Splunk Security Advisories and Third Party Bulletins
This page lists announcements of Splunk Security Advisories and Third Party Bulletins. For all Advisories, Announcements, and Bulletins, see the Security Advisories list.
Security Advisories
Security Advisories are collections of disclosures and security fixes for supported versions of Splunk products. Splunk publishes Security Advisories to alert customers to security issues in Splunk products that Splunk has remedied. Splunk makes advisories available for versions of Splunk products that it supports at the time of disclosure through ongoing cloud or on-premises maintenance releases. When Splunk cannot backport a patch due to technical feasibility or otherwise, it publishes mitigations and additional compensating control guidance.
Splunk publishes Security Advisories alongside corresponding product releases. Splunk encourages customers to add its Really Simple Syndication (RSS) feed to their RSS reader to receive a notification when Splunk publishes the advisories.
SVD | Date | Last Modified | Title | Severity | CVE | CVSS Vector | CVSS Score | CWE | Bug | Affected Products | Fixed Versions | Affected Versions | All Affected Versions | Affected Components | Description | Solution | Mitigations | Severity Summary | OSS | Credit |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
SVD-2023-1104 | 2023-11-16 | 2023-11-22 | Remote code execution (RCE) in Splunk Enterprise through Insecure XML Parsing | High | CVE-2023-46214 | CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H | 8.0 | CWE-91 | SPL-241695 | Splunk Enterprise 9.0 Splunk Enterprise 9.1 Splunk Cloud - | 9.0.7 9.1.2 9.1.2308 | 9.0.0 to 9.0.6 9.1.0 to 9.1.1 Versions below 9.1.2308 | 9.0.7 9.1.2 9.1.2308 | Splunk Web Splunk Web Splunk Web | In Splunk Enterprise versions below 9.0.7 and 9.1.2, Splunk Enterprise does not safely sanitize extensible stylesheet language transformations (XSLT) that users supply. This means that an attacker can upload malicious XSLT which can result in remote code execution on the Splunk Enterprise instance. | Upgrade Splunk Enterprise to either 9.0.7 or 9.1.2. <br><br>Splunk is actively monitoring and patching Splunk Cloud Platform instances. | If you cannot upgrade, limit the ability of search job requests to accept XML stylesheet language (XSL) as valid input.<br><br>Edit the `web.conf` configuration file and add the following configuration on instances where you want to limit the ability of search job requests to accept XSL:<br><br>`[settings]`<br>`enableSearchJobXslt = false`<br><br>For more information on modifying the web.conf configuration file, see [How to edit a configuration file](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Howtoeditaconfigurationfile) and the [web.conf](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf) configuration specification. For earlier Splunk Enterprise versions, review the web.conf specification for availability of the `enableSearchJobXslt` setting. | Splunk rates this vulnerability a 8.0, High, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H. | ||
SVD-2023-1103 | 2023-11-16 | 2023-11-20 | Cross-site Scripting (XSS) on “Show Syntax Highlighted” View in Search Page | Medium | CVE-2023-46213 | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N | 4.8 | CWE-79 | VULN-5768 | Splunk Enterprise 9.0 Splunk Enterprise 9.1 Splunk Cloud - | 9.0.7 9.1.2 9.1.2308 | 9.0.0 to 9.0.6 9.1.0 to 9.1.1 Versions below 9.1.2308 | 9.0.7 9.1.2 9.1.2308 | Splunk Web Splunk Web Splunk Web | In Splunk Enterprise versions below 9.0.7 and 9.1.2, the “Show syntax highlighted” feature of the Search page does not effectively escape log file characters.