. See [Disable unnecessary Splunk Enterprise components](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) and the [web.conf](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf) configuration specification file for more information on disabling Splunk Web.

Severity Summary: Splunk rates this vulnerability a 7.5, High, with a CVSSv3.1 vector of CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H. If you do not run Splunk Enterprise on a Windows machine, then there is no impact and the severity is Informational.

Credit: Danylo Dmytriiev (DDV_UA)

SVD-2024-0107: Server Response Disclosure in RapidDiag Salesforce.com Log File

Date: 2024-01-22
Last Modified: 2024-01-22
Severity: Medium
CVE: CVE-2024-23677
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVSS Score: 4.3
CWE: CWE-532
Bug: SPL-225757

| Affected Products | Fixed Versions | Affected Versions | All Affected Versions | Affected Components |
| --- | --- | --- | --- | --- |
| Splunk Enterprise 9.0 | 9.0.8 | 9.0.0 to 9.0.7 | 9.0.8 | Splunk Web |
| Splunk Cloud - | 9.0.2208 | Versions below 9.0.2208 | 9.0.2208 | Splunk Web |

Description: In Splunk Enterprise versions below 9.0.8, the Splunk RapidDiag utility discloses server responses to an external application upload request in a log file. The log files might contain sensitive information.

Solution: Upgrade Splunk Enterprise to 9.0.8 or higher. Splunk is actively monitoring and patching Splunk Cloud Platform instances.

Mitigations: N/A

Severity Summary: Splunk rates this vulnerability a 4.3, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N.

Credit: Vikram Ashtaputre, Splunk

SVD-2024-0106: Sensitive Information Disclosure of Index Metrics through “mrollup” SPL Command

Date: 2024-01-22
Last Modified: 2024-01-23
Severity: Medium
CVE: CVE-2024-23676
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
CVSS Score: 4.6
CWE: CWE-20
Bug: SPL-245947

| Affected Products | Fixed Versions | Affected Versions | All Affected Versions | Affected Components |
| --- | --- | --- | --- | --- |
| Splunk Enterprise 9.0 | 9.0.8 | 9.0.0 to 9.0.7 | 9.0.8 | Splunk Web |
| Splunk Enterprise 9.1 | 9.1.3 | 9.1.0 to 9.1.2 | 9.1.3 | Splunk Web |
| Splunk Cloud - | 9.1.2308.200 | Versions below 9.1.2308.200 | 9.1.2308.200 | Splunk Web |

Description: In Splunk versions below 9.0.8 and 9.1.3, the “mrollup” SPL command lets a low-privileged user view metrics on an index that they do not have permission to view. This vulnerability requires user interaction from a high-privileged user to exploit. See [Splunk Enterprise Metrics](https://docs.splunk.com/Documentation/Splunk/latest/Metrics/Overview) for information on Metrics.

Solution: Upgrade Splunk Enterprise to versions 9.0.8, 9.1.3, or higher. Splunk is actively monitoring and patching Splunk Cloud Platform instances.

Mitigations: If users do not log in to Splunk Web in a distributed environment, disable Splunk Web on those instances. See [Disable unnecessary Splunk Enterprise components](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) and the [web.conf](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf) configuration specification file for more information on disabling Splunk Web. If users do not need access to metrics indexes, remove authorization to search those indexes. See [About configuring role-based user access](https://docs.splunk.com/Documentation/Splunk/latest/Security/Aboutusersandroles) for information on how to configure role-based user access.

Severity Summary: Splunk rates this vulnerability a 4.6, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N.

Credit: Anton (therceman)

SVD-2024-0105: Splunk App Key Value Store (KV Store) Improper Handling of Permissions Leads to KV Store Collection Deletion

Date: 2024-01-22
Last Modified: 2024-01-30
Severity: Medium
CVE: CVE-2024-23675
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
CVSS Score: 6.5
CWE: CWE-284
Bug: SPL-246067

| Affected Products | Fixed Versions | Affected Versions | All Affected Versions | Affected Components |
| --- | --- | --- | --- | --- |
| Splunk Enterprise 9.0 | 9.0.8 | 9.0.0 to 9.0.7 | 9.0.8 | Splunk REST API |
| Splunk Enterprise 9.1 | 9.1.3 | 9.1.0 to 9.1.2 | 9.1.3 | Splunk REST API |
| Splunk Cloud - | 9.1.2312.100 | Versions below 9.1.2312.100 | 9.1.2312.100 | Splunk REST API |

Description: In Splunk Enterprise versions below 9.0.8 and 9.1.3, Splunk app key value store (KV Store) improperly handles permissions for users that use the REST application programming interface (API). This can potentially result in the deletion of KV Store collections.

Solution: Upgrade Splunk Enterprise to 9.0.8, 9.1.3, or higher. Splunk is actively monitoring and patching Splunk Cloud Platform instances.

Mitigations: Remove the `list_all_objects` capability from users that do not require it. See [Define roles on the Splunk platform with capabilities](https://docs.splunk.com/Documentation/Splunk/latest/Security/Rolesandcapabilities) for more information. If you are not using KV Store, you can disable it. See [Disable the KV store](https://docs.splunk.com/Documentation/Splunk/latest/Admin/AboutKVstore) for more information. Note: removing the list_all_objects capability may significantly impair user functionality.

Severity Summary: Splunk rates this vulnerability a 6.5, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N.

Credit: Julian Kaufmann

SVD-2024-0102: Denial of Service in Splunk Enterprise Security of the Investigations manager through Investigation creation

Date: 2024-01-09
Last Modified: 2024-01-10
Severity: Medium
CVE: CVE-2024-22165
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVSS Score: 6.5
CWE: CWE-20
Bug: SOLNESS-35977

| Affected Products | Fixed Versions | Affected Versions | All Affected Versions | Affected Components |
| --- | --- | --- | --- | --- |
| Splunk Enterprise Security (ES) 7.3 | 7.3.0 | - | 7.3.0 | - |
| Splunk Enterprise Security (ES) 7.2 | 7.2.0 | - | 7.2.0 | - |
| Splunk Enterprise Security (ES) 7.1 | 7.1.2 | Below 7.1.2 | 7.1.2 | - |

Description: In Splunk Enterprise Security (ES) versions lower than 7.1.2, an attacker can create a malformed Investigation to perform a denial of service (DoS). The malformed investigation prevents the generation and rendering of the Investigations manager until it is deleted. The vulnerability requires an authenticated session and access to create an Investigation. It only affects the availability of the Investigations manager, but without the manager, the Investigations functionality becomes unusable for most users.

Solution: Upgrade Splunk Enterprise Security (ES) to version 7.1.2, 7.2.0, 7.3.0 or higher.

Mitigations: N/A

Severity Summary: Splunk rates this vulnerability a 6.5, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H.

Credit: Eric LaMothe, Splunk

SVD-2024-0101: Denial of Service of an Investigation in Splunk Enterprise Security through Investigation attachments

Date: 2024-01-09
Last Modified: 2024-01-10
Severity: Medium
CVE: CVE-2024-22164
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
CVSS Score: 4.3
CWE: CWE-400
Bug: SOLNESS-35980

| Affected Products | Fixed Versions | Affected Versions | All Affected Versions | Affected Components |
| --- | --- | --- | --- | --- |
| Splunk Enterprise Security (ES) 7.3 | 7.3.0 | - | 7.3.0 | - |
| Splunk Enterprise Security (ES) 7.2 | 7.2.0 | - | 7.2.0 | - |
| Splunk Enterprise Security (ES) 7.1 | 7.1.2 | Below 7.1.2 | 7.1.2 | - |

Description: In Splunk Enterprise Security (ES) versions below 7.1.2, an attacker can use investigation attachments to perform a denial of service (DoS) to the investigation. The attachment endpoint does not properly limit the size of the request, which lets an attacker cause the investigation to become inaccessible. The vulnerability requires the authenticated, collaborator access to the Investigation and only affects the availability of an affected Investigation.

Solution: Upgrade Splunk Enterprise Security (ES) to versions 7.1.2, 7.2.0, 7.3.0 or higher.

Mitigations: N/A

Severity Summary: Splunk rates this vulnerability a 4.3, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L.

Credit: Vikram Ashtaputre, Splunk

SVD-2023-1104: Remote code execution (RCE) in Splunk Enterprise through Insecure XML Parsing

Date: 2023-11-16
Last Modified: 2023-12-12
Severity: High
CVE: CVE-2023-46214
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
CVSS Score: 8.0
CWE: CWE-91
Bug: SPL-241695

| Affected Products | Fixed Versions | Affected Versions | All Affected Versions | Affected Components |
| --- | --- | --- | --- | --- |
| Splunk Enterprise 9.0 | 9.0.7 | 9.0.0 to 9.0.6 | 9.0.7 | Splunk Web |
| Splunk Enterprise 9.1 | 9.1.2 | 9.1.0 to 9.1.1 | 9.1.2 | Splunk Web |
| Splunk Cloud - | 9.1.2308 | Versions below 9.1.2308 | 9.1.2308 | Splunk Web |

Description: In Splunk Enterprise versions below 9.0.7 and 9.1.2, Splunk Enterprise does not safely sanitize extensible stylesheet language transformations (XSLT) that users supply. This means that an attacker can upload malicious XSLT which can result in remote code execution on the Splunk Enterprise instance.

Solution: Upgrade Splunk Enterprise to either 9.0.7 or 9.1.2. Splunk is actively monitoring and patching Splunk Cloud Platform instances.

Mitigations: If you cannot upgrade, limit the ability of search job requests to accept XML stylesheet language (XSL) as valid input.

Edit the `web.conf` configuration file and add the following configuration on instances where you want to limit the ability of search job requests to accept XSL:

`[settings]`
`enableSearchJobXslt = false`

For more information on modifying the web.conf configuration file, see [How to edit a configuration file](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Howtoeditaconfigurationfile) and the [web.conf](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf) configuration specification. For earlier Splunk Enterprise versions, review the web.conf specification for availability of the `enableSearchJobXslt` setting.

Severity Summary: Splunk rates this vulnerability a 8.0, High, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H.

Credit: Alex Hordijk

SVD-2023-1103: Cross-site Scripting (XSS) on “Show Syntax Highlighted” View in Search Page

Date: 2023-11-16
Last Modified: 2023-11-20
Severity: Medium
CVE: CVE-2023-46213
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
CVSS Score: 4.8
CWE: CWE-79
Bug: VULN-5768

| Affected Products | Fixed Versions | Affected Versions | All Affected Versions | Affected Components |
| --- | --- | --- | --- | --- |
| Splunk Enterprise 9.0 | 9.0.7 | 9.0.0 to 9.0.6 | 9.0.7 | Splunk Web |
| Splunk Enterprise 9.1 | 9.1.2 | 9.1.0 to 9.1.1 | 9.1.2 | Splunk Web |
| Splunk Cloud - | 9.1.2308 | Versions below 9.1.2308 | 9.1.2308 | Splunk Web |

Description: In Splunk Enterprise versions below 9.0.7 and 9.1.2, the “Show syntax highlighted” feature of the Search page does not effectively escape log file characters. This vulnerability lets an attacker craft a log file which can execute unauthorized Javascript code in the browser of a user that interacts with events in the malicious log file in a specific way.

Solution: Upgrade Splunk Enterprise to versions 9.0.7 or 9.1.2. Splunk is actively monitoring and patching Splunk Cloud Platform instances.

Mitigations: If users do not log in to Splunk Web on indexers in a distributed environment, disable Splunk Web on those indexers. See [Disable unnecessary Splunk Enterprise components](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) and the [web.conf configuration specification](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf) file in the Splunk documentation for more information on disabling Splunk Web. Do not use the “Show syntax highlighted” feature in the Search page on imported log files whose origins you are not familiar with.

Severity Summary: Splunk rates this vulnerability a 4.8, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. If the Splunk Enterprise instance does not run Splunk Web, it is not affected and this vulnerability can be considered Informational.

Credit: Joshua Neubecker

SVD-2023-0810: Unauthenticated Log Injection in Splunk IT Service Intelligence (ITSI)

Date: 2023-08-30
Last Modified: 2023-09-29
Severity: High
CVE: CVE-2023-4571
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CVSS Score: 8.6
CWE: CWE-117
Bug: ITSI-31707

| Affected Products | Fixed Versions | Affected Versions | All Affected Versions | Affected Components |
| --- | --- | --- | --- | --- |
| Splunk ITSI 4.13 | 4.13.3 | 4.13.0 to 4.13.2 | 4.13.3 | - |
| Splunk ITSI 4.15 | 4.15.3 | 4.15.0 to 4.15.2 | 4.15.3 | - |
| Splunk ITSI 4.17 | 4.17.1 | 4.17.0 | 4.17.1 | - |

Description: In Splunk IT Service Intelligence (ITSI) versions below 4.13.3, 4.15.3, or 4.17.1, a malicious actor can inject American National Standards Institute (ANSI) escape codes into Splunk ITSI log files that, when a vulnerable terminal application reads them, can run malicious code in the vulnerable application. This attack requires a user to use a terminal application that translates ANSI escape codes to read the malicious log file locally in the vulnerable terminal. The vulnerability also requires additional user interaction to succeed.

Solution: For Splunk ITSI, upgrade to version 4.13.3, 4.15.3, or 4.17.1. Upgrading or mitigating the issue prevents future log injections. However, logs that were generated prior to an upgrade might be at risk. Where applicable, remove existing Splunk ITSI log files in either $SPLUNK_HOME/var/log/splunk/ or $SPLUNK_HOME/var/run/splunk/dispatch/<session_id>/itsi_search.log. On Windows ITSI instances, the log files are in %SPLUNK_HOME%\var\log\splunk and %SPLUNK_HOME%\var\run\splunk\dispatch\<session_id>\itsi_search.log.

Mitigations: As a partial mitigation, users can protect themselves from log injections via ANSI escape characters by disabling the ability to process ANSI escape codes in terminal applications or using a terminal application that supports the filtering of ANSI codes.

Severity Summary: Splunk rates the vulnerability as High, 8.6, with a CVSS Vector of CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H.

**Attack Vector:** The attack initially occurs at the network layer through an HTTP web request from the attacker to the vulnerable Splunk ITSI instance. However, this initial attack vector does not align with the CVSS metrics for “Attack Vector.” In most vulnerabilities that Splunk rates, the vector would align with those metrics, but the CVSS specification provides two qualifications for the “Local” metric. Specifically, the second qualification states the following: “the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document).” The attack mirrors this example, requiring the user to open a malicious document, for example, the injected log file. Because of this, Splunk rated the Attack Vector as “Local” per the CVSS v3.1 Specification Document.

**Attack Complexity:** The vulnerability does not require additional preparation from the attacker, and there are no extenuating circumstances for exploiting the vulnerability.

**Privileges Required:** The vulnerability does not require attacker privileges and occurs through an unauthenticated request to the Splunk ITSI instance.

**User Interaction:** The vulnerability requires users to open or read the malicious document, file, or log for successful execution.

**Scope:** The vulnerability does not affect Splunk ITSI directly, only indirectly through the authorized permissions in the user’s terminal. The vulnerability directly affects the user’s terminal, which falls outside of Splunk’s security authority. As such, the vulnerability qualifies for a Change in Scope.

**Confidentiality/Integrity/Availability:** The vulnerability allows for the potential for remote code execution within the context of a user’s terminal. Because of this, out of an abundance of caution, Splunk rated the impact on the user’s terminal as High for all three vectors. The indirect impact on Splunk ITSI might vary significantly depending on how the user configured permissions in their terminal application.

Credit: STÖK / Fredrik Alexandersson

SVD-2023-0807: Command Injection in Splunk Enterprise Using External Lookups

Date: 2023-08-30
Last Modified: 2023-10-18
Severity: High
CVE: CVE-2023-40598
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
CVSS Score: 8.5
CWE: CWE-77
Bug: SPL-230071

| Affected Products | Fixed Versions | Affected Versions | All Affected Versions | Affected Components |
| --- | --- | --- | --- | --- |
| Splunk Enterprise 8.2 | 8.2.12 | 8.2.0 to 8.2.11 | 8.2.12 | Splunk Web |
| Splunk Enterprise 9.0 | 9.0.6 | 9.0.0 to 9.0.5 | 9.0.6 | Splunk Web |
| Splunk Enterprise 9.1 | 9.1.1 | 9.1.0 | 9.1.1 | Splunk Web |
| Splunk Cloud - | 9.0.2305.200 | 9.0.2305.100 and below | 9.0.2305.200 | Splunk Web |

Description: In Splunk Enterprise versions below 8.2.12, 9.0.6, and 9.1.1, an attacker can create an external lookup that calls a legacy internal function. The attacker can use this internal function to insert code into the Splunk platform installation directory. From there, a user can execute arbitrary code on the Splunk platform Instance. The vulnerability revolves around the currently-deprecated `runshellscript` command that scripted alert actions use. This command, along with external command lookups, lets an attacker use this vulnerability to inject and execute commands within a privileged context from the Splunk platform instance.