<br><br>This vulnerability lets an attacker craft a log file which can execute unauthorized Javascript code in the browser of a user that interacts with events in the malicious log file in a specific way. | Upgrade Splunk Enterprise to versions 9.0.7 or 9.1.2. <br><br>Splunk is actively monitoring and patching Splunk Cloud Platform instances. | If users do not log in to Splunk Web on indexers in a distributed environment, disable Splunk Web on those indexers. See [Disable unnecessary Splunk Enterprise components](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) and the [web.conf configuration specification](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf) file in the Splunk documentation for more information on disabling Splunk Web.<br>Do not use the “Show syntax highlighted” feature in the Search page on imported log files whose origins you are not familiar with. | Splunk rates this vulnerability a 4.8, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N<br>If the Splunk Enterprise instance does not run Splunk Web, it is not affected and this vulnerability can be considered Informational. | Joshua Neubecker | |
SVD-2023-0810 | 2023-08-30 | 2023-09-29 | Unauthenticated Log Injection in Splunk IT Service Intelligence (ITSI) | High | CVE-2023-4571 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H | 8.6 | CWE-117 | ITSI-31707 | Splunk ITSI 4.13 Splunk ITSI 4.15 Splunk ITSI 4.17 | 4.13.3 4.15.3 4.17.1 | 4.13.0 to 4.13.2 4.15.0 to 4.15.2 4.17.0 | 4.13.3 4.15.3 4.17.1 | - - - | In Splunk IT Service Intelligence (ITSI) versions below 4.13.3, 4.15.3, or 4.17.1, a malicious actor can inject American National Standards Institute (ANSI) escape codes into Splunk ITSI log files that, when a vulnerable terminal application reads them, can run malicious code in the vulnerable application. This attack requires a user to use a terminal application that translates ANSI escape codes to read the malicious log file locally in the vulnerable terminal. The vulnerability also requires additional user interaction to succeed. | For Splunk ITSI, upgrade to version 4.13.3, 4.15.3, or 4.17.1. Upgrading or mitigating the issue prevents future log injections. However, logs that were generated prior to an upgrade might be at risk. Where applicable, remove existing Splunk ITSI log files in either $SPLUNK_HOME/var/log/splunk/ or $SPLUNK_HOME/var/run/splunk/dispatch/<session_id>/itsi_search.log. On Windows ITSI instances, the log files are in %SPLUNK_HOME%\var\log\splunk and %SPLUNK_HOME%\var\run\splunk\dispatch\<session_id>\itsi_search.log. | As a partial mitigation, users can protect themselves from log injections via ANSI escape characters by disabling the ability to process ANSI escape codes in terminal applications or using a terminal application that supports the filtering of ANSI codes. | Splunk rates the vulnerability as High, 8.6, with a CVSS Vector of CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H. **Attack Vector:** The attack initially occurs at the network layer through an HTTP web request from the attacker to the vulnerable Splunk ITSI instance. However, this initial attack vector does not align with the CVSS metrics for “Attack Vector.” In most vulnerabilities that Splunk rates, the vector would align with those metrics, but the CVSS specification provides two qualifications for the “Local” metric. Specifically, the second qualification states the following: *“the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document).”* The attack mirrors this example, requiring the user to open a malicious document, for example, the injected log file. Because of this, Splunk rated the Attack Vector as “Local” per the CVSS v3.1 Specification Document. **Attack Complexity:** The vulnerability does not require additional preparation from the attacker, and there are no extenuating circumstances for exploiting the vulnerability. **Privileges Required:** The vulnerability does not require attacker privileges and occurs through an unauthenticated request to the Splunk ITSI instance. **User Interaction:** The vulnerability requires users to open or read the malicious document, file, or log for successful execution. **Scope:** The vulnerability does not affect Splunk ITSI directly, only indirectly through the authorized permissions in the user’s terminal. The vulnerability directly affects the user’s terminal, which falls outside of Splunk’s security authority. As such, the vulnerability qualifies for a Change in Scope. **Confidentiality/Integrity/Availability:** The vulnerability allows for the potential for remote code execution within the context of a user’s terminal. Because of this, out of an abundance of caution, Splunk rated the impact on the user’s terminal as High for all three vectors. The indirect impact on Splunk ITSI might vary significantly depending on how the user configured permissions in their terminal application. | STÖK / Fredrik Alexandersson | |
SVD-2023-0807 | 2023-08-30 | 2023-10-18 | Command Injection in Splunk Enterprise Using External Lookups | High | CVE-2023-40598 | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H | 8.5 | CWE-77 | SPL-230071 | Splunk Enterprise 8.2 Splunk Enterprise 9.0 Splunk Enterprise 9.1 Splunk Cloud - | 8.2.12 9.0.6 9.1.1 9.0.2305.200 | 8.2.0 to 8.2.11 9.0.0 to 9.0.5 9.1.0 9.0.2305.100 and below | 8.2.12 9.0.6 9.1.1 9.0.2305.200 | Splunk Web Splunk Web Splunk Web Splunk Web | In Splunk Enterprise versions below 8.2.12, 9.0.6, and 9.1.1, an attacker can create an external lookup that calls a legacy internal function. The attacker can use this internal function to insert code into the Splunk platform installation directory. From there, a user can execute arbitrary code on the Splunk platform Instance.<br><br>The vulnerability revolves around the currently-deprecated `runshellscript` command that scripted alert actions use. This command, along with external command lookups, lets an attacker use this vulnerability to inject and execute commands within a privileged context from the Splunk platform instance. | Upgrade Splunk Enterprise to either 8.2.12, 9.0.6, or 9.1.1. <br><br>Splunk is actively upgrading and monitoring Splunk Cloud deployments. | If users do not log in to Splunk Web on indexers in a distributed environment, disable Splunk Web on those indexers. See [Disable unnecessary Splunk Enterprise components](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) and the [web.conf configuration specification](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf) file in the Splunk documentation for more information on disabling Splunk Web. | Splunk rates this vulnerability 8.5, High, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H. | Danylo Dmytriiev (DDV_UA) | |
SVD-2023-0806 | 2023-08-30 | 2023-10-18 | Absolute Path Traversal in Splunk Enterprise Using runshellscript.py | High | CVE-2023-40597 | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H | 7.8 | CWE-36 | VULN-5304 | Splunk Enterprise 8.2 Splunk Enterprise 9.0 Splunk Enterprise 9.1 Splunk Cloud - | 8.2.12 9.0.6 9.1.1 9.0.2305.200 | 8.2.0 to 8.2.11 9.0.0 to 9.0.5 9.1.0 9.0.2305.100 and below | 8.2.12 9.0.6 9.1.1 9.0.2305.200 | Splunk Web Splunk Web Splunk Web Splunk Web | In Splunk Enterprise versions lower than 8.2.12, 9.0.6, and 9.1.1, an attacker can exploit an absolute path traversal to execute arbitrary code that is located on a separate disk.<br><br>The runshellscript.py script does not perform adequate user validation. This lets an attacker use the runshellscript.py script to run a script in the root directory of another disk on the machine.<br><br>The exploit requires the attacker to have write access to the drive on which they place the exploit script.<br>This vulnerability only affects Splunk Enterprise Instances that run on Windows. | Upgrade Splunk Enterprise to 8.2.12, 9.0.6, or 9.1.1. <br><br>This vulnerability does not affect Splunk Cloud Platform instances. | No mitigations | Splunk rates this vulnerability a 7.8, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H. <br><br>This vulnerability only affects Splunk Enterprise Instances that run on Windows machines. If your Splunk platform instance does not run on Windows, it is not affected and this vulnerability is considered informational. | Danylo Dmytriiev (DDV_UA) | |