Solution: Upgrade Splunk Enterprise to either 8.2.12, 9.0.6, or 9.1.1. Splunk is actively upgrading and monitoring Splunk Cloud deployments.

Mitigations: If users do not log in to Splunk Web on indexers in a distributed environment, disable Splunk Web on those indexers. See [Disable unnecessary Splunk Enterprise components](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) and the [web.conf configuration specification](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf) file in the Splunk documentation for more information on disabling Splunk Web.

Severity Summary: Splunk rates this vulnerability 8.5, High, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H.

Credit: Danylo Dmytriiev (DDV_UA)

SVD-2023-0806: Absolute Path Traversal in Splunk Enterprise Using runshellscript.py

Date: 2023-08-30
Last Modified: 2023-10-18
Severity: High
CVE: CVE-2023-40597
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
CVSS Score: 7.8
CWE: CWE-36
Bug: VULN-5304

| Affected Products | Fixed Versions | Affected Versions | All Affected Versions | Affected Components |
| --- | --- | --- | --- | --- |
| Splunk Enterprise 8.2 | 8.2.12 | 8.2.0 to 8.2.11 | 8.2.12 | Splunk Web |
| Splunk Enterprise 9.0 | 9.0.6 | 9.0.0 to 9.0.5 | 9.0.6 | Splunk Web |
| Splunk Enterprise 9.1 | 9.1.1 | 9.1.0 | 9.1.1 | Splunk Web |
| Splunk Cloud - | 9.0.2305.200 | 9.0.2305.100 and below | 9.0.2305.200 | Splunk Web |

Description: In Splunk Enterprise versions lower than 8.2.12, 9.0.6, and 9.1.1, an attacker can exploit an absolute path traversal to execute arbitrary code that is located on a separate disk. The runshellscript.py script does not perform adequate user validation. This lets an attacker use the runshellscript.py script to run a script in the root directory of another disk on the machine. The exploit requires the attacker to have write access to the drive on which they place the exploit script. This vulnerability only affects Splunk Enterprise Instances that run on Windows.

Solution: Upgrade Splunk Enterprise to 8.2.12, 9.0.6, or 9.1.1. This vulnerability does not affect Splunk Cloud Platform instances.

Mitigations: No mitigations

Severity Summary: Splunk rates this vulnerability a 7.8, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H. This vulnerability only affects Splunk Enterprise Instances that run on Windows machines. If your Splunk platform instance does not run on Windows, it is not affected and this vulnerability is considered informational.

Credit: Danylo Dmytriiev (DDV_UA)

SVD-2023-0805: Splunk Enterprise on Windows Privilege Escalation due to Insecure OPENSSLDIR Build Definition Reference in DLL

Date: 2023-08-30
Last Modified: 2023-08-30
Severity: High
CVE: CVE-2023-40596
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 7.0
CWE: CWE-665
Bug: VULN-4474

| Affected Products | Fixed Versions | Affected Versions | All Affected Versions | Affected Components |
| --- | --- | --- | --- | --- |
| Splunk Enterprise 8.2 | 8.2.12 | 8.2.0 to 8.2.11 | 8.2.12 | Splunk Web |
| Splunk Enterprise 9.0 | 9.0.6 | 9.0.0 to 9.0.5 | 9.0.6 | Splunk Web |
| Splunk Enterprise 9.1 | 9.1.1 | 9.1.0 | 9.1.1 | Splunk Web |

Description: In Splunk Enterprise versions earlier than 8.2.12, 9.0.6, and 9.1.1, a dynamic link library (DLL) that ships with Splunk Enterprise references an insecure path for the OPENSSLDIR build definition. An attacker can abuse this reference and subsequently install malicious code to achieve privilege escalation on the Windows machine. As part of creating the DLL files within a Splunk Enterprise installation, the build system specifies internal build definition references. If a reference for a build definition is not provided, the build system uses the local directory on the build system when it builds the DLL files. The OPENSSLDIR definition reference was not explicitly provided at build time, which resulted in an insecure path for the OPENSSLDIR definition being encoded into the affected DLL file. An attacker could determine this directory and subsequently create the directory structure locally on the Splunk Enterprise instance, then install malicious code within this directory structure to escalate their privileges on the Windows machine that runs the instance.

Solution: Upgrade Splunk Enterprise to versions 8.2.12, 9.0.6, or 9.1.1. This vulnerability does not affect Splunk Cloud Platform.

Mitigations: Restrict the permissions of the user that runs the splunkd process to core functionality. For more information, please review [Harden Your Windows Installation](https://docs.splunk.com/Documentation/Splunk/latest/Security/HardenyourWindowsinstallation).

Severity Summary: Splunk rates this vulnerability as 7.0, High, with a CVSSv3.1 vector of CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. If you do not run Splunk Enterprise on a Windows machine, then there is no impact and the severity is Informational.

Credit: Will Dormann, Vul Labs

SVD-2023-0804: Remote Code Execution via Serialized Session Payload

Date: 2023-08-30
Last Modified: 2023-10-18
Severity: High
CVE: CVE-2023-40595
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 8.8
CWE: CWE-502
Bug: PRODSECOPS-25334

| Affected Products | Fixed Versions | Affected Versions | All Affected Versions | Affected Components |
| --- | --- | --- | --- | --- |
| Splunk Enterprise 8.2 | 8.2.12 | 8.2.0 to 8.2.11 | 8.2.12 | Splunk Web |
| Splunk Enterprise 9.0 | 9.0.6 | 9.0.0 to 9.0.5 | 9.0.6 | Splunk Web |
| Splunk Enterprise 9.1 | 9.1.1 | 9.1.0 | 9.1.1 | Splunk Web |
| Splunk Cloud - | 9.0.2305.200 | 9.0.2305.100 and below | 9.0.2305.200 | Splunk Web |

Description: In Splunk Enterprise versions lower than 8.2.12, 9.0.6, and 9.1.1, an attacker can execute a specially crafted query that they can then use to serialize untrusted data. The attacker can use the query to execute arbitrary code. The exploit requires the use of the `collect` SPL command which writes a file within the Splunk Enterprise installation. The attacker can then use this file to submit a serialized payload that can result in execution of code within the payload.

Solution: Upgrade Splunk Enterprise to versions 8.2.12, 9.0.6, or 9.1.1. For Splunk Cloud Platform, Splunk is actively monitoring and patching affected instances.

Mitigations: If users do not log in to Splunk Web on indexers in a distributed environment, disable Splunk Web on those indexers. See [Disable unnecessary Splunk Enterprise components](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) and the [web.conf configuration specification](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf) file in the Splunk documentation for more information on disabling Splunk Web.

Severity Summary: Splunk rated the vulnerability as High, 8.8, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. If the Splunk Enterprise instance does not run Splunk Web, there is no impact and the severity is Informational.

Credit: Danylo Dmytriiev (DDV_UA)

SVD-2023-0803: Denial of Service (DoS) via the ‘printf’ Search Function

Date: 2023-08-30
Last Modified: 2023-10-18
Severity: Medium
CVE: CVE-2023-40594
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
CVSS Score: 6.5
CWE: CWE-400
Bug: SPL-235294

| Affected Products | Fixed Versions | Affected Versions | All Affected Versions | Affected Components |
| --- | --- | --- | --- | --- |
| Splunk Enterprise 8.2 | 8.2.12 | 8.2.0 to 8.2.11 | 8.2.12 | Splunk Web |
| Splunk Enterprise 9.0 | 9.0.6 | 9.0.0 to 9.0.5 | 9.0.6 | Splunk Web |
| Splunk Enterprise 9.1 | 9.1.1 | 9.1.0 | 9.1.1 | Splunk Web |
| Splunk Cloud - | 9.0.2303.100 | 9.0.2209 and lower | 9.0.2303.100 | Splunk Web |

Description: In Splunk Enterprise versions lower than 8.2.12, 9.0.6, and 9.1.1, an attacker can use the ‘printf’ SPL function to perform a denial of service (DoS) against the Splunk Enterprise instance through a crash of the Splunk daemon. The `printf` function does not properly validate expressions in certain cases in combination with commands like `fieldformat` that occur earlier in the search pipeline. This failure to validate results in a crash of the Splunk daemon and the subsequent DoS.

Solution: Upgrade Splunk Enterprise to versions 8.2.12, 9.0.6, or 9.1.1. Splunk is actively monitoring and patching Splunk Cloud Platform instances.

Mitigations: If users do not log in to Splunk Web on indexers in a distributed environment, disable Splunk Web on those indexers. See [Disable unnecessary Splunk Enterprise components](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) and the [web.conf configuration specification](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf) file in the Splunk documentation for more information on disabling Splunk Web.

Severity Summary: Splunk has rated this vulnerability as 6.5, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H.

Credit: Danylo Dmytriiev (DDV_UA)

SVD-2023-0802: Denial of Service (DoS) in Splunk Enterprise Using a Malformed SAML Request

Date: 2023-08-30
Last Modified: 2023-10-18
Severity: Medium
CVE: CVE-2023-40593
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H
CVSS Score: 6.3
CWE: CWE-400
Bug: SPL-219455

| Affected Products | Fixed Versions | Affected Versions | All Affected Versions | Affected Components |
| --- | --- | --- | --- | --- |
| Splunk Enterprise 8.2 | 8.2.12 | 8.2.0 to 8.2.11 | 8.2.12 | Splunk Web |
| Splunk Enterprise 9.0 | 9.0.6 | 9.0.0 to 9.0.5 | 9.0.6 | Splunk Web |
| Splunk Cloud - | 9.0.2205 | 8.2.2203 | 9.0.2205 | Splunk Web |

Description: In Splunk Enterprise versions lower than 9.0.6, and 8.2.12, an attacker can send a malformed security assertion markup language (SAML) request to the `/saml/acs` REST endpoint which can cause a denial of service through a crash or hang of the Splunk daemon. The SAML extensible markup language (XML) parser does not fail SAML signature validation when the attacker modifies the URI in the SAML request. Instead it attempts to access the modified URI, which causes the Splunk daemon to crash or hang.

Solution: Upgrade Splunk Enterprise to versions 8.2.12 and 9.0.6. This vulnerability does not affect Splunk Enterprise versions 9.1.0 and higher. Splunk is actively monitoring and patching Splunk Cloud Platform instances.

Mitigations: Disable single sign-on using SAML as an authentication scheme (SAML SSO). For more information on this type of configuration, see [Configure single sign-on with SAML](https://docs.splunk.com/Documentation/SplunkCloud/latest/Security/HowSAMLSSOworks) in the Splunk documentation.

Severity Summary: Splunk rates this vulnerability as 6.3, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H. If your Splunk Enterprise Instance does not use SAML as an authentication scheme for SSO, it is not affected and this vulnerability can be considered informational.

Credit: Aaron Devaney (Dodekeract)

SVD-2023-0801: Reflected Cross-site Scripting (XSS) on "/app/search/table" web endpoint

Date: 2023-08-30
Last Modified: 2023-10-18
Severity: High
CVE: CVE-2023-40592
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
CVSS Score: 8.4
CWE: CWE-79
Bug: VULN-5287

| Affected Products | Fixed Versions | Affected Versions | All Affected Versions | Affected Components |
| --- | --- | --- | --- | --- |
| Splunk Enterprise 8.2 | 8.2.12 | 8.2.0 to 8.2.11 | 8.2.12 | Splunk Web |
| Splunk Enterprise 9.0 | 9.0.6 | 9.0.0 to 9.0.5 | 9.0.6 | Splunk Web |
| Splunk Enterprise 9.1 | 9.1.1 | 9.1.0 | 9.1.1 | Splunk Web |
| Splunk Cloud - | 9.0.2305.200 | 9.0.2305.100 and below | 9.0.2305.200 | Splunk Web |

Description: In Splunk Enterprise versions below 9.1.1, 9.0.6, and 8.2.12, an attacker can craft a special web request that can result in reflected cross-site scripting (XSS) on the “/app/search/table” web endpoint, which presents as the “Create Table View” page in Splunk Web. Exploitation of this vulnerability can lead to the execution of arbitrary commands on the Splunk platform instance. A JavaScript file within this web endpoint does not properly validate input which lets an attacker insert a payload into a function.

Solution: Upgrade Splunk Enterprise to versions 8.2.12, 9.0.6, or 9.1.1. Splunk is actively monitoring and patching Splunk Cloud Platform instances.

Mitigations: If users do not log in to Splunk Web on indexers in a distributed environment, disable Splunk Web on those indexers. See [Disable unnecessary Splunk Enterprise components](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) and the [web.conf configuration specification](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf) file in the Splunk documentation for more information on disabling Splunk Web.

Severity Summary: Splunk rated this vulnerability as 8.4, High, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H.

Credit: Danylo Dmytriiev (DDV_UA)