SVD-2023-0805 | 2023-08-30 | 2023-08-30 | Splunk Enterprise on Windows Privilege Escalation due to Insecure OPENSSLDIR Build Definition Reference in DLL | High | CVE-2023-40596 | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H | 7.0 | CWE-665 | VULN-4474 | Splunk Enterprise 8.2 Splunk Enterprise 9.0 Splunk Enterprise 9.1 | 8.2.12 9.0.6 9.1.1 | 8.2.0 to 8.2.11 9.0.0 to 9.0.5 9.1.0 | 8.2.12 9.0.6 9.1.1 | Splunk Web Splunk Web Splunk Web | In Splunk Enterprise versions earlier than 8.2.12, 9.0.6, and 9.1.1, a dynamic link library (DLL) that ships with Splunk Enterprise references an insecure path for the OPENSSLDIR build definition. An attacker can abuse this reference and subsequently install malicious code to achieve privilege escalation on the Windows machine. As part of creating the DLL files within a Splunk Enterprise installation, the build system specifies internal build definition references. If a reference for a build definition is not provided, the build system uses the local directory on the build system when it builds the DLL files. The OPENSSLDIR definition reference was not explicitly provided at build time, which resulted in an insecure path for the OPENSSLDIR definition being encoded into the affected DLL file. An attacker could determine this directory and subsequently create the directory structure locally on the Splunk Enterprise instance, then install malicious code within this directory structure to escalate their privileges on the Windows machine that runs the instance. | Upgrade Splunk Enterprise to versions 8.2.12, 9.0.6, or 9.1.1. This vulnerability does not affect Splunk Cloud Platform. | Restrict the permissions of the user that runs the splunkd process to core functionality. For more information, please review [Harden Your Windows Installation](https://docs.splunk.com/Documentation/Splunk/latest/Security/HardenyourWindowsinstallation). | Splunk rates this vulnerability as 7.0, High, with a CVSSv3.1 vector of CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. If you do not run Splunk Enterprise on a Windows machine, then there is no impact and the severity is Informational. | Will Dormann, Vul Labs | |
SVD-2023-0804 | 2023-08-30 | 2023-10-18 | Remote Code Execution via Serialized Session Payload | High | CVE-2023-40595 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | CWE-502 | PRODSECOPS-25334 | Splunk Enterprise 8.2 Splunk Enterprise 9.0 Splunk Enterprise 9.1 Splunk Cloud - | 8.2.12 9.0.6 9.1.1 9.0.2305.200 | 8.2.0 to 8.2.11 9.0.0 to 9.0.5 9.1.0 9.0.2305.100 and below | 8.2.12 9.0.6 9.1.1 9.0.2305.200 | Splunk Web Splunk Web Splunk Web Splunk Web | In Splunk Enterprise versions lower than 8.2.12, 9.0.6, and 9.1.1, an attacker can execute a specially crafted query that they can then use to serialize untrusted data. The attacker can use the query to execute arbitrary code.<br><br>The exploit requires the use of the `collect` SPL command which writes a file within the Splunk Enterprise installation. The attacker can then use this file to submit a serialized payload that can result in execution of code within the payload. | Upgrade Splunk Enterprise to versions 8.2.12, 9.0.6, or 9.1.1. <br><br>For Splunk Cloud Platform, Splunk is actively monitoring and patching affected instances. | If users do not log in to Splunk Web on indexers in a distributed environment, disable Splunk Web on those indexers. See [Disable unnecessary Splunk Enterprise components](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) and the [web.conf configuration specification](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf) file in the Splunk documentation for more information on disabling Splunk Web. | Splunk rated the vulnerability as High, 8.8, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.<br><br>If the Splunk Enterprise instance does not run Splunk Web, there is no impact and the severity is Informational. | Danylo Dmytriiev (DDV_UA) | |
SVD-2023-0803 | 2023-08-30 | 2023-10-18 | Denial of Service (DoS) via the ‘printf’ Search Function | Medium | CVE-2023-40594 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H | 6.5 | CWE-400 | SPL-235294 | Splunk Enterprise 8.2 Splunk Enterprise 9.0 Splunk Enterprise 9.1 Splunk Cloud - | 8.2.12 9.0.6 9.1.1 9.0.2303.100 | 8.2.0 to 8.2.11 9.0.0 to 9.0.5 9.1.0 9.0.2209 and lower | 8.2.12 9.0.6 9.1.1 9.0.2303.100 | Splunk Web Splunk Web Splunk Web Splunk Web | In Splunk Enterprise versions lower than 8.2.12, 9.0.6, and 9.1.1, an attacker can use the ‘printf’ SPL function to perform a denial of service (DoS) against the Splunk Enterprise instance through a crash of the Splunk daemon.<br><br>The `printf` function does not properly validate expressions in certain cases in combination with commands like `fieldformat` that occur earlier in the search pipeline. This failure to validate results in a crash of the Splunk daemon and the subsequent DoS. | Upgrade Splunk Enterprise to versions 8.2.12, 9.0.6, or 9.1.1. <br><br>Splunk is actively monitoring and patching Splunk Cloud Platform instances. | If users do not log in to Splunk Web on indexers in a distributed environment, disable Splunk Web on those indexers. See [Disable unnecessary Splunk Enterprise components](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) and the [web.conf configuration specification](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf) file in the Splunk documentation for more information on disabling Splunk Web. | Splunk has rated this vulnerability as 6.5, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H | Danylo Dmytriiev (DDV_UA) | |
SVD-2023-0802 | 2023-08-30 | 2023-10-18 | Denial of Service (DoS) in Splunk Enterprise Using a Malformed SAML Request | Medium | CVE-2023-40593 | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H | 6.3 | CWE-400 | SPL-219455 | Splunk Enterprise 8.2 Splunk Enterprise 9.0 Splunk Cloud - | 8.2.12 9.0.6 9.0.2205 | 8.2.0 to 8.2.11 9.0.0 to 9.0.5 8.2.2203 | 8.2.12 9.0.6 9.0.2205 | Splunk Web Splunk Web Splunk Web | In Splunk Enterprise versions lower than 9.0.6, and 8.2.12, an attacker can send a malformed security assertion markup language (SAML) request to the `/saml/acs` REST endpoint which can cause a denial of service through a crash or hang of the Splunk daemon.<br><br>The SAML extensible markup language (XML) parser does not fail SAML signature validation when the attacker modifies the URI in the SAML request. Instead it attempts to access the modified URI, which causes the Splunk daemon to crash or hang. | Upgrade Splunk Enterprise to versions 8.2.12 and 9.0.6. This vulnerability does not affect Splunk Enterprise versions 9.1.0 and higher.<br><br>Splunk is actively monitoring and patching Splunk Cloud Platform instances. | Disable single sign-on using SAML as an authentication scheme (SAML SSO). For more information on this type of configuration, see [Configure single sign-on with SAML](https://docs.splunk.com/Documentation/SplunkCloud/latest/Security/HowSAMLSSOworks) in the Splunk documentation. | Splunk rates this vulnerability as 6.3, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H. <br><br>If your Splunk Enterprise Instance does not use SAML as an authentication scheme for SSO, it is not affected and this vulnerability can be considered informational. | Aaron Devaney (Dodekeract) | |
SVD-2023-0801 | 2023-08-30 | 2023-10-18 | Reflected Cross-site Scripting (XSS) on "/app/search/table" web endpoint | High | CVE-2023-40592 | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H | 8.4 | CWE-79 | VULN-5287 | Splunk Enterprise 8.2 Splunk Enterprise 9.0 Splunk Enterprise 9.1 Splunk Cloud - | 8.2.12 9.0.6 9.1.1 9.0.2305.200 | 8.2.0 to 8.2.11 9.0.0 to 9.0.5 9.1.0 9.0.2305.100 and below | 8.2.12 9.0.6 9.1.1 9.0.2305.200 | Splunk Web Splunk Web Splunk Web Splunk Web | In Splunk Enterprise versions below 9.1.1, 9.0.6, and 8.2.12, an attacker can craft a special web request that can result in reflected cross-site scripting (XSS) on the “/app/search/table” web endpoint, which presents as the “Create Table View” page in Splunk Web. Exploitation of this vulnerability can lead to the execution of arbitrary commands on the Splunk platform instance.