SVD-2023-07022023-07-312023-10-18 Unauthenticated Log Injection In Splunk SOARHigh CVE-2023-3997CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H8.6CWE-117SPL-241869 Splunk SOAR (On-premises)
Splunk SOAR (Cloud)
6.1.0
6.1.0
6.0.2 and lower
6.0.2 and lower
6.1.0
6.1.0
SOAR
SOAR
Description: In Splunk SOAR versions lower than 6.1.0, a maliciously crafted request to a web endpoint through Splunk SOAR can inject ANSI (American National Standards Institute) escape codes into Splunk log files that, when a vulnerable terminal application reads them, can potentially result in malicious code execution in the vulnerable application. This attack requires a Splunk SOAR user to use a terminal application that supports the translation of ANSI escape codes to read the malicious log file locally in the vulnerable application. The attack further requires the terminal user to execute the code. This vulnerability does not directly affect Splunk SOAR, only indirectly through the permissions in the user’s terminal. The indirect impact on Splunk SOAR can vary significantly depending on the permissions in the vulnerable terminal application and where and how the terminal user reads the malicious log file. For example, a terminal user can unknowingly copy the malicious file from the Splunk SOAR instance and read it on their local machine. In this case, that local machine would be affected.
Solution: Splunk SOAR (On-premises): Upgrade to version 6.1.0. Splunk SOAR (Cloud): No action is required. Splunk is actively patching and monitoring the Splunk SOAR (Cloud) instances.
Mitigations: If it is not currently practical to upgrade to Splunk SOAR version 6.1.0, you can partially mitigate the risk. As a partial, general mitigation, you can protect Splunk SOAR users from log injections via ANSI escape characters by disabling the ability to process ANSI escape codes in terminal applications or by using a terminal application that supports the filtering of ANSI codes.
Severity Summary: Splunk rates this vulnerability as High, 8.6, with a CVSS vector of CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H.
**Attack Vector:** The attack initially occurs at the network layer through an HTTP web request from the attacker to the vulnerable Splunk SOAR instance. However, this initial attack vector does not align with the CVSS metrics for “Attack Vector”. In most vulnerabilities that Splunk rates, the vector would align with CVSS metrics, but the CVSS specification provides two qualifications for the “Local” metric. Specifically, the second qualification states the following: *“The attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document).”* The attack mirrors this qualification, requiring another user to open a malicious document, for example, the injected log file. Because of this, Splunk rated this Attack Vector as “Local” per the CVSS v3.1 Specification Document.
**Attack Complexity:** This vulnerability requires no additional preparation from the attacker, and there are no extenuating circumstances for exploiting this vulnerability.
**Privileges Required:** This vulnerability does not require additional privileges and occurs through an unauthenticated web request to Splunk SOAR.
**User Interaction:** This vulnerability requires users to open or read the malicious document, file, or log for successful execution.
**Scope:** This vulnerability does not affect Splunk SOAR directly, only indirectly through the authorized permissions in the user’s terminal. This vulnerability directly affects the user’s terminal, which falls outside of Splunk’s security authority. As such, this vulnerability qualifies for a Change in Scope, as defined by the CVSS standard.
**Confidentiality/Integrity/Availability:** This vulnerability enables potential remote code execution within the context of a user’s terminal. Because of this, out of an abundance of caution, Splunk rated the impact on the user’s terminal as High for Confidentiality, Integrity and Availability. The indirect impact on Splunk SOAR might vary significantly depending on how the terminal user configured permissions in their terminal application.
Credit: STÖK / Fredrik Alexandersson
SVD-2023-0612 | 2023-06-01 | 2023-06-01 | Role-based Access Control (RBAC) Bypass on '/services/indexing/preview' REST Endpoint Can Overwrite Search Results | Medium | CVE-2023-32717 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N | 4.3 | CWE-285 | SPL-237454
Splunk Enterprise 8.1
Splunk Enterprise 8.2
Splunk Enterprise 9.0
Splunk Cloud Platform
8.1.14
8.2.11
9.0.5
9.0.2303.100
8.1.0 to 8.1.13
8.2.0 to 8.2.10
9.0.0 to 9.0.4
9.0.2303 and below
8.1.14
8.2.11
9.0.5
9.0.2303.100
Splunk Web
Splunk Web
Splunk Web
Splunk Web
Description: An unauthorized user can access the '/services/indexing/preview' REST endpoint to overwrite search results if they know the search ID (SID) of an existing search job. This is because the endpoint does not honor role-based access controls (RBAC) with respect to SID ownership. The exploit requires that the user hold a role that has the 'edit_monitor' and 'edit_upload_and_index' capabilities assigned to it.
Solution: For Splunk Enterprise, upgrade to versions 9.0.5, 8.2.11, or 8.1.14 and higher. For Splunk Cloud Platform, Splunk is monitoring and patching affected instances.
Mitigations: Remove the 'edit_monitor' and 'edit_upload_and_index' capabilities from roles that low-privilege user accounts hold. Ensure that all REST endpoints have the proper access control lists (ACLs) applied to them.
Severity Summary: Splunk rated this vulnerability as Medium, 4.3, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N.
Credit: Scott Calvert, Splunk
SVD-2023-0611 | 2023-06-01 | 2023-06-01 | Denial of Service via the 'dump' SPL command | Medium | CVE-2023-32716 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H | 6.5 | CWE-754 | SPL-235572
Splunk Enterprise 8.1
Splunk Enterprise 8.2
Splunk Enterprise 9.0
Splunk Cloud Platform
8.1.14
8.2.11
9.0.5
9.0.2303.100
8.1.0 to 8.1.13
8.2.0 to 8.2.10
9.0.0 to 9.0.4
9.0.2303 and below
8.1.14
8.2.11
9.0.5
9.0.2303.100
Splunk Web
Splunk Web
Splunk Web
Splunk Web
Description: An attacker can exploit a vulnerability in the 'dump' SPL command to cause a denial of service by crashing the Splunk daemon. If the attacker supplies a longer-than-expected filename with the command, a memory access violation, or segmentation fault, occurs, which results in a crash of the Splunk platform instance.
Solution: For Splunk Enterprise, upgrade to versions 9.0.5, 8.2.11, 8.1.14, and higher. For Splunk Cloud Platform, Splunk is actively monitoring and patching affected instances.
Mitigations: Remove the 'run_dump' capability from any roles that users hold.
Severity Summary: Splunk rated this vulnerability as Medium, 6.5, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H.
Credit: Danylo Dmytriiev (DDV_UA)
SVD-2023-0610 | 2023-06-01 | 2023-06-01 | Self Cross-Site Scripting (XSS) on Splunk App for Lookup File Editing | Medium | CVE-2023-32715 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N | 4.7 | CWE-79 | LOOKUP-176
Splunk App for Lookup File Editing 4.0
4.0.1
4.0 and lower
4.0.1

Description: A user can insert potentially malicious JavaScript code into the Splunk App for Lookup File Editing, which causes the code to run on the user’s machine.
Solution: Upgrade the Splunk App for Lookup Editing to version 4.0.1 or higher.
Mitigations: Disable the Splunk App for Lookup File Editing if you do not require it and cannot upgrade it. If users do not log in to Splunk Web on indexers in a distributed environment, disable Splunk Web on those indexers. See [Disable unnecessary Splunk Enterprise components](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) and the [web.conf configuration specification file](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf) in the Splunk documentation for more information on disabling Splunk Web.
Severity Summary: Splunk rated this vulnerability as Medium, 4.7, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N.
SVD-2023-0609 | 2023-06-01 | 2023-06-01 | Information Disclosure via the ‘copyresults’ SPL Command | Medium | CVE-2023-32710 | CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N | 4.8 | CWE-200 | SPL-234996
Splunk Enterprise 8.1
Splunk Enterprise 8.2
Splunk Enterprise 9.0
Splunk Cloud Platform
8.1.14
8.2.11
9.0.5
9.0.2303.100
8.1.0 to 8.1.13
8.2.0 to 8.2.10
9.0.0 to 9.0.4
9.0.2303 and lower
8.1.14
8.2.11
9.0.5
9.0.2303.100
Splunk Web
Splunk Web
Splunk Web
Splunk Web
Description: A low-privileged user can perform an unauthorized transfer of data from a search using the ‘copyresults’ command if they know the search ID (SID) of a search job that has recently run.
Solution: For Splunk Enterprise, upgrade versions to 8.1.14, 8.2.11, 9.0.5, or higher. For Splunk Cloud Platform, Splunk is actively patching and monitoring the Splunk Cloud instances.
Mitigations: N/A
Severity Summary: Splunk rated the vulnerability as Medium, 4.8, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N.
Credit: Anton (therceman)
SVD-2023-0608 | 2023-06-01 | 2023-06-01 | Path Traversal in Splunk App for Lookup File Editing | High | CVE-2023-32714 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N | 8.1 | CWE-35 | LOOKUP-177
Splunk App for Lookup File Editing 4.0
4.0.1
4.0 and lower
4.0.1

Description: A low-privileged user with access to the Splunk App for Lookup File Editing can, with a specially crafted web request, trigger a path traversal exploit that can then be used to read and write to restricted areas of the Splunk installation directory.
Solution: Upgrade the Splunk App for Lookup Editing to version 4.0.1 or higher.
Mitigations: N/A
Severity Summary: Splunk rated the vulnerability as High, 8.1, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N.
Credit: Torjus Bryne Retterstøl, Binary Security
SVD-2023-0607 | 2023-06-01 | 2023-06-01 | Local Privilege Escalation via the ‘streamfwd’ program in Splunk App for Stream | High | CVE-2023-32713 | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H | 7.8 | CWE-269 | STREAM-5290
Splunk App for Stream 8.1
8.1.1
8.1 and lower
8.1.1
streamfwd
Description: A low-privileged user could use a vulnerability in the streamfwd process within the Splunk App for Stream to escalate their privileges on the machine that runs the Splunk Enterprise instance, up to and including the root user.
Solution: Upgrade the Splunk App for Stream to version 8.1.1 or higher.
Mitigations:
* Install the Splunk App for Stream as a high-privileged user, for example, one that has been added to the /etc/sudoers file on the machine that runs the instance (on machines that run *nix).
* Limit user access to the ‘streamfwd’ process by removing all but privileged users' ability to run the process.
* Disable the Splunk App for Stream if you do not require it and cannot upgrade it.
Severity Summary: Splunk rated the vulnerability as High, 7.8 with a CVSSv3.1 vector of CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H. If the instance does not run the Splunk App for Stream, then there is no impact and the severity is Informational.
Credit: Ben Leonard-Lagarde & Lucas Fedyniak-Hopes (Modux)
SVD-2023-0606 | 2023-06-01 | 2023-10-18 | Unauthenticated Log Injection in Splunk Enterprise | High | CVE-2023-32712 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H | 8.6 | CWE-117 | SPL-235259
Splunk Enterprise 8.2
Splunk Enterprise 9.0
Splunk Enterprise 9.1
Universal Forwarder 8.2
Universal Forwarder 9.0
Universal Forwarder 9.1
8.2.11.2
9.0.5.1
9.1.0.2
8.2.12
9.0.6
9.1.1
8.2.0 to 8.2.11.1
9.0.0 to 9.0.5
9.1.0 to 9.1.0.1
8.2.11 and below
9.0.0 to 9.0.5
9.1.0 to 9.1.0.1
8.2.11.2
9.0.5.1
9.1.0.2
8.2.12
9.0.6
9.1.1
-
-
-
REST API
REST API
REST API
Description: In Splunk Enterprise versions below 9.1.0.2, 9.0.5.1, and 8.2.11.2, an attacker can inject American National Standards Institute (ANSI) escape codes into Splunk log files that, when a vulnerable terminal application reads them, can potentially, at worst, result in possible code execution in the vulnerable application. This attack requires a user to use a terminal application that supports the translation of ANSI escape codes to read the malicious log file locally in the vulnerable terminal, and to perform additional user interaction to exploit. Universal Forwarder versions 9.1.0.1, 9.0.5, 8.2.11, and lower can be vulnerable in the following situations:
* The forwarders have been configured to have management services active
* The active management services are exposed and accessible from the network
By default, all Universal Forwarder 9.0 and 9.1 versions bind management services to the local machine (localhost) and are not vulnerable in this specific configuration. See [SVD-2022-0605](https://advisory.splunk.com/advisories/SVD-2022-0605) for more information. Universal Forwarder versions 9.1 and higher use Unix Domain Sockets (UDS) for communication, further reducing the potential attack surface. The vulnerability does not directly affect Splunk Enterprise or Splunk Universal Forwarder. The indirect impact on the Splunk Enterprise instance and Universal Forwarders can vary significantly depending on the permissions in the vulnerable terminal application and where and how the user reads the malicious log file. For example, users can copy the malicious file from the Splunk Enterprise instance and read it on their local machine.
Solution: For Splunk Enterprise, upgrade to version 8.2.11.2, 9.0.5.1, or 9.1.0.2. For Splunk Universal Forwarder, upgrade to version 8.2.12, 9.0.6, or 9.1.1. This vulnerability does not affect Splunk Cloud Platform instances directly. Where possible, Splunk Cloud Platform customers with on-premises Splunk infrastructure, including universal and heavy forwarders, deployment servers, and license servers, must upgrade that infrastructure to reduce their attack surface. Upgrading or mitigating the issue prevents future log injections. However, logs that were created before performing the upgrades or mitigations can still pose a risk. Where applicable, remove Splunk Enterprise log files in the $SPLUNK_HOME/var/log/splunk/ directory.
Mitigations: As a partial mitigation, users can protect themselves from log injections via ANSI escape characters in general, by disabling the ability to process ANSI escape codes in terminal applications or using a terminal application that supports the filtering of ANSI codes. For Universal Forwarder versions 8.2.x, configure management services to only accept inbound connections from the local machine (localhost). For Universal Forwarder versions 9.0.x and 9.1.x, confirm that management services only accept inbound connections from localhost. To deactivate remote management services on Universal Forwarder:
* In the [server.conf](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Serverconf) configuration file on UF, under the [httpServer] stanza, give the `disableDefaultPort` setting a value of `true`, or, under the [general] stanza, give the `allowRemoteLogin` setting a value of `never`.
See [Configure universal forwarder management security](https://docs.splunk.com/Documentation/Splunk/latest/Security/EnableTLSCertHostnameValidation#Configure_universal_forwarder_management_security) in Securing Splunk Enterprise for more information on deactivating remote management services. For improved overall security on UF versions 9.1.x and higher, where applicable, consider configuring the UF to use UDS for communication. In the [server.conf](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Serverconf) configuration file, under the [httpServer] stanza, give the `mgmtMode` setting a value of `UDS` (or `default`).
Severity Summary: Splunk rates the vulnerability as High, 8.6, with a CVSS Vector of CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H.
**Attack Vector:** The attack initially occurs at the network layer through an HTTP web request from the attacker to the vulnerable Splunk Enterprise instance. However, this initial attack vector does not align with the CVSS metrics for "Attack Vector." In most vulnerabilities that Splunk rates, the vector would align with those metrics, but the CVSS specification provides two qualifications for the "Local" metric. Specifically, the second qualification states the following: _"the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document)."_ The attack mirrors this example, requiring the user to open a malicious document, for example, the injected log file. Because of this, Splunk rated the Attack Vector as "Local" per the CVSS v3.1 Specification Document.
**Attack Complexity:** The vulnerability requires no additional preparation from the attacker, and there are no extenuating circumstances for exploiting the vulnerability.
**Privileges Required:** The vulnerability does not require attacker privileges and occurs through an unauthenticated request to the Splunk Enterprise instance.
**User Interaction:** The vulnerability requires users to open or read the malicious document, file, or log for successful execution.
**Scope:** The vulnerability does not affect Splunk Enterprise directly, only indirectly through the authorized permissions in the user’s terminal. The vulnerability directly affects the user’s terminal, which falls outside of Splunk’s security authority. As such, the vulnerability qualifies for a Change in Scope.
**Confidentiality/Integrity/Availability:** The vulnerability allows for the potential for remote code execution within the context of a user’s terminal. Because of this, out of an abundance of caution, Splunk rated the impact on the user’s terminal as High for all three vectors. The indirect impact on Splunk Enterprise might vary significantly depending on how the user configured permissions in their terminal application.
Credit: STÖK / Fredrik Alexandersson
SVD-2023-0605 | 2023-06-01 | 2023-06-01 | Persistent Cross-Site Scripting (XSS) through a URL Validation Bypass within a Dashboard View | Medium | CVE-2023-32711 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | 5.4 | CWE-79 | SPL-234890
Splunk Enterprise 8.1
Splunk Enterprise 8.2
Splunk Enterprise 9.0
8.1.14
8.2.11
9.0.5
8.1.0 to 8.1.13
8.2.0 to 8.2.10
9.0.0 to 9.0.4
8.1.14
8.2.11
9.0.5
Splunk Web
Splunk Web
Splunk Web
Description: A Splunk dashboard view lets a low-privileged user exploit a vulnerability in the Bootstrap web framework (CVE-2019-8331) and build a stored cross-site scripting (XSS) payload.
Solution: For Splunk Enterprise, upgrade versions to 8.1.14, 8.2.11, 9.0.5, or higher. This vulnerability does not affect Splunk Cloud Platform instances.
Mitigations: If users do not log in to Splunk Web on indexers in a distributed environment, disable Splunk Web on those indexers. See [Disable unnecessary Splunk Enterprise components](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) and the [web.conf configuration specification file](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf) in the Splunk documentation for more information on disabling Splunk Web.
Severity Summary: Splunk rated the vulnerability as Medium, 5.4, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N.
Credit: Danylo Dmytriiev (DDV_UA)
SVD-2023-0604 | 2023-06-01 | 2023-06-01 | Low-privileged User can View Hashed Default Splunk Password | Medium | CVE-2023-32709 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N | 4.3 | CWE-285 | SPL-235016
Splunk Enterprise 8.1
Splunk Enterprise 8.2
Splunk Enterprise 9.0
Splunk Cloud Platform
8.1.14
8.2.11
9.0.5
9.0.2303.100
8.1.0 to 8.1.13
8.2.0 to 8.2.10
9.0.0 to 9.0.4
9.0.2303 and below
8.1.14
8.2.11
9.0.5
9.0.2303.100
Splunk Web
Splunk Web
Splunk Web
Splunk Web
Description: A low-privileged user who holds the ‘user’ role can see the hashed version of the initial user name and password for the Splunk instance by using the ‘rest’ SPL command against the ‘conf-user-seed’ REST endpoint.
Solution: For Splunk Enterprise, upgrade versions to 8.1.14, 8.2.11, 9.0.5, or higher. For Splunk Cloud Platform, Splunk is actively patching and monitoring the Splunk Cloud instances.
Mitigations: N/A
Severity Summary: Splunk rated the vulnerability as Medium, 4.3, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. If the initial admin password has been changed, then there is no impact and the severity is Informational.
Credit: Anton (therceman)
SVD-2023-0603 | 2023-06-01 | 2023-06-01 | HTTP Response Splitting via the ‘rest’ SPL Command | High | CVE-2023-32708 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | 7.2 | CWE-113 | SPL-235203
Splunk Enterprise 8.1
Splunk Enterprise 8.2
Splunk Enterprise 9.0
Splunk Cloud Platform
8.1.14
8.2.11
9.0.5
9.0.2303.100
8.1.0 to 8.1.13
8.2.0 to 8.2.10
9.0.0 to 9.0.4
9.0.2303 and lower
8.1.14
8.2.11
9.0.5
9.0.2303.100
Splunk Web
Splunk Web
Splunk Web
Splunk Web
Description: A low-privileged user can trigger an HTTP response splitting vulnerability with the ‘rest’ SPL command that lets them potentially access other REST endpoints in the system arbitrarily, including viewing restricted content.
Solution: For Splunk Enterprise, upgrade versions to 9.0.5, 8.2.11, 8.1.14, or higher. For Splunk Cloud Platform, Splunk is monitoring and patching affected instances.
Mitigations: For Splunk Enterprise, limit the number of searches a process can run by editing the limits.conf configuration file and giving the 'max_searches_per_process' setting a value of either 1 or 0. For Splunk Cloud Platform, file a support ticket to adjust this configuration setting.
Severity Summary: Splunk rated the vulnerability as High, 7.2, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H.
Credit: Danylo Dmytriiev (DDV_UA)
SVD-2023-0602 | 2023-06-01 | 2023-06-01 | ‘edit_user’ Capability Privilege Escalation | High | CVE-2023-32707 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | CWE-285 | SPL-232088
Splunk Enterprise 8.1
Splunk Enterprise 8.2
Splunk Enterprise 9.0
Splunk Cloud Platform
8.1.14
8.2.11
9.0.5
9.0.2303.100
8.1.0 to 8.1.13
8.2.0 to 8.2.10
9.0.0 to 9.0.4
9.0.2303 and below
8.1.14
8.2.11
9.0.5
9.0.2303.100
Splunk Web
Splunk Web
Splunk Web
Splunk Web
Description: A low-privileged user who holds a role that has the ‘edit_user’ capability assigned to it can escalate their privileges to that of the admin user by providing a specially crafted web request. This is because the ‘edit_user’ capability does not honor the ‘grantableRoles’ setting in the authorize.conf configuration file, which prevents this scenario from happening.
Solution: For Splunk Enterprise, upgrade versions to 9.0.5, 8.2.11, 8.1.14, or higher. For Splunk Cloud Platform, Splunk is actively patching and monitoring the Splunk Cloud instances.
Mitigations: Confirm that no role, other than the admin role or its equivalent, has the ‘edit_user’ capability assigned to it. Confirm that you neither assign the ‘edit_user’ capability to a role from which other roles inherit, nor that you assign a role with the capability to a user with low or no privileges.
Severity Summary: Splunk rated the vulnerability as High, 8.8, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.
Credit: Mr Hack (try_to_hack) Santiago Lopez
SVD-2023-0601 | 2023-06-01 | 2023-06-01 | Denial Of Service due to Untrusted XML Tag in XML Parser within SAML Authentication | High | CVE-2023-32706 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H | 7.7 | CWE-611 | SPL-224292
Splunk Enterprise 8.1
Splunk Enterprise 8.2
Splunk Enterprise 9.0
Splunk Cloud Platform 9.0.2303 and below
8.1.14
8.2.11
9.0.5
9.0.2303.100
8.1.0 to 8.1.13
8.2.0 to 8.2.10
9.0.0 to 9.0.4