<br><br>A JavaScript file within this web endpoint does not properly validate input which lets an attacker insert a payload into a function. | Upgrade Splunk Enterprise to versions 8.2.12, 9.0.6, or 9.1.1.<br><br>Splunk is actively monitoring and patching Splunk Cloud Platform instances. | If users do not log in to Splunk Web on indexers in a distributed environment, disable Splunk Web on those indexers. See [Disable unnecessary Splunk Enterprise components](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) and the [web.conf configuration specification](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf) file in the Splunk documentation for more information on disabling Splunk Web. | Splunk rated this vulnerability as 8.4, High, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H | Danylo Dmytriiev (DDV_UA) | |
SVD-2023-0702 | 2023-07-31 | 2023-10-18 | Unauthenticated Log Injection In Splunk SOAR | High | CVE-2023-3997 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H | 8.6 | CWE-117 | SPL-241869 | Splunk SOAR (On-premises) Splunk SOAR (Cloud) | 6.1.0 6.1.0 | 6.0.2 and lower 6.0.2 and lower | 6.1.0 6.1.0 | SOAR SOAR | In Splunk SOAR versions lower than 6.1.0, a maliciously crafted request to a web endpoint through Splunk SOAR can inject ANSI (American National Standards Institute) escape codes into Splunk log files that, when a vulnerable terminal application reads them, can potentially result in malicious code execution in the vulnerable application. This attack requires a Splunk SOAR user to use a terminal application that supports the translation of ANSI escape codes to read the malicious log file locally in the vulnerable application. The attack further requires the terminal user to execute the code. This vulnerability does not directly affect Splunk SOAR, only indirectly through the permissions in the user’s terminal. The indirect impact on Splunk SOAR can vary significantly depending on the permissions in the vulnerable terminal application and where and how the terminal user reads the malicious log file. For example, a terminal user can unknowingly copy the malicious file from the Splunk SOAR instance and read it on their local machine. In this case, that local machine would be affected. | Splunk SOAR (On-premises): Upgrade to version 6.1.0. Splunk SOAR (Cloud): No action is required. Splunk is actively patching and monitoring the Splunk SOAR (Cloud) instances. | If it is not currently practical to upgrade to Splunk SOAR version 6.1.0, you can partially mitigate the risk. As a partial, general mitigation, you can protect Splunk SOAR users from log injections via ANSI escape characters by disabling the ability to process ANSI escape codes in terminal applications or by using a terminal application that supports the filtering of ANSI codes. | Splunk rates this vulnerability as High, 8.6, with a CVSS vector of CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H. **Attack Vector:** The attack initially occurs at the network layer through an HTTP web request from the attacker to the vulnerable Splunk SOAR instance. However, this initial attack vector does not align with the CVSS metrics for “Attack Vector”. In most vulnerabilities that Splunk rates, the vector would align with CVSS metrics, but the CVSS specification provides two qualifications for the “Local” metric. Specifically, the second qualification states the following: *“The attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document).”* The attack mirrors this qualification, requiring another user to open a malicious document, for example, the injected log file. Because of this, Splunk rated this Attack Vector as “Local” per the CVSS v3.1 Specification Document. **Attack Complexity:** This vulnerability requires no additional preparation from the attacker, and there are no extenuating circumstances for exploiting this vulnerability. **Privileges Required:** This vulnerability does not require additional privileges and occurs through an unauthenticated web request to Splunk SOAR. **User Interaction:** This vulnerability requires users to open or read the malicious document, file, or log for successful execution. **Scope:** This vulnerability does not affect Splunk SOAR directly, only indirectly through the authorized permissions in the user’s terminal. This vulnerability directly affects the user’s terminal, which falls outside of Splunk’s security authority. As such, this vulnerability qualifies for a Change in Scope, as defined by the CVSS standard. **Confidentiality/Integrity/Availability:** This vulnerability enables potential remote code execution within the context of a user’s terminal. Because of this, out of an abundance of caution, Splunk rated the impact on the user’s terminal as High for Confidentiality, Integrity and Availability. The indirect impact on Splunk SOAR might vary significantly depending on how the terminal user configured permissions in their terminal application. | STÖK / Fredrik Alexandersson | |
SVD-2023-0612 | 2023-06-01 | 2023-06-01 | Role-based Access Control (RBAC) Bypass on '/services/indexing/preview' REST Endpoint Can Overwrite Search Results | Medium | CVE-2023-32717 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N | 4.3 | CWE-285 | SPL-237454 | Splunk Enterprise 8.1 Splunk Enterprise 8.2 Splunk Enterprise 9.0 Splunk Cloud Platform | 8.1.14 8.2.11 9.0.5 9.0.2303.100 | 8.1.0 to 8.1.13 8.2.0 to 8.2.10 9.0.0 to 9.0.4 9.0.2303 and below | 8.1.14 8.2.11 9.0.5 9.0.2303.100 | Splunk Web Splunk Web Splunk Web Splunk Web | An unauthorized user can access the '/services/indexing/preview' REST endpoint to overwrite search results if they know the search ID (SID) of an existing search job. This is because the endpoint does not honor role-based access controls (RBAC) with respect to SID ownership. The exploit requires that the user hold a role that has the 'edit_monitor' and 'edit_upload_and_index' capabilities assigned to it. | For Splunk Enterprise, upgrade to versions 9.0.5, 8.2.11, or 8.1.14 and higher. For Splunk Cloud Platform, Splunk is monitoring and patching affected instances. | Remove the 'edit_monitor' and 'edit_upload_and_index' capabilities from roles that low-privilege user accounts hold. Ensure that all REST endpoints have the proper access control lists (ACLs) applied to them. | Splunk rated this vulnerability as Medium, 4.3, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. | Scott Calvert, Splunk | |
SVD-2023-0611 | 2023-06-01 | 2023-06-01 | Denial of Service via the 'dump' SPL command | Medium | CVE-2023-32716 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H | 6.5 | CWE-754 | SPL-235572 | Splunk Enterprise 8.1 Splunk Enterprise 8.2 Splunk Enterprise 9.0 Splunk Cloud Platform | 8.1.14 8.2.11 9.0.5 9.0.2303.100 | 8.1.0 to 8.1.13 8.2.0 to 8.2.10 9.0.0 to 9.0.4 9.0.2303 and below | 8.1.14 8.2.11 9.0.5 9.0.2303.100 | Splunk Web Splunk Web Splunk Web Splunk Web | An attacker can exploit a vulnerability in the 'dump' SPL command to cause a denial of service by crashing the Splunk daemon. If the attacker supplies a longer-than-expected filename with the command, a memory access violation, or segmentation fault, occurs, which results in a crash of the Splunk platform instance. | For Splunk Enterprise, upgrade to versions 9.0.5, 8.2.11, 8.1.14, and higher. For Splunk Cloud Platform, Splunk is actively monitoring and patching affected instances. | Remove the 'run_dump' capability from any roles that users hold. | Splunk rated this vulnerability as Medium, 6.5, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. | Danylo Dmytriiev (DDV_UA) | |