8.1.14
8.2.11
9.0.5
9.0.2303.100
Splunk Web
Splunk Web
Splunk Web
Splunk Web
Description: An unauthenticated attacker can send specially-crafted messages to the XML parser within SAML authentication to cause a denial of service in the Splunk daemon. This happens when an incorrectly configured XML parser receives XML input that contains a reference to an entity expansion. Many recursive references to entity expansions can cause the XML parser to use all available memory on the machine, causing the Splunk daemon to crash or be terminated by the operating system.
Solution: For Splunk Enterprise, upgrade versions to 8.1.14, 8.2.11, 9.0.5, or higher. For Splunk Cloud Platform, Splunk is actively patching and monitoring the Splunk Cloud instances.
Mitigations: Disable single sign-on using SAML as an authentication scheme (SAML SSO). For more information on this type of configuration, see [Configure single sign-on with SAML](https://docs.splunk.com/Documentation/SplunkCloud/latest/Security/HowSAMLSSOworks) in the Splunk documentation.
Severity Summary: Splunk rated the vulnerability as High, 7.7 with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H. If the Splunk Enterprise instance does not use SAML SSO for authentication, there is no impact and the severity is Informational.
Credit: Vikram Ashtaputre, Splunk
SVD-2023-0213 | 2023-02-14 | 2023-02-14 | Modular Input REST API Requests Connect via HTTP after Certificate Validation Failure in Splunk Add-on Builder and Splunk CloudConnect SDK | Medium | CVE-2023-22943 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N | 4.8 | CWE-636 | ADDON-58725
Splunk Add-on Builder 4.1
Splunk CloudConnect SDK 3.1
4.1.2
3.1.3
4.1.1 and lower
3.1.2 and lower
4.1.2
3.1.3
cloudconnectlib
-
Chris Green
SVD-2023-0212 | 2023-02-14 | 2023-02-14 | Cross-Site Request Forgery in the ‘ssg/kvstore_client’ REST Endpoint in Splunk Enterprise | Medium | CVE-2023-22942 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L | 5.4 | CWE-352 | SPL-232619
Splunk Enterprise 8.1
Splunk Enterprise 8.2
Splunk Enterprise 9.0
8.1.13
8.2.10
9.0.4
8.1.12 and lower
8.2.0 to 8.2.9
9.0.0 to 9.0.3
8.1.13
8.2.10
9.0.4
Splunk Web
Splunk Web
Splunk Web
Anton (therceman)
SVD-2023-0211 | 2023-02-14 | 2023-02-14 | Improperly Formatted ‘INGEST_EVAL’ Parameter Crashes Splunk Daemon | Medium | CVE-2023-22941 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H | 6.5 | CWE-248 | SPL-232645
Splunk Enterprise 8.1
Splunk Enterprise 8.2
Splunk Enterprise 9.0
Splunk Cloud Platform -
8.1.13
8.2.10
9.0.4
9.0.2212
8.1.12 and lower
8.2.0 to 8.2.9
9.0.0 to 9.0.3
9.0.2209 and lower
8.1.13
8.2.10
9.0.4
9.0.2212
Splunk Web
Splunk Web
Splunk Web
Splunk Web
James Ervin, Splunk
SVD-2023-0210 | 2023-02-14 | 2023-02-14 | SPL Command Safeguards Bypass via the ‘collect’ SPL Command Aliases in Splunk Enterprise | Medium | CVE-2023-22940 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N | 6.3 | CWE-20 | SPL-232369
Splunk Enterprise 8.1
Splunk Enterprise 8.2
Splunk Enterprise 9.0
Splunk Cloud Platform -
8.1.13
8.2.10
9.0.4
9.0.2212
8.1.12 and lower
8.2.0 to 8.2.9
9.0.0 to 9.0.3
9.0.2209 and lower
8.1.13
8.2.10
9.0.4
9.0.2212
Splunk Web
Splunk Web
Splunk Web
Splunk Web
James Ervin, Splunk
SVD-2023-0209 | 2023-02-14 | 2023-02-14 | SPL Command Safeguards Bypass via the ‘map’ SPL Command in Splunk Enterprise | High | CVE-2023-22939 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N | 8.1 | CWE-20 | SPL-230588
Splunk Enterprise 8.1
Splunk Enterprise 8.2
Splunk Enterprise 9.0
Splunk Cloud Platform -
8.1.13
8.2.10
9.0.4
9.0.2209.3
8.1.12 and lower
8.2.0 to 8.2.9
9.0.0 to 9.0.3
9.0.2209 and lower
8.1.13
8.2.10
9.0.4
9.0.2209.3
Splunk Web
Splunk Web
Splunk Web
Splunk Web
Klevis Luli, Splunk
SVD-2023-0208 | 2023-02-14 | 2023-02-14 | Permissions Validation Failure in the ‘sendemail’ REST API Endpoint in Splunk Enterprise | Medium | CVE-2023-22938 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N | 4.3 | CWE-285 | SPL-229337
Splunk Enterprise 8.1
Splunk Enterprise 8.2
Splunk Enterprise 9.0
Splunk Cloud Platform -
8.1.13
8.2.10
9.0.4
9.0.2212
8.1.12 and lower
8.2.0 to 8.2.9
9.0.0 to 9.0.3
9.0.2209 and lower
8.1.13
8.2.10
9.0.4
9.0.2212
Splunk Web
Splunk Web
Splunk Web
Splunk Web
James Ervin, Splunk
SVD-2023-0207 | 2023-02-14 | 2023-02-14 | Unnecessary File Extensions Allowed by Lookup Table Uploads in Splunk Enterprise | Medium | CVE-2023-22937 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N | 4.3 | CWE-20 | SPL-229185
Splunk Enterprise 8.1
Splunk Enterprise 8.2
Splunk Enterprise 9.0
Splunk Cloud Platform -
8.1.13
8.2.10
9.0.4
9.0.2209.3
8.1.12 and lower
8.2.0 to 8.2.9
9.0.0 to 9.0.3
9.0.2209 and lower
8.1.13
8.2.10
9.0.4
9.0.2209.3
Splunk Web
Splunk Web
Splunk Web
Splunk Web
SVD-2023-0206 | 2023-02-14 | 2023-02-14 | Authenticated Blind Server Side Request Forgery via the ‘search_listener’ Search Parameter in Splunk Enterprise | Medium | CVE-2023-22936 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L | 6.3 | CWE-918 | SPL-228937
Splunk Enterprise 8.1
Splunk Enterprise 8.2
Splunk Enterprise 9.0
Splunk Cloud Platform -
8.1.13
8.2.10
9.0.4
9.0.2209.3
8.1.12 and lower
8.2.0 to 8.2.9
9.0.0 to 9.0.3
9.0.2209 and lower
8.1.13
8.2.10
9.0.4
9.0.2209.3
Splunk Web
Splunk Web
Splunk Web
Splunk Web
Danylo Dmytriiev (DDV_UA)
SVD-2023-0205 | 2023-02-14 | 2023-02-14 | SPL Command Safeguards Bypass via the ‘display.page.search.patterns.sensitivity’ Search Parameter in Splunk Enterprise | High | CVE-2023-22935 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N | 8.1 | CWE-20 | SPL-228738
Splunk Enterprise 8.1
Splunk Enterprise 8.2
Splunk Enterprise 9.0
Splunk Cloud Platform -
8.1.13
8.2.10
9.0.4
9.0.2209.3
8.1.12 and lower
8.2.0 to 8.2.9
9.0.0 to 9.0.3
9.0.2209 and lower
8.1.13
8.2.10
9.0.4
9.0.2209.3
Splunk Web
Splunk Web
Splunk Web
Splunk Web
Anton (therceman)
SVD-2023-0204 | 2023-02-14 | 2023-02-14 | SPL Command Safeguards Bypass via the ‘pivot’ SPL Command in Splunk Enterprise | High | CVE-2023-22934 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N | 7.3 | CWE-20 | SPL-228734
Splunk Enterprise 8.1
Splunk Enterprise 8.2
Splunk Enterprise 9.0
Splunk Cloud Platform -
8.1.13
8.2.10
9.0.4
9.0.2209.3
8.1.12 and lower
8.2.0 to 8.2.9
9.0.0 to 9.0.3
9.0.2209 and lower
8.1.13
8.2.10
9.0.4
9.0.2209.3
Splunk Web
Splunk Web
Splunk Web
Splunk Web
Anton (therceman)
SVD-2023-0203 | 2023-02-14 | 2023-02-14 | Persistent Cross-Site Scripting through the ‘module’ Tag in a View in Splunk Enterprise | High | CVE-2023-22933 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H | 8.0 | CWE-79 | SPL-228264
Splunk Enterprise 8.1
Splunk Enterprise 8.2
Splunk Enterprise 9.0
Splunk Cloud Platform -
8.1.13
8.2.10
9.0.4
9.0.2209
8.1.12 and lower
8.2.0 to 8.2.9
9.0. to 9.0.3
9.0.2208 and lower
8.1.13
8.2.10
9.0.4
9.0.2209
Splunk Web
Splunk Web
Splunk Web
Splunk Web
Danylo Dmytriiev (DDV_UA)
SVD-2023-0202 | 2023-02-14 | 2023-02-14 | Persistent Cross-Site Scripting through a Base64-encoded Image in a View in Splunk Enterprise | High | CVE-2023-22932 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N | 8.0 | CWE-79 | SPL-232819
Splunk Enterprise 8.1
Splunk Enterprise 8.2
Splunk Enterprise 9.0
Splunk Cloud Platform
-
-
9.0.4
9.0.2209.3
Not affected
Not affected
9.0.0 to 9.0.3
9.0.2209 and lower
-
-
9.0.4
9.0.2209.3
-
-
Splunk Web
Splunk Web
Tim Coen (foobar7)
SVD-2023-0201 | 2023-02-14 | 2023-02-14 | ‘createrss’ External Search Command Overwrites Existing RSS Feeds in Splunk Enterprise | Medium | CVE-2023-22931 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N | 4.3 | CWE-285 | SPL-216628
Splunk Enterprise 8.1
Splunk Enterprise 8.2
Splunk Enterprise 9.0
Splunk Cloud Platform -
8.1.13
8.2.10
-
8.2.2203
8.1.12 and lower
8.2.0 to 8.2.9
Not affected
8.2.2202 and lower
8.1.13
8.2.10
-
8.2.2203
Search
Search
-
Search
James Ervin, Splunk
SVD-2022-1112 | 2022-11-02 | 2022-11-02 | Indexing blockage via malformed data sent through S2S or HEC protocols in Splunk Enterprise | High | CVE-2022-43572 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H | 7.5, High | CWE-400 | SPL-224974
Splunk Enterprise 8.1
Splunk Enterprise 8.2
Splunk Enterprise 9.0
Splunk Cloud Platform
8.1.12
8.2.9
9.0.2
9.0.2209.3
8.1.11 and lower
8.2.0 to 8.2.8
9.0.0 to 9.0.1
9.0.2209 and lower
8.1.12
8.2.9
9.0.2
9.0.2209.3
Indexing
Indexing
Indexing
Indexing
SVD-2022-1111 | 2022-11-02 | 2022-11-02 | Remote Code Execution through dashboard PDF generation component in Splunk Enterprise | High | CVE-2022-43571 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8, High | CWE-94 | SPL-228720
Splunk Enterprise 8.1
Splunk Enterprise 8.2
Splunk Enterprise 9.0
Splunk Cloud Platform
8.1.12
8.2.9
9.0.2
9.0.2209
8.1.11 and lower
8.2.0 to 8.2.8
9.0.0 to 9.0.1
9.0.2208 and lower
8.1.12
8.2.9
9.0.2
9.0.2209




Danylo Dmytriiev (DDV_UA)
SVD-2022-1110 | 2022-11-02 | 2022-11-02 | XML External Entity Injection through a custom View in Splunk Enterprise | High | CVE-2022-43570 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8, High | CWE-611 | SPL-228310
Splunk Enterprise 8.1
Splunk Enterprise 8.2
Splunk Enterprise 9.0
Splunk Cloud Platform
8.1.12
8.2.9
9.0.2
9.0.2209
8.1.11 and lower
8.2.0 to 8.2.8
9.0.0 to 9.0.1
9.0.2208 and lower
8.1.12
8.2.9
9.0.2
9.0.2209
Splunk Web
Splunk Web
Splunk Web
Splunk Web
Danylo Dmytriiev (DDV_UA)
SVD-2022-1109 | 2022-11-02 | 2022-11-02 | Persistent Cross-Site Scripting via a Data Model object name in Splunk Enterprise | High | CVE-2022-43569 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H | 8.0, High | CWE-79 | SPL-228087
Splunk Enterprise 8.1
Splunk Enterprise 8.2
Splunk Enterprise 9.0
Splunk Cloud Platform
8.1.12
8.2.9
9.0.2
9.0.2209
8.1.11 and lower
8.2.0 to 8.2.8
9.0.0 to 9.0.1
9.0.2208 and lower
8.1.12
8.2.9
9.0.2
9.0.2209
Splunk Web
Splunk Web
Splunk Web
Splunk Web
Danylo Dmytriiev (DDV_UA)
SVD-2022-1108 | 2022-11-02 | 2022-11-02 | Reflected Cross-Site Scripting via the radio template in Splunk Enterprise | High | CVE-2022-43568 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 8.8, High | CWE-79 | SPL-228379
Splunk Enterprise 8.1
Splunk Enterprise 8.2
Splunk Enterprise 9.0
Splunk Cloud Platform
8.1.12
8.2.9
9.0.2
9.0.2205
8.1.11 and lower
8.2.0 to 8.2.8
9.0.0 to 9.0.1
9.0.2203.4 and lower
8.1.12
8.2.9
9.0.2
9.0.2205
Splunk Web
Splunk Web
Splunk Web
Splunk Web
Danylo Dmytriiev (DDV_UA)
SVD-2022-1107 | 2022-11-02 | 2022-11-02 | Remote Code Execution via the Splunk Secure Gateway application Mobile Alerts feature | High | CVE-2022-43567 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8, High | CWE-502 | SPL-226837
Splunk Enterprise 8.1
Splunk Enterprise 8.2
Splunk Enterprise 9.0
Splunk Cloud Platform Splunk Secure Gateway
8.1.12
8.2.9
9.0.2
9.0.2205
8.1.11 and lower
8.2.0 to 8.2.8
9.0.0 to 9.0.1
9.0.2203.4 and lower
8.1.12
8.2.9
9.0.2
9.0.2205
Splunk Secure Gateway
Splunk Secure Gateway
Splunk Secure Gateway
Splunk Web
Danylo Dmytriiev (DDV_UA)
SVD-2022-1106 | 2022-11-02 | 2022-11-02 | Risky command safeguards bypass via Search ID query in Analytics Workspace in Splunk Enterprise | High | CVE-2022-43566 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N | 7.3, High | CWE-20 | SPL-223730
Splunk Enterprise 8.1
Splunk Enterprise 8.2
Splunk Enterprise 9.0
Splunk Cloud Platform
8.1.12
8.2.9
9.0.2
9.0.2208
8.1.11 and lower
8.2.0 to 8.2.8
9.0.0 to 9.0.1
9.0.2205 and lower
8.1.12
8.2.9
9.0.2
9.0.2208
Splunk Web
Splunk Web
Splunk Web
Splunk Web
Anton (therceman)
SVD-2022-1105 | 2022-11-02 | 2022-11-02 | Risky command safeguards bypass via ‘tstats’ command JSON in Splunk Enterprise | High | CVE-2022-43565 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N | 8.1, High | CWE-20 | SPL-224121
Splunk Enterprise 8.1
Splunk Enterprise 8.2
Splunk Enterprise 9.0
Splunk Cloud Platform
8.1.12
8.2.9

9.0.2203
8.1.11 and lower
8.2.0 to 8.2.8
Not affected
9.0.2202 and lower
8.1.12
8.2.9

9.0.2203
Search
Search

Search
Cuong Dong at Splunk
SVD-2022-1104 | 2022-11-02 | 2022-11-02 | Denial of Service in Splunk Enterprise through search macros | Medium | CVE-2022-43564 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H | 4.9, Medium | CWE-400 | SPL-220964
Splunk Enterprise 8.1
Splunk Enterprise 8.2
Splunk Enterprise 9.0
Splunk Cloud Platform
8.1.12
8.2.9

9.0.2205
8.1.11 and lower
8.2.0 to 8.2.8
Not affected
9.0.2203.4 and lower
8.1.12
8.2.9

9.0.2205
REST API
REST API

REST API
SVD-2022-1103 | 2022-11-02 | 2022-11-11 | Risky command safeguards bypass via 'rex' search command field names in Splunk Enterprise | High | CVE-2022-43563 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N | 8.1, High | CWE-20 | SPL-223646 | Splunk Enterprise 8.1
Splunk Enterprise 8.2
Splunk Enterprise 9.0
Splunk Cloud Platform
8.1.12
8.2.9

9.0.2203
8.1.11 and lower
8.2.0 to 8.2.8
Not affected
9.0.2202 and lower
8.1.12
8.2.9

9.0.2203
Search
Search

Search
Cuong Dong at Splunk
SVD-2022-1102 | 2022-11-02 | 2022-11-02 | Host Header Injection in Splunk Enterprise | Low | CVE-2022-43562 | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N | 3.0, Low | CWE-20 | SPL-224156 | Splunk Enterprise 8.1
Splunk Enterprise 8.2
Splunk Enterprise 9.0
Splunk Cloud Platform
8.1.12
8.2.9
9.0.2
9.0.2208
8.1.11 and lower
8.2.0 to 8.2.8
9.0.0 to 9.0.1
9.0.2205 and lower
8.1.12
8.2.9
9.0.2
9.0.2208
Splunk Web
Splunk Web
Splunk Web
Splunk Web
Ali Mirheidari at Splunk
SVD-2022-1101 | 2022-11-02 | 2022-11-02 | Persistent Cross-Site Scripting in “Save Table” Dialog in Splunk Enterprise | Medium | CVE-2022-43561 | CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H | 6.4, Medium | CWE-79 | SPL-207040 | Splunk Enterprise 8.1
Splunk Enterprise 8.2
Splunk Enterprise 9.0
Splunk Cloud Platform
8.1.12
8.2.9
9.0.2
9.0.2208
8.1.11 and lower
8.2.0 to 8.2.7=8
9.0.0 to 9.0.1
9.0.2205 and lower
8.1.12
8.2.9
9.0.2
9.0.2208
Splunk Web
Splunk Web
Splunk Web
Splunk Web
Mr Hack (try_to_hack)
SVD-2022-0803 | 2022-08-16 | 2022-08-16 | Malformed ZIP file crashes Universal Forwarders and Splunk Enterprise through file monitoring input | Medium | CVE-2022-37439 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H | 5.5 | CWE-409 | TBD | Universal Forwarder 8.1
Universal Forwarder 8.2
Universal Forwarder 9.0
Splunk Enterprise 8.1
Splunk Enterprise 8.2
Splunk Enterprise 9.0
8.1.11
8.2.7.1
-
8.1.11
8.2.7.1
-
8.1.10 and lower
8.2.0 to 8.2.7
Not affected
8.1.10 and lower
8.2.0 to 8.2.7
Not affected
8.1.11
8.2.7.1
-
8.1.11
8.2.7.1
-
Monitor Processor
Monitor Processor
-
Monitor Processor
Monitor Processor
-
Tim Ip at Adobe and Collegiate Penetration Testing Competition (CPTC)
SVD-2022-0802 | 2022-08-16 | 2022-08-16 | Information disclosure via the dashboard drilldown in Splunk Enterprise | Low | CVE-2022-37438 | CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N | 2.6 | CWE-200 | SPL-221531 | Splunk Enterprise 8.1
Splunk Enterprise 8.2
Splunk Enterprise 9.0
Splunk Cloud Platform
8.1.11
8.2.7.1
9.0.1
9.0.2205
8.1.10 and lower
8.2.0 to 8.2.7
9.0.0
8.2.2203.4 and lower
8.1.11
8.2.7.1
9.0.1
9.0.2205
Splunk Web
Splunk Web
Splunk Web
Splunk Web
Eric LaMothe at Splunk
SVD-2022-0801 | 2022-08-16 | 2022-08-16 | Ingest Actions UI in Splunk Enterprise 9.0.0 disabled TLS certificate validation | High | CVE-2022-37437 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N | 7.4 | CWE-295 | SPL-224209 | Splunk Enterprise 8.1
Splunk Enterprise 8.2
Splunk Enterprise 9.0
-
-
9.0.1
Not affected
Not affected
9.0.0
-
-
9.0.1
-
-
Ingest Actions
Eric LaMothe at Splunk
Ali Mirheidari at Splunk
SVD-2022-0608 | 2022-08-16 | 2022-07-18 | Splunk Enterprise deployment servers allow client publishing of forwarder bundles | Critical | CVE-2022-32158 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H | 9.0 | CWE-284 | SPL-176829 | Splunk Enterprise 8.1
Splunk Enterprise 8.2
Splunk Enterprise 9.0
8.1.10.1
8.2.6.1
-
Versions before 8.1.10.1
8.2.0 to 8.2.6
Not affected
8.1.10.1
8.2.6.1
-
Deployment Server
Deployment Server
-
Nadim Taha at Splunk
SVD-2022-0607 | 2022-08-16 | 2022-07-18 | Splunk Enterprise deployment servers allow unauthenticated forwarder bundle downloads | High | CVE-2022-32157 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 7.5 | CWE-306 | SPL-176828 | Splunk Enterprise 9.0
9.0.0
Versions before 9.0
9.0.0
Deployment Server
Nadim Taha at Splunk
Paul Schultze at E.ON Digital Technology GmbH
Martin Müller at Consist
SVD-2022-0606 | 2022-06-14 | 2022-07-18 | Splunk Enterprise and Universal Forwarder CLI connections lacked TLS certificate validation | High | CVE-2022-32156 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N | 7.4 | CWE-295 | SPL-49451 | Splunk Enterprise 9.0
Universal Forwarder 9.0
9.0.0
9.0.0
Versions before 9.0
Versions before 9.0
9.0.0
9.0.0
-
-
Chris Green at Splunk
SVD-2022-0605 | 2022-06-14 | 2022-06-14 | Universal Forwarder management services allow remote login by default | Info | CVE-2022-32155 | - | - | - | SPL-140396 | Universal Forwarder 9.0
9.0.0
Versions before 9.0
9.0.0
-
Chris Green at Splunk
SVD-2022-0604 | 2022-06-14 | 2022-07-18 | Risky commands warnings in Splunk Enterprise dashboards | Medium | CVE-2022-32154 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N | 6.8 | CWE-20 | SPL-201816 | Splunk Enterprise 9.0
Splunk Cloud Platform -
9.0.0
8.1.2106
Versions before 9.0
Versions before 8.1.2106
9.0.0
8.1.2106
-
-
Chris Green at Splunk
Danylo Dmytriiev (DDV_UA)
Anton (therceman)
SVD-2022-0603 | 2022-06-14 | 2022-07-18 | Splunk Enterprise lacked TLS host name certificate validation | High | CVE-2022-32153 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | 8.1 | CWE-297 | SPL-202894 | Splunk Enterprise 9.0
Splunk Cloud Platform -
9.0.0
8.2.2203
Versions before 9.0
Versions before 8.2.2203
9.0.0
8.2.2203
-
-
Chris Green at Splunk
SVD-2022-0602 | 2022-06-14 | 2022-07-18 | Splunk Enterprise lacked TLS certificate validation for Splunk-to-Splunk communication by default | High | CVE-2022-32152 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | 8.1 | CWE-295 | SPL-114067, SPL-138957 | Splunk Enterprise 9.0
Splunk Cloud Platform -
9.0.0
8.2.2203
Versions before 9.0
Versions before 8.2.2203
9.0.0
8.2.2203
-
-
Chris Green at Splunk
SVD-2022-0601 | 2022-06-14 | 2022-07-18 | Splunk Enterprise disabled TLS validation using the CA certificate stores in Python 3 libraries by default | High | CVE-2022-32151 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N | 7.4 | CWE-295 | SPL-173641, SPL-129677 | Splunk Enterprise 9.0
Splunk Cloud Platform -
9.0.0
8.2.2203
Versions before 9.0
Versions before 8.2.2203
9.0.0
8.2.2203
-
-
Chris Green at Splunk
SVD-2022-0507 | 2022-05-03 | 2022-05-03 | Error message discloses internal path | Medium | CVE-2022-26070 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N | 4.3 | CWE-200 | SPL-180503 | Splunk Enterprise 8.1
8.1.0
Versions below 8.1
8.1.0
Splunk Web
Dipak Prajapati (Lethal)
SVD-2022-0506 | 2022-05-03 | 2022-05-03 | Path Traversal in search parameter results in external content injection | High | CVE-2022-26889 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 8.8 | CWE-20 | SPL-197247 | Splunk Enterprise 8.1
Splunk Enterprise 8.2
8.1.2
-
8.1.1 and earlier
Not affected
8.1.2
-
Splunk Web
-
Jason Tsang Mui Chung
SVD-2022-0505 | 2022-05-03 | 2022-05-03 | Reflected XSS in a query parameter of the Monitoring Console | High | CVE-2022-27183 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 8.8 | CWE-79 | SPL-201205 | Splunk Enterprise 8.1
Splunk Enterprise 8.2
8.1.4
-
8.1.3 and earlier
Not affected
8.1.4
-
Splunk Monitoring Console
-
Danylo Dmytriiev (DDV_UA)
SVD-2022-0504 | 2022-05-03 | 2022-05-03 | Bypass of Splunk Enterprise's implementation of DUO MFA | High | CVE-2021-26253 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | 8.1 | CWE-287 | SPL-172887 | Splunk Enterprise 8.1
Splunk Enterprise 8.2
8.1.6
-
8.1.5 and earlier
Not affected
8.1.6
-
-
-
Sanket Bhimani
SVD-2022-0503 | 2022-05-03 | 2022-05-03 | S2S TcpToken authentication bypass | High | CVE-2021-31559 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N | 7.5 | CWE-288 | SPL-203370 | Splunk Enterprise 8.1
Splunk Enterprise 8.2
8.1.5
8.2.1
8.1.4 and earlier
8.2.0
8.1.5
8.2.1
-
-
Chris Samley at GE
SVD-2022-0502 | 2022-05-03 | 2022-05-03 | Username enumeration through lockout message in REST API | Medium | CVE-2021-33845 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | 5.3 | CWE-203 | SPL-194168 | Splunk Enterprise 8.1
Splunk Enterprise 8.2
8.1.7
-
8.1.6 and earlier
Not affected
8.1.7
-
-
-
Kyle Bambrick at Splunk
SVD-2022-0501 | 2022-05-03 | 2022-05-03 | Local privilege escalation via a default path in Splunk Enterprise Windows | High | CVE-2021-42743 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H | 8.8 | CWE-427 | SPL-195186 | Splunk Enterprise 8.1
Splunk Enterprise 8.2
8.1.1
-
8.1.0 and earlier
Not affected
8.1.1
-
-
-
SVD-2022-0301 | 2022-03-24 | 2022-05-03 | Indexer denial-of-service via malformed S2S request | High | CVE-2021-3422 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 7.5 | CWE-125 | SPL-198396 | Splunk Enterprise 7.3
Splunk Enterprise 8.0
Splunk Enterprise 8.1
Splunk Enterprise 8.2
7.3.9
8.0.9
8.1.3
-
7.3.8 and earlier
8.0.0 to 8.0.8
8.1.0 to 8.1.2
Not affected
7.3.9
8.0.9
8.1.3
-
-
-
-
-
Sharon Brizinov and Tal Keren of Claroty

 

Third-Party Bulletins

Third-Party Bulletins announce security patches for third-party software. Splunk publishes Third-Party Bulletins at the same time as Security Advisories.



SVD | Date | Last Modified | Title | Severity | CVE | CVSS Vector | CVSS Score | CWE | Bug | Affected Products | Fixed Versions | Affected Versions | All Affected Versions | Affected Components | Description | Solution | Mitigations | Severity Summary | OSS | Credit
SVD-2024-0112 | 2024-01-30 | 2024-01-30 | Third-Party Package Updates in Splunk Add-on Builder - January 2024 | High | | - | - | - | - | Splunk Add-on Builder -
4.1.4
Below 4.1.4
4.1.4
-
Splunk remedied common vulnerabilities and exposures (CVEs) in Third-Party Packages in Splunk Add-on Builder version 4.1.4, including the following:
For Splunk Add-on Builder, upgrade to version 4.1.4.

Splunk Add-on Builder replicates the requests Python HTTP library to custom apps and add-ons. After you upgrade Splunk Add-on Builder, review the following additional information if you use Add-on Builder to edit custom apps or add-ons:
    1. Use Add-on Builder to edit and save the affected app. See the [Add-on Builder documentation](https://docs.splunk.com/Documentation/AddonBuilder/latest/UserGuide/Overview) for more information.
    2. Restart Splunk Enterprise

If the custom app or add-on is also installed on instances without Add-on Builder, you must package the upgraded custom app or add-on, then install it on the instances. See [Validate and Package](https://docs.splunk.com/Documentation/AddonBuilder/latest/UserGuide/Validate) and [Package apps](https://dev.splunk.com/enterprise/docs/releaseapps/packageapps/) for more information.

For affected apps and add-ons that are already on SplunkBase, as a third-party developer, you must publish an updated version of the app or add-on to SplunkBase. For more information, see [Publish apps for Splunk Cloud Platform or Splunk Enterprise to Splunkbase](https://dev.splunk.com/enterprise/docs/releaseapps/splunkbase/). Cloud-vetted apps are subject to the [Cloud Vetting Change Policy](https://dev.splunk.com/enterprise/docs/releaseapps/cloudvetting/#Cloud-Vetting-Change-Policy).

Note: The Splunk Add-on Builder does not replicate the semver (Semantic Version parser) library to custom apps and add-ons.
N/A
For the CVEs in this list, Splunk adopted the national vulnerability database (NVD) common vulnerability scoring system (CVSS) rating to align with industry standards.
CVE-2023-32681 - requests - Upgraded to 2.31.0 - Medium
CVE-2022-25883 - semver - Upgraded to 5.7.2 - High
SVD-2024-0109 | 2024-01-22 | 2024-01-26 | Third-Party Package Updates in Splunk Enterprise - January 2024 | High | | - | - | - | N/A | Splunk Enterprise 9.0
Splunk Enterprise 9.1
9.0.8
9.1.3
9.0.0 to 9.0.7
9.1.0 to 9.1.2
9.0.8
9.1.3
-
-
Splunk remedied common vulnerabilities and exposures (CVEs) in Third-Party Packages in Splunk Enterprise versions 9.0.8 and 9.1.3, including the following:
Upgrade Splunk Enterprise to version 9.0.8, 9.1.3, or higher.
N/A
For the CVEs in this list, Splunk adopted the national vulnerability database (NVD) common vulnerability scoring system (CVSS) rating to align with industry standards.
Multiple* - golang, in Splunk Assist - Upgraded golang from 1.20.7 to 1.20.10 - See vendor
Multiple* - golang, in mongodump and mongorestore - Upgraded golang from 1.19** to 1.20.10 - See vendor
CVE-2022-40899 - future, Python 3, in Upgrade Readiness App - Upgraded to 0.18.3 - High
CVE-2022-40899 - future, Python 2, in Upgrade Readiness App - Upgraded to 0.18.3 - High
CVE-2023-37920 - certifi - Patched*** - Low
SVD-2024-0104 | 2024-01-09 | 2024-01-09 | Splunk User Behavior Analytics (UBA) Third-Party Package Updates | High | | - | - | - | UBA-16652 | Splunk User Behavior Analytics (UBA) -
Splunk User Behavior Analytics (UBA) -
5.3.0
5.2.1
Below 5.3.0
Below 5.2.1
5.3.0
5.2.1
-
-
Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk User Behavior Analytics (UBA) versions 5.3.0 and 5.2.1, including the following:
Upgrade Splunk User Behavior Analytics (UBA) to version 5.3.0, 5.2.1, or higher.
N/A
For the CVEs in this list, Splunk adopted the national vulnerability database (NVD) common vulnerability scoring system (CVSS) rating to align with industry standards.
CVE-2023-32695 - socket.io-parser - Upgraded to 4.6.2 - High
CVE-2015-5237 - protobuf - Upgraded to 3.21.12 - High
CVE-2022-3171 - protobuf - Upgraded to 3.21.12 - High
CVE-2022-3509 - protobuf - Upgraded to 3.21.12 - High
CVE-2022-3510 - protobuf - Upgraded to 3.21.12 - High
CVE-2023-2976 - Guava - Upgraded to 32.0.1 - High
SVD-2024-0103 | 2024-01-09 | 2024-01-11 | Splunk Enterprise Security (ES) Third-Party Package Updates - January 2024 | Critical | | - | - | - | - | Splunk Enterprise Security (ES) 7.3
Splunk Enterprise Security (ES) 7.2
Splunk Enterprise Security (ES) 7.1
7.3.0
7.2.0
7.1.2
-
-
Below 7.1.2
7.3.0
7.2.0
7.1.2
-
-
-
Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk Enterprise Security (ES) versions 7.1.2, 7.2.0 and higher, including the following:
Upgrade Splunk Enterprise Security (ES) to version 7.1.2, 7.2.0, 7.3.0 or higher.
N/A
For the CVEs in this list, Splunk adopted the national vulnerability database (NVD) common vulnerability scoring system (CVSS) rating to align with industry standards.
CVE-2023-45133 - babel/traverse - Upgraded to 7.23.2 - High
CVE-2021-23446 - handsontable - Upgraded to 13.1.0 - High
CVE-2022-25883 - semver - Upgraded to 6.3.1 - High
CVE-2022-37599 - loader-utils - Upgraded to 1.4.2 - High
CVE-2022-37603 - loader-utils - Upgraded to 1.4.2 - High
CVE-2022-37601 - loader-utils - Upgraded to 1.4.2 - Critical
CVE-2022-46175 - json5 - Upgraded to 1.0.2 - High
SVD-2023-1107 | 2023-11-16 | 2023-12-18 | November 2023 Splunk Universal Forwarder Third-Party Updates | Low | | - | - | - | - | Splunk Universal Forwarder 9.0
Splunk Universal Forwarder 9.1
9.0.7
9.1.2
9.0.0 to 9.0.6
9.1.0 to 9.1.1
9.0.7
9.1.2
-
-
Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk Universal Forwarder, including the following:
For Splunk Universal Forwarder, upgrade versions to 9.0.7 or 9.1.2.
N/A
For the CVEs in this list, Splunk adopted the vendor's severity.
CVE-2023-3817 - openssl - Upgraded to 1.0.2zi - Low
CVE-2023-3446 - openssl - Upgraded to 1.0.2zi - Low
SVD-2023-1106 | 2023-11-16 | 2024-01-11 | November 2023 Third-Party Package Updates in Splunk Cloud Platform | Critical | | - | - | - | - | Splunk Cloud -
9.1.2308.100
Below 9.1.2308
9.1.2308.100
Splunk Web
Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in version 9.1.2308.100 of Splunk Cloud Platform.
Splunk is actively upgrading and monitoring instances of Splunk Cloud Platform.
N/A
For the CVEs in this list, Splunk adopted the national vulnerability database (NVD) common vulnerability scoring system (CVSS) rating to align with industry standards.
CVE-2022-31799 - bottle - Upgraded to 0.12.25 - Critical
CVE-2023-24329 - python - Upgraded to 3.7.17 - High
CVE-2023-3817 - openssl - Upgraded to 1.0.2zi - Low
CVE-2023-3446 - openssl - Upgraded to 1.0.2zi - Low
SVD-2023-1105 | 2023-11-16 | 2023-11-16 | November 2023 Third Party Package updates in Splunk Enterprise | High | | - | - | - | - | Splunk Enterprise 9.0
Splunk Enterprise 9.1
9.0.7
9.1.2
9.0.0 to 9.0.6
9.1.0 to 9.1.1
9.0.7
9.1.2
Splunk Web
Splunk Web
Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk Enterprise, including the following:
For Splunk Enterprise, upgrade versions to 9.0.7 or 9.1.2.
N/A
Splunk Enterprise does not use bottle and is not impacted by CVE-2022-31799. Otherwise, for the CVEs in this list, Splunk adopted the national vulnerability database (NVD) common vulnerability scoring system (CVSS) rating to align with industry standards.
CVE-2021-22570 - protobuf - Upgraded to 3.15.8 - Medium
CVE-2022-31799 - bottle - Upgraded to 0.12.25 - Informational
CVE-2023-24329 - python - Upgraded to 3.7.17 - High
CVE-2023-3817 - openssl - Upgraded to 1.0.2zi - Low
CVE-2023-3446 - openssl - Upgraded to 1.0.2zi - Low
SVD-2023-1102 | 2023-11-16 | 2023-11-16 | Third Party Package Update in Splunk Add-on for Google Cloud Platform | Critical | | - | - | - | - | Splunk Add-on for Google Cloud Platform -
4.3.0
Below 4.3.0
4.3.0
-
Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in version 4.3.0 of Splunk Add-on for Google Cloud Platform.
For Splunk Add-on for Google Cloud Platform, upgrade versions to 4.3.0 or higher.
N/A
For the CVEs in this list, Splunk adopted the national vulnerability database (NVD) common vulnerability scoring system (CVSS) rating to align with industry standards.
CVE-2023-37920 - certifi - Upgraded to 2023.7.22 - Critical
CVE-2023-45803 - urllib3 - Upgraded to 1.26.18 - Medium
CVE-2023-43804 - urllib3 - Upgraded to 1.26.18 - High
CVE-2023-44270 - postcss - Upgraded to 8.4.31 - Medium
CVE-2022-25883 - semver - Upgraded to 6.3.1 and 7.5.4 - High
SVD-2023-1101 | 2023-11-16 | 2023-11-16 | Third Party Package Update in Splunk Add-on for Amazon Web Services | Critical | | - | - | - | - | Splunk Add-on for Amazon Web Services -
7.2.0
Below 7.2.0
7.2.0
-
Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in version 7.2.0 of Splunk Add-on for Amazon Web Services, including the following:
Upgrade the Splunk Add-on for Amazon Web Services to version 7.2.0 or higher.
N/A
For the CVEs in this list, Splunk adopted the national vulnerability database (NVD) common vulnerability scoring system (CVSS) rating to align with industry standards.
CVE-2023-37920 - certifi - Upgraded to 2023.7.22 - Critical
SVD-2023-1001 | 2023-10-06 | 2023-10-06 | Splunk Statement on CVE-2023-4863 libwebp Vulnerability | Informational | | - | - | - | -
In early September 2023, Google disclosed a High-rated vulnerability, CVE-2023-4863, that affects Google Chrome and the libwebp library, which is part of the WebP image codec. Splunk has determined that CVE-2023-4863 does not affect Splunk products. If you have a product in your environment that CVE-2023-4863 does affect, upgrade the product per the recommendations from the product vendor.
None. CVE-2023-4863 does _not_ affect Splunk products.
None
Informational
CVE-2023-4863 - libwebp - Not affected - Informational
SVD-2023-0811 | 2023-08-30 | 2023-08-30 | Third Party Package Updates in IT Service Intelligence (ITSI) | High | | - | - | - | - | Splunk ITSI 4.15
Splunk ITSI 4.13
4.15.3
4.13.3
4.15.0 to 4.15.2
4.13.0 to 4.13.2
4.15.3
4.13.3
-
-
Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk IT Service Intelligence (ITSI), including the following:
For Splunk IT Service Intelligence (ITSI), upgrade versions to 4.13.3 or 4.15.3
N/A
For the CVEs in this list, Splunk adopted the national vulnerability database (NVD) common vulnerability scoring system (CVSS) rating to align with industry standards.
CVE-2023-2976 - guava - Upgraded to 32.0.0 - High
SVD-2023-0809 | 2023-08-30 | 2023-08-30 | August Third Party Package Updates in Splunk Universal Forwarder | High | | - | - | - | - | Universal Forwarder 8.2
Universal Forwarder 9.0
Universal Forwarder 9.1
8.2.12
9.0.6
9.1.1
8.2.0 to 8.2.11
9.0.0 to 9.0.5
9.1.0
8.2.12
9.0.6
9.1.1
-
-
-
Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk Universal Forwarder, including the following:
For Splunk Universal Forwarder, upgrade versions to 8.2.12, 9.0.6, or 9.1.1
N/A
For the CVEs in this list, Splunk adopted the national vulnerability database (NVD) common vulnerability scoring system (CVSS) rating to align with industry standards.
CVE-2021-30560 - libxslt - Patched - High
CVE-2021-30560 - libxslt - Patched - High
CVE-2023-27538 - curl - Upgraded to 8.0.1 - Medium
CVE-2023-27537 - curl - Upgraded to 8.0.1 - Medium
CVE-2023-27536 - curl - Upgraded to 8.0.1 - Medium
CVE-2023-27535 - curl - Upgraded to 8.0.1 - Medium
CVE-2023-27534 - curl - Upgraded to 8.0.1 - High
CVE-2023-27533 - curl - Upgraded to 8.0.1 - High
CVE-2023-23916 - curl - Upgraded to 8.0.1 - Medium
CVE-2023-23915 - curl - Upgraded to 8.0.1 - Medium
CVE-2023-23914 - curl - Upgraded to 8.0.1 - Critical
CVE-2022-43552 - curl - Upgraded to 8.0.1 - Medium
CVE-2022-43551 - curl - Upgraded to 8.0.1 - High
CVE-2022-42916 - curl - Upgraded to 8.0.1 - High
CVE-2022-42915 - curl - Upgraded to 8.0.1 - High
CVE-2022-35260 - curl - Upgraded to 8.0.1 - Medium
CVE-2022-32221 - curl - Upgraded to 8.0.1 - Critical
CVE-2022-35252 - curl - Upgraded to 8.0.1 - Low
CVE-2022-32208 - curl - Upgraded to 8.0.1 - Medium
CVE-2022-32207 - curl - Upgraded to 8.0.1 - Critical
CVE-2022-32206 - curl - Upgraded to 8.0.1 - Medium
CVE-2022-32205 - curl - Upgraded to 8.0.1 - Medium
CVE-2022-30115 - curl - Upgraded to 8.0.1 - Medium
CVE-2022-27782 - curl - Upgraded to 8.0.1 - High
CVE-2022-27781 - curl - Upgraded to 8.0.1 - High
CVE-2022-27780 - curl - Upgraded to 8.0.1 - High
CVE-2022-27779 - curl - Upgraded to 8.0.1 - Medium
CVE-2022-27778 - curl - Upgraded to 8.0.1 - High
CVE-2022-27776 - curl - Upgraded to 8.0.1 - Medium
CVE-2022-27775 - curl - Upgraded to 8.0.1 - High
CVE-2022-27774 - curl - Upgraded to 8.0.1 - Medium
CVE-2022-22576 - curl - Upgraded to 8.0.1 - High
CVE-2021-22947 - curl - Upgraded to 8.0.1 - Medium
CVE-2021-22946 - curl - Upgraded to 8.0.1 - High
CVE-2021-22945 - curl - Upgraded to 8.0.1 - Critical
CVE-2021-22926 - curl - Upgraded to 8.0.1 - High
CVE-2021-22925 - curl - Upgraded to 8.0.1 - Medium
CVE-2021-22924 - curl - Upgraded to 8.0.1 - Low
CVE-2021-22923 - curl - Upgraded to 8.0.1 - Medium
CVE-2021-22922 - curl - Upgraded to 8.0.1 - Medium
CVE-2021-22901 - curl - Upgraded to 8.0.1 - High
CVE-2021-22898 - curl - Upgraded to 8.0.1 - Low
CVE-2021-22897 - curl - Upgraded to 8.0.1 - Medium
CVE-2021-22890 - curl - Upgraded to 8.0.1 - Low
CVE-2021-22876 - curl - Upgraded to 8.0.1 - Medium
CVE-2020-8286 - curl - Upgraded to 8.0.1 - High
CVE-2020-8285 - curl - Upgraded to 8.0.1 - High
CVE-2020-8284 - curl - Upgraded to 8.0.1 - Low
CVE-2020-8231 - curl - Upgraded to 8.0.1 - High
CVE-2020-8177 - curl - Upgraded to 8.0.1 - High
CVE-2020-8169 - curl - Upgraded to 8.0.1 - High
CVE-2022-36227 - libarchive - Upgraded to 3.6.2 - Critical
CVE-2021-31566 - libarchive - Upgraded to 3.6.2 - High
CVE-2021-36976 - libarchive - Upgraded to 3.6.2 - Medium
CVE-2021-3520 - lz4 - Upgraded to 1.9.4 - Critical
CVE-2020-14155 - pcre2 - Upgraded to 10.40 - Medium
CVE-2019-20454 - pcre2 - Upgraded to 10.40 - High
CVE-2019-20838 - pcre2 - Upgraded to 10.40 - High
CVE-2020-14155 - pcre2 - Upgraded to 10.40 - Medium
CVE-2019-20454 - pcre2 - Upgraded to 10.40 - High
CVE-2019-20838 - pcre2 - Upgraded to 10.40 - High
CVE-2022-35737 - sqlite - Upgraded to 3.41.2 - High
SVD-2023-0808 | 2023-08-30 | 2024-02-14 | August 2023 Third Party Package Updates in Splunk Enterprise | High | | - | - | - | - | Splunk Enterprise 8.2
Splunk Enterprise 9.0
Splunk Enterprise 9.1
8.2.12
9.0.6
9.1.1
8.2.0 to 8.2.11
9.0.0 to 9.0.5
9.1.0
8.2.12
9.0.6
9.1.1
-
-
-
Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk Enterprise, including the following:
For Splunk Enterprise, upgrade versions to 8.2.12, 9.0.6, or 9.1.1
N/A
For the CVEs in this list, Splunk adopted the national vulnerability database (NVD) common vulnerability scoring system (CVSS) rating to align with industry standards.
CVE-2022-38900 - decode-uri-component - Upgraded to 6.0.0 - High
CVE-2022-33987 - got - Upgraded to 12.5.3 - Medium
CVE-2022-37601 - loader-utils - Upgraded to 1.4.2 - Critical
CVE-2021-23382 - postcss - Upgraded to 7.0.37 - High
CVE-2021-29060 - color-string - Upgraded to 1.5.5 - Medium
CVE-2022-38900 - decode-uri-component - Upgraded to 0.2.1 - High
CVE-2020-28469 - glob-parent - Upgraded to 5.1.2 - High
CVE-2022-37599 - loader-utils - Upgraded to 2.0.4 - High
CVE-2022-37601 - loader-utils - Upgraded to 2.0.4 - Critical
CVE-2022-37603 - loader-utils - Upgraded to 2.0.4 - High
CVE-2022-3517 - minimatch - Upgraded to 3.0.5 - High
CVE-2022-31129 - moment - Upgraded to 2.29.4 - High
CVE-2021-3803 - nth-check - Upgraded to 2.0.1 - High
CVE-2021-23343 - path-parse - Upgraded to 1.0.7 - High
CVE-2022-24999 - qs - Upgraded to 6.5.3 - High
CVE-2022-25881 - http-cache-semantics - Upgraded to 4.1.1 - High
CVE-2022-42003 - jackson-databind - Upgraded to 2.13.5 - High
CVE-2022-42004 - jackson-databind - Upgraded to 2.13.5 - High
CVE-2021-41182 - jquery-ui - Upgraded to 1.13.2 - Medium
CVE-2021-41183 - jquery-ui - Upgraded to 1.13.2 - Medium
CVE-2021-41184 - jquery-ui - Upgraded to 1.13.2 - Medium
CVE-2022-46175 - json5 - Upgraded to 1.0.2 - High
CVE-2022-36227 - libarchive - Upgraded to 3.6.2 - Critical
CVE-2021-31566 - libarchive - Upgraded to 3.6.2 - High
CVE-2021-36976 - libarchive - Upgraded to 3.6.2 - Medium
CVE-2021-3520 - lz4 - Upgraded to 1.9.4 - Critical
CVE-2020-14155 - pcre2 - Upgraded to 10.40 - Medium
CVE-2019-20454 - pcre2 - Upgraded to 10.40 - High
CVE-2019-20838 - pcre2 - Upgraded to 10.40 - High
CVE-2022-35737 - sqlite - Upgraded to 3.41.2 - High
CVE-2022-23491 - certifi - Patched* - High
CVE-2022-23491 - certifi - Upgraded to 2023.5.7** - High
Multiple - curl - Upgraded to 8.0.1*** - High
Multiple - go - Updated golang in mongotools**** - Critical
CVE-2021-30560 - libxslt - Patched***** - High
CVE-2022-2309 - lxml - Patched****** - High
SVD-2023-0701 | 2023-07-17 | 2023-07-17 | Splunk SOAR Cryptography Python Package Upgrade Incompatibility | Informational | | - | - | - | - | Splunk SOAR (On-premises) 6.1
Splunk SOAR (Cloud) 6.1
6.1.1
6.1.1
6.1.1 and above
6.1.1 and above
6.1.1
6.1.1
Custom Apps
Custom Apps
In Splunk Security Orchestration, Automation and Response (SOAR) version 6.1.1, Splunk upgraded the Python cryptography library within the app to version 41.0.1. This version of the cryptography library may cause Python module import problems during execution, if a specific version of the library is used for a custom app. The problem occurs when the cryptography library that you specify as a dependency for your custom app is a version that is lower than or equal to version 39.0.1.
To address the incompatibility, specify a version of the library package on your custom app dependency to a version that is higher than 39.0.1. For more information on how to create a custom app using the SOAR App Wizard, see [Create an app with the App Wizard](https://docs.splunk.com/Documentation/SOAR/current/DevelopApps/CreateAnAppWithTheAppEditor) in the Splunk SOAR documentation.
N/A
N/A
CVE-2023-23931 - Cryptography, Python - Upgraded to 41.0.1 - Medium
CVE-2023-0286 - Cryptography, Python - Upgraded to 41.0.1 - High
SVD-2023-0615 | 2023-06-01 | 2023-06-01 | June Third Party Package Updates in Splunk Cloud | High | | - | - | - | - | Splunk Cloud
9.0.2303.100
9.0.2303 and lower
9.0.2303.100
-
Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk Cloud, including the following:
For Splunk Cloud Platform, Splunk is actively patching and monitoring the Splunk Cloud instances.
N/A
For the CVEs listed above, Splunk adopted the national vulnerability database (NVD) CVSS rating to align with industry standards.
CVE-2022-40303 - libxml2 - Patched - High
CVE-2022-40304 - libxml2 - Patched - High
CVE-2022-23491 - certifi - Upgraded to 2022.12.7 - High
CVE-2022-43680 - python3 - Upgraded to 3.7.16 - High
CVE-2023-0286 - OpenSSL 1.0.2 - Upgraded to 1.0.2zg - High
CVE-2023-0215 - OpenSSL 1.0.2 - Upgraded to 1.0.2zg - High
CVE-2022-4304 - OpenSSL 1.0.2 - Upgraded to 1.0.2zg - Medium
CVE-2022-33987 - got - Upgraded to 12.5.3 - Medium
SVD-2023-0614 | 2023-06-01 | 2023-06-01 | June Third Party Package Updates in Splunk Universal Forwarders | Critical | | - | - | - | - | Universal Forwarders 8.1
Universal Forwarders 8.2
Universal Forwarders 9.0
8.1.14
8.2.11
9.0.5
8.1.13 and Lower
8.2.0 to 8.2.10
9.0.0 to 9.0.4
8.1.14
8.2.11
9.0.5
-
-
-
Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in versions 8.1.14, 8.2.11, and 9.0.5 of Splunk Universal Forwarder, including the following:
For Splunk Universal Forwarder, upgrade versions to 8.1.14, 8.2.11, 9.0.5, or higher.
N/A
For the CVEs listed above, Splunk adopted the national vulnerability database (NVD) CVSS rating to align with industry standards.
CVE-2022-40303 - libxml2 - Patched - High
CVE-2022-40304 - libxml2 - Patched - High
CVE-2023-0286 - OpenSSL 1.0.2 - Upgraded to 1.0.2zg - High
CVE-2023-0215 - OpenSSL 1.0.2 - Upgraded to 1.0.2zg - High
CVE-2022-4304 - OpenSSL 1.0.2 - Upgraded to 1.0.2zg - Medium
CVE-2023-27538 - curl - Upgraded to 8.0.1 - Medium
CVE-2023-27537 - curl - Upgraded to 8.0.1 - Medium
CVE-2023-27536 - curl - Upgraded to 8.0.1 - Critical
CVE-2023-27535 - curl - Upgraded to 8.0.1 - High
CVE-2023-27534 - curl - Upgraded to 8.0.1 - High
CVE-2023-27533 - curl - Upgraded to 8.0.1 - High
CVE-2023-23916 - curl - Upgraded to 8.0.1 - Medium
CVE-2023-23915 - curl - Upgraded to 8.0.1 - Medium
CVE-2023-23914 - curl - Upgraded to 8.0.1 - Critical
CVE-2022-43552 - curl - Upgraded to 8.0.1 - Medium
CVE-2022-43551 - curl - Upgraded to 8.0.1 - High
CVE-2022-42916 - curl - Upgraded to 8.0.1 - High
CVE-2022-42915 - curl - Upgraded to 8.0.1 - Critical
CVE-2022-35260 - curl - Upgraded to 8.0.1 - Medium
CVE-2022-32221 - curl - Upgraded to 8.0.1 - Critical
CVE-2022-35252 - curl - Upgraded to 8.0.1 - Low
CVE-2022-32208 - curl - Upgraded to 8.0.1 - Medium
CVE-2022-32207 - curl - Upgraded to 8.0.1 - Critical
CVE-2022-32206 - curl - Upgraded to 8.0.1 - Medium
CVE-2022-32205 - curl - Upgraded to 8.0.1 - Medium
CVE-2022-30115 - curl - Upgraded to 8.0.1 - Medium
CVE-2022-27782 - curl - Upgraded to 8.0.1 - High
CVE-2022-27781 - curl - Upgraded to 8.0.1 - High
CVE-2022-27780 - curl - Upgraded to 8.0.1 - High
CVE-2022-27779 - curl - Upgraded to 8.0.1 - Medium
CVE-2022-27778 - curl - Upgraded to 8.0.1 - High
CVE-2022-27776 - curl - Upgraded to 8.0.1 - Medium
CVE-2022-27775 - curl - Upgraded to 8.0.1 - High
CVE-2022-27774 - curl - Upgraded to 8.0.1 - Medium
CVE-2022-22576 - curl - Upgraded to 8.0.1 - High
CVE-2021-22947 - curl - Upgraded to 8.0.1 - Medium
CVE-2021-22946 - curl - Upgraded to 8.0.1 - High
CVE-2021-22945 - curl - Upgraded to 8.0.1 - Critical
CVE-2021-22926 - curl - Upgraded to 8.0.1 - High
CVE-2021-22925 - curl - Upgraded to 8.0.1 - Medium
CVE-2021-22924 - curl - Upgraded to 8.0.1 - Low
CVE-2021-22923 - curl - Upgraded to 8.0.1 - Medium
CVE-2021-22922 - curl - Upgraded to 8.0.1 - Medium
CVE-2021-22901 - curl - Upgraded to 8.0.1 - High
CVE-2021-22898 - curl - Upgraded to 8.0.1 - Low
CVE-2021-22897 - curl - Upgraded to 8.0.1 - Medium
CVE-2021-22890 - curl - Upgraded to 8.0.1 - Low
CVE-2021-22876 - curl - Upgraded to 8.0.1 - Medium
CVE-2020-8286 - curl - Upgraded to 8.0.1 - High
CVE-2020-8285 - curl - Upgraded to 8.0.1 - High
CVE-2020-8284 - curl - Upgraded to 8.0.1 - Low
CVE-2020-8231 - curl - Upgraded to 8.0.1 - High
CVE-2020-8177 - curl - Upgraded to 8.0.1 - High
CVE-2020-8169 - curl - Upgraded to 8.0.1 - High
CVE-2022-36227 - libarchive - Upgraded to 3.6.2 - Critical
CVE-2021-31566 - libarchive - Upgraded to 3.6.2 - High
CVE-2021-36976 - libarchive - Upgraded to 3.6.2 - Medium
CVE-2021-3520 - lz4 - Upgraded to 1.9.4 - Critical
CVE-2022-35737 - SQLite - Upgraded to 3.41.2 - High
CVE-2018-25032 - zlib - Applied patch - High
CVE-2022-37434 - zlib - Applied patch - Critical
SVD-2023-0613 | 2023-06-01 | 2024-01-09 | June Third Party Package Updates in Splunk Enterprise | High | | - | - | - | - | Splunk Enterprise 8.1
Splunk Enterprise 8.2
Splunk Enterprise 9.0
8.1.14
8.2.11
9.0.5
8.1.13 and Lower
8.2.0 to 8.2.10
9.0.0 to 9.0.4
8.1.14
8.2.11
9.0.5
-
-
-
Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in versions 8.1.14, 8.2.11, and 9.0.5 of Splunk Enterprise, including the following:
For Splunk Enterprise, upgrade versions to 8.1.14, 8.2.11, 9.0.5, or higher.
N/A
For the CVEs listed above, Splunk adopted the national vulnerability database (NVD) CVSS rating to align with industry standards.
CVE-2022-40303 - libxml2 - Patched - High
CVE-2022-40304 - libxml2 - Patched - High
CVE-2023-0286 - OpenSSL 1.0.2 - Upgraded to 1.0.2zg - High
CVE-2023-0215 - OpenSSL 1.0.2 - Upgraded to 1.0.2zg - High
CVE-2022-4304 - OpenSSL 1.0.2 - Upgraded to 1.0.2zg - Medium
CVE-2023-27538 - curl - Upgraded to 8.0.1 - Medium
CVE-2023-27537 - curl - Upgraded to 8.0.1 - Medium
CVE-2023-27536 - curl - Upgraded to 8.0.1 - Critical
CVE-2023-27535 - curl - Upgraded to 8.0.1 - High
CVE-2023-27534 - curl - Upgraded to 8.0.1 - High
CVE-2023-27533 - curl - Upgraded to 8.0.1 - High
CVE-2023-23916 - curl - Upgraded to 8.0.1 - Medium
CVE-2023-23915 - curl - Upgraded to 8.0.1 - Medium
CVE-2023-23914 - curl - Upgraded to 8.0.1 - Critical
CVE-2022-43552 - curl - Upgraded to 8.0.1 - Medium
CVE-2022-43551 - curl - Upgraded to 8.0.1 - High
CVE-2022-42916 - curl - Upgraded to 8.0.1 - High
CVE-2022-42915 - curl - Upgraded to 8.0.1 - Critical
CVE-2022-35260 - curl - Upgraded to 8.0.1 - Medium
CVE-2022-32221 - curl - Upgraded to 8.0.1 - Critical
CVE-2022-35252 - curl - Upgraded to 8.0.1 - Low
CVE-2022-32208 - curl - Upgraded to 8.0.1 - Medium
CVE-2022-32207 - curl - Upgraded to 8.0.1 - Critical
CVE-2022-32206 - curl - Upgraded to 8.0.1 - Medium
CVE-2022-32205 - curl - Upgraded to 8.0.1 - Medium
CVE-2022-30115 - curl - Upgraded to 8.0.1 - Medium
CVE-2022-27782 - curl - Upgraded to 8.0.1 - High
CVE-2022-27781 - curl - Upgraded to 8.0.1 - High
CVE-2022-27780 - curl - Upgraded to 8.0.1 - High
CVE-2022-27779 - curl - Upgraded to 8.0.1 - Medium
CVE-2022-27778 - curl - Upgraded to 8.0.1 - High
CVE-2022-27776 - curl - Upgraded to 8.0.1 - Medium
CVE-2022-27775 - curl - Upgraded to 8.0.1 - High
CVE-2022-27774 - curl - Upgraded to 8.0.1 - Medium
CVE-2022-22576 - curl - Upgraded to 8.0.1 - High
CVE-2021-22947 - curl - Upgraded to 8.0.1 - Medium
CVE-2021-22946 - curl - Upgraded to 8.0.1 - High
CVE-2021-22945 - curl - Upgraded to 8.0.1 - Critical
CVE-2021-22926 - curl - Upgraded to 8.0.1 - High
CVE-2021-22925 - curl - Upgraded to 8.0.1 - Medium
CVE-2021-22924 - curl - Upgraded to 8.0.1 - Low
CVE-2021-22923 - curl - Upgraded to 8.0.1 - Medium
CVE-2021-22922 - curl - Upgraded to 8.0.1 - Medium
CVE-2021-22901 - curl - Upgraded to 8.0.1 - High
CVE-2021-22898 - curl - Upgraded to 8.0.1 - Low
CVE-2021-22897 - curl - Upgraded to 8.0.1 - Medium
CVE-2021-22890 - curl - Upgraded to 8.0.1 - Low
CVE-2021-22876 - curl - Upgraded to 8.0.1 - Medium
CVE-2020-8286 - curl - Upgraded to 8.0.1 - High
CVE-2020-8285 - curl - Upgraded to 8.0.1 - High
CVE-2020-8284 - curl - Upgraded to 8.0.1 - Low
CVE-2020-8231 - curl - Upgraded to 8.0.1 - High
CVE-2020-8177 - curl - Upgraded to 8.0.1 - High
CVE-2020-8169 - curl - Upgraded to 8.0.1 - High
CVE-2022-36227 - libarchive - Upgraded to 3.6.2 - Critical
CVE-2021-31566 - libarchive - Upgraded to 3.6.2 - High
CVE-2021-36976 - libarchive - Upgraded to 3.6.2 - Medium
CVE-2021-3520 - lz4 - Upgraded to 1.9.4 - Critical
CVE-2022-35737 - SQLite - Upgraded to 3.41.2 - High
CVE-2018-25032 - zlib - Applied patch - High
CVE-2022-37434 - zlib - Applied patch - Critical
CVE-2020-15138 - prismjs - Upgraded to 1.2.9 - High
CVE-2022-37616 - xmldom - Upgraded to 0.7.9 - Critical
CVE-2021-29060 - color-string - Upgraded to 1.5.5 - Medium
CVE-2022-38900 - decode-uri-component - Upgraded to 0.2.1 - High
CVE-2020-28469 - glob-parent - Upgraded to 5.1.2 - High
CVE-2022-46175 - json5 - Upgraded to 1.0.2 - High
CVE-2022-46175 - json5 - Upgraded to 2.2.3 - High
CVE-2022-37599 - loader-utils - Upgraded to 2.0.4 - High
CVE-2022-37601 - loader-utils - Upgraded to 2.0.4 - Critical
CVE-2022-37603 - loader-utils - Upgraded to 2.0.4 - High
CVE-2022-3517 - minimatch - Upgraded to 3.0.5 - High
CVE-2022-31129 - moment - Upgraded to 2.29.4 - High
CVE-2021-23343 - path-parse - Upgraded to 1.0.7 - High
CVE-2021-23368 - postcss - Upgraded to 7.0.36 - Medium
CVE-2021-23382 - postcss - Upgraded to 7.0.36 - High
CVE-2022-43680 - python3 - Upgraded to 3.7.16 - High
CVE-2022-24999 - qs - Upgraded to 6.5.3 - High
CVE-2020-7753 - ssri - Upgraded to 6.0.2 - High
CVE-2022-25858 - terser - Upgraded to 4.8.1 - High
CVE-2021-3803 - nth-check - Upgraded to 2.0.1 - High
CVE-2020-7753 - trim - Upgraded to 0.0.3 - High
CVE-2021-33587 - css-what - Upgraded to 5.0.1 - High
CVE-2020-8116 - dot-prop - Upgraded to 4.2.1 - High
CVE-2020-13822 - elliptic - Upgraded to 6.5.4 - High
CVE-2022-33987 - got - Upgraded to 12.5.3 - Medium
CVE-2022-4200 - jackson-databind - Upgraded to 2.13.5 - Medium
CVE-2022-42004 - jackson-databind - Upgraded to 2.13.5 - High
CVE-2023-1370 - json-smart - Upgraded to 2.4.9 - High
CVE-2019-20149 - kind-of - Upgraded to 6.0.3 - High
CVE-2022-37601 - loader-utils - Upgraded to 1.4.2 - Critical
CVE-2022-37601 - loader-utils - Upgraded to 2.0.4 - Critical
CVE-2020-8203 - lodash - Upgraded to 4.17.21 - High
CVE-2019-10744 - lodash-es - Upgraded to 4.17.21 - Critical
CVE-2022-40023 - mako - Patched* - High
CVE-2022-40023 - mako - Upgraded to 1.2.4** - High
CVE-2019-10746 - mixin-deep - Upgraded to 1.3.2 - Critical
CVE-2021-23382 - postcss - Upgraded to 7.0.37 - High
CVE-2021-33502 - normalize-url - Upgraded to 6.1.0 - High
CVE-2021-27292 - ua-parser-js - Upgraded to 0.7.35 - High
CVE-2021-33503 - urllib3 - Upgraded to 1.26.6 - High
CVE-2020-7662 - websocket-extensions - Upgraded to 0.1.4 - High
CVE-2020-7774 - y18n - Upgraded to 4.0.3 - Critical
CVE-2022-23806 - go, crypto/elliptic - Upgraded go to 1.2 - Critical
CVE-2022-23772 - go, math/big - Upgraded go to 1.2 - High
CVE-2021-43565 - go, x/crypto - Upgraded go to 1.2 - High
CVE-2022-30580 - go, os/exec - Upgraded go to 1.2 - High
CVE-2022-30633 - go, encoding/xml - Upgraded go to 1.2 - High
CVE-2022-28131 - go, encoding/xml - Upgraded go to 1.2 - High
CVE-2022-30632 - go, path/filepath - Upgraded go to 1.2 - High
CVE-2022-41716 - go - Upgraded go to 1.2 - High
CVE-2022-28327 - go, crypto/elliptic - Upgraded go to 1.2 - High
CVE-2022-24921 - go - Upgraded go to 1.2 - High
CVE-2022-30630 - go, io/fs - Upgraded go to 1.2 - High
CVE-2022-27191 - go, crypto/ssh - Upgraded go to 1.2 - High
CVE-2022-23773 - go, cmd/go - Upgraded go to 1.2 - High
CVE-2022-30634 - go, crypto/rand - Upgraded go to 1.2 - High
CVE-2022-41715 - go - Upgraded go to 1.2 - High
CVE-2022-24675 - go, encoding/pem - Upgraded go to 1.2 - High
CVE-2022-41720 - go - Upgraded go to 1.2 - High
CVE-2022-27664 - go, net/http - Upgraded go to 1.2 - High
CVE-2022-2880 - go, net/http - Upgraded go to 1.2 - High
CVE-2022-29804 - go, path/filepath - Upgraded go to 1.2 - High
CVE-2022-32189 - go, math/big - Upgraded go to 1.2 - High
CVE-2022-30635 - go, encoding/gob - Upgraded go to 1.2 - High
CVE-2022-30631 - go, compress/gzip - Upgraded go to 1.2 - High
CVE-2022-2879 - go - Upgraded go to 1.2 - High
CVE-2022-1705 - go, net/http - Upgraded go to 1.2 - Medium
CVE-2022-1962 - go, go/parse - Upgraded go to 1.2 - Medium
CVE-2022-29526 - go, sys - Upgraded go to 1.2 - Medium
CVE-2022-32148 - go, net/http - Upgraded go to 1.2 - Medium
CVE-2022-30629 - go, crypto/tls - Upgraded go to 1.2 - Low
CVE-2017-16042 - Growl - Upgraded to 1.10.5 - Critical
CVE-2021-20095 - Babel - Upgraded to 2.9.1 - Medium
SVD-2023-0215
Date: 2023-02-14
Last Modified: 2023-02-14
Title: February Third Party Package Updates in Splunk Enterprise
Severity: High
- - - -
Splunk Enterprise 8.1
Splunk Enterprise 8.2
Splunk Enterprise 9.0
Splunk Cloud Platform -
8.1.13
8.2.10
9.0.4
9.0.2209.3
8.1.12 and lower
8.2.0 to 8.2.9
9.0.0 to 9.0.3
9.0.2209 and lower
8.1.13
8.2.10
9.0.4
9.0.2209.3
-
-
-
-
CVE-2021-21419 - Python 2.7, eventlet - Upgraded to 2.7.18.4 - Informational
CVE-2021-28957 - Python 2.7, lxml - Upgraded to 2.7.18.4 - Medium
CVE-2022-24785 - Moment.js - Upgraded to 2.29.4 - High
CVE-2022-31129 - Moment.js - Upgraded to 2.29.4 - High
CVE-2022-32212 - Node.js - Applied patch - High
CVE-2015-20107 - Python 3.7 - Applied patch - Informational
CVE-2021-3517 - Libxml2 - Applied patch - High
CVE-2021-3537 - Libxml2 - Applied patch - Medium
CVE-2021-3518 - Libxml2 - Applied patch - High
SVD-2023-0214
Date: 2023-02-14
Last Modified: 2023-02-14
Title: Splunk Response to the Apache Software Foundation Publishing a Vulnerability on Apache Commons Text (CVE-2022-42889) (Text4Shell)
Severity: Informational
- - - -
CVE-2022-42889 - - -
SVD-2022-1113
Date: 2022-11-02
Last Modified: 2023-02-14
Title: November Third Party Package updates in Splunk Enterprise
Severity: High
Splunk Enterprise 8.1
Splunk Enterprise 8.2
Splunk Enterprise 9.0
Splunk Cloud Platform -
8.1.12
8.2.9
9.0.2
9.0.2209
8.1.11 and lower
8.2.0 to 8.2.8
9.0.0 to 9.0.1
9.0.2208 and lower
8.1.12
8.2.9
9.0.2
9.0.2209
-
-
-
-
CVE-2020-36518 - jackson-databind - Upgraded to 2.13.2.1 - High
CVE-2021-32036 - mongodb - Upgraded to 4.2.19 or 4.2.17-v4 - Medium
SVD-2022-1114
Date: 2022-11-01
Last Modified: 2022-11-01
Title: Splunk’s response to OpenSSL’s CVE-2022-3602 and CVE-2022-3786
Severity: High
Splunk Enterprise
Universal Forwarders
Splunk Cloud Platform
Splunk Observability Platform
SOAR Cloud
SOAR
SOAR Automation Broker
Enterprise Security
Splunk Security Essentials
IT Service Intelligence
Splunk UBA
Data Stream Processor
Splunk Addon for Active Directory
Splunk Addon for Add-on for Infrastructure
Splunk Addon for Add-on for Microsoft Exchange
Splunk Addon for Add-on for VMware
Splunk Addon for Amazon Kinesis Firehose
Splunk Addon for Amazon Web Services
Splunk Addon for Apache Web Server
Splunk Addon for Bit9 Carbon Black
Splunk Addon for Blue Coat ProxySG
Splunk Addon for BMC Remedy
Splunk Addon for Box
Splunk Addon for Bromium
Splunk Addon for Check Point OPSEC LEA
Splunk Addon for Cisco ASA
Splunk Addon for Cisco ESA
Splunk Addon for Cisco FireSIGHT
Splunk Addon for Cisco Identity Services
Splunk Addon for Cisco UCS
Splunk Addon for Citrix NetScaler
Splunk Addon for CyberArk
Splunk Addon for F5 BIG-IP
Splunk Addon for Forcepoint Web Security
Splunk Addon for Google Cloud Platform
Splunk Addon for HAProxy
Splunk Addon for IBM WebSphere Application Server
Splunk Addon for Imperva SecureSphere WAF
Splunk Addon for Infoblox
Splunk Addon for ISC BIND
Splunk Addon for ISC DHCP
Splunk Addon for Java Management Extensions
Splunk Addon for JBoss
Splunk Addon for Juniper
Splunk Addon for Kafka
Splunk Addon for Linux
Splunk Addon for McAfee
Splunk Addon for McAfee Web Gateway
Splunk Addon for Microsoft Cloud Services
Splunk Addon for Microsoft Hyper-V
Splunk Addon for Microsoft IIS
Splunk Addon for Microsoft Office 365
Splunk Addon for Microsoft SQL Server
Splunk Addon for Microsoft Windows
Splunk Addon for MySQL
Splunk Addon for Nagios Core
Splunk Addon for NGINX
Splunk Addon for OPC
Splunk Addon for Oracle Database
Splunk Addon for OSSEC
Splunk Addon for RSA DLP
Splunk Addon for RSA SecurID
Splunk Addon for Salesforce
Splunk Addon for ServiceNow
Splunk Addon for Sophos
Splunk Addon for Squid Proxy
Splunk Addon for Stream Addon for Wire Data
Splunk Addon for Symantec DLP
Splunk Addon for Symantec Endpoint Protection
Splunk Addon for Tomcat
Splunk Addon for Unix and Linux
Splunk Addon for Websense DLP
Splunk Addon for Zeek
Splunk App for AWS
Splunk App for Common Information Model (CIM)
Splunk App for DB Connect
Splunk App for DB Connect - Older Unsupported versions
Splunk App for Info Sec
Splunk App for InfoSec App for Splunk
Splunk App for Infrastructure
Splunk App for IT Essentials Learn
Splunk App for IT Essentials Work
Splunk App for Machine Learning Toolkit (MLTK) and Python for Scientific Computing (PSC)
Splunk App for Microsoft Exchange
Splunk App for NetApp Data ONTAP
Splunk App for PCI Compliance
Splunk App for Security Essentials
Splunk App for Splunk Product Guidance
Splunk App for Stream
Splunk App for Unix and Linux
Splunk App for VMware
Splunk App for Windows
Splunk App for Windows Infrastructure
Splunk Add-on Builder
Splunk AppInspect
Splunk SDKs
Splunk Logging Library for Java
Security Analytics for AWS
Splunk Add-on for VMware Metrics
Splunk App for Content Packs
Splunk App for Infrastructure (SAI)
Splunk App for Mint
Splunk Application Performance Monitoring
Splunk Assist
Splunk Augmented Reality
Splunk Cloud Data Manager (SCDM)
Splunk Cloud Developer Edition
Splunk Connect for Kafka
Splunk Connect for Kubernetes
Splunk Connect for Kubernetes-OpenTelemetry
Splunk Connect for SNMP
Splunk Connect for Syslog
Splunk DB TA LAR
Splunk Edge Hub
Splunk Enterprise Amazon Machine Image (AMI)
Splunk Enterprise Docker Container
Splunk Infrastructure Monitoring
Splunk Log Observer
Splunk Mint Android SDK
Splunk Mint IOS SDK
Splunk Mint Management console
Splunk Mobile
Splunk Network Performance Monitoring
Splunk On-Call/Victor Ops/SSA
Splunk OVA for VMware
Splunk OVA for VMWare Metrics
Splunk Profiling
Splunk Real User Monitoring
Splunk Secure Gateway
Behavioral Analytics
Splunk Stream Forwarder
Splunk Synthetics
Splunk TV
Splunk UBA OVA Software
Splunk VMWare OVA for ITSI
Not affected (status for every product listed above)
CVE-2022-3602 - OpenSSL - NA - High
CVE-2022-3786 - OpenSSL - NA - High
SVD-2022-0804
Date: 2022-08-16
Last Modified: 2023-03-08
Title: August Third Party Package updates in Splunk Enterprise and Universal Forwarders
Severity: Medium
Universal Forwarder 8.1
Universal Forwarder 8.2
Universal Forwarder 9.0
Splunk Enterprise 8.1
Splunk Enterprise 8.2
Splunk Enterprise 9.0
Splunk Cloud Platform
8.1.11
8.2.7.1
9.0.1
8.1.11
8.2.7.1
9.0.1
9.0.2205
8.1.10 and lower
8.2.0 to 8.2.7
9.0.0
8.1.10 and lower
8.2.0 to 8.2.7
9.0.0
8.2.2203.4 and lower
8.1.11
8.2.7.1
9.0.1
8.1.11
8.2.7.1
9.0.1
9.0.2205
-
-
-
-
-
-
-
CVE-2022-2068 - OpenSSL1.0.2 - Upgraded to OpenSSL 1.0.2zf - Informational
CVE-2021-3541 - libxml2 - Applied patch - Medium
CVE-2022-29824 - libxml2 - Applied patch - Medium
CVE-2022-23308 - libxml2 - Applied patch - Informational
SVD-2021-1201
Date: 2021-12-10
Last Modified: 2022-01-07
Title: Splunk Security Advisory for Apache Log4j (CVE-2021-44228, CVE-2021-45046 and others)
Severity: Critical
CVE-2021-44228 - - -
CVE-2021-45046 - - -

 

Policy on information provided in Critical Security Alert and Security Patch Updates

Splunk continuously monitors for vulnerabilities through scans, offensive exercises such as penetration and application security testing, and reports from employees or external vendors or researchers. Splunk follows industry best practices to discover and remedy vulnerabilities. To report a security vulnerability, visit the Security Vulnerability Submission Portal.

Splunk does not provide additional information about the specifics of vulnerabilities beyond what it discloses in a Security Advisory. Splunk does not distribute active exploit code (for example, proof of concept code) for vulnerabilities in its products.

 

Applicability of Security Advisories

Splunk teams regularly evaluate security advisories from outside vendors as they become available and apply the relevant patches in accordance with applicable change management processes.

Customers that require additional information that a Security Advisory does not address can visit the Support Portal and submit a New Case.