SVD-2023-0610 | 2023-06-01 | 2023-06-01 | Self Cross-Site Scripting (XSS) on Splunk App for Lookup File Editing | Medium | CVE-2023-32715 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N | 4.7 | CWE-79 | LOOKUP-176 | Splunk App for Lookup File Editing 4.0 | 4.0.1 | 4.0 and lower | 4.0.1 | | A user can insert potentially malicious JavaScript code into the Splunk App for Lookup File Editing, which causes the code to run on the user’s machine. | Upgrade the Splunk App for Lookup Editing to version 4.0.1 or higher. | Disable the Splunk App for Lookup File Editing if you do not require it and cannot upgrade it. If users do not log in to Splunk Web on indexers in a distributed environment, disable Splunk Web on those indexers. See [Disable unnecessary Splunk Enterprise components](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) and the [web.conf configuration specification file](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf) in the Splunk documentation for more information on disabling Splunk Web. | Splunk rated this vulnerability as Medium, 4.7, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N. | ||
SVD-2023-0609 | 2023-06-01 | 2023-06-01 | Information Disclosure via the ‘copyresults’ SPL Command | Medium | CVE-2023-32710 | CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N | 4.8 | CWE-200 | SPL-234996 | Splunk Enterprise 8.1 Splunk Enterprise 8.2 Splunk Enterprise 9.0 Splunk Cloud Platform | 8.1.14 8.2.11 9.0.5 9.0.2303.100 | 8.1.0 to 8.1.13 8.2.0 to 8.2.10 9.0.0 to 9.0.4 9.0.2303 and lower | 8.1.14 8.2.11 9.0.5 9.0.2303.100 | Splunk Web Splunk Web Splunk Web Splunk Web | A low-privileged user can perform an unauthorized transfer of data from a search using the ‘copyresults’ command if they know the search ID (SID) of a search job that has recently run. | For Splunk Enterprise, upgrade versions to 8.1.14, 8.2.11, 9.0.5, or higher. For Splunk Cloud Platform, Splunk is actively patching and monitoring the Splunk Cloud instances. | N/A | Splunk rated the vulnerability as Medium, 4.8, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N. | Anton (therceman) | |
SVD-2023-0608 | 2023-06-01 | 2023-06-01 | Path Traversal in Splunk App for Lookup File Editing | High | CVE-2023-32714 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N | 8.1 | CWE-35 | LOOKUP-177 | Splunk App for Lookup File Editing 4.0 | 4.0.1 | 4.0 and lower | 4.0.1 | | A low-privileged user with access to the Splunk App for Lookup File Editing can, with a specially crafted web request, trigger a path traversal exploit that can then be used to read and write to restricted areas of the Splunk installation directory. | Upgrade the Splunk App for Lookup Editing to version 4.0.1 or higher. | N/A | Splunk rated the vulnerability as High, 8.1, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N. | Torjus Bryne Retterstøl, Binary Security | |
SVD-2023-0607 | 2023-06-01 | 2023-06-01 | Local Privilege Escalation via the ‘streamfwd’ program in Splunk App for Stream | High | CVE-2023-32713 | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H | 7.8 | CWE-269 | STREAM-5290 | Splunk App for Stream 8.1 | 8.1.1 | 8.1 and lower | 8.1.1 | streamfwd | A low-privileged user could use a vulnerability in the streamfwd process within the Splunk App for Stream to escalate their privileges on the machine that runs the Splunk Enterprise instance, up to and including the root user. | Upgrade the Splunk App for Stream to version 8.1.1 or higher. | * Install the Splunk App for Stream as a high-privileged user, for example, one that has been added to the /etc/sudoers file on the machine that runs the instance (on machines that run \*nix).<br>* Limit user access to the ‘streamfwd’ process by removing all but privileged users' ability to run the process.<br>* Disable the Splunk App for Stream if you do not require it and cannot upgrade it. | Splunk rated the vulnerability as High, 7.8, with a CVSSv3.1 vector of CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H.<br>If the instance does not run the Splunk App for Stream, then there is no impact and the severity is Informational. | Ben Leonard-Lagarde & Lucas Fedyniak-Hopes (Modux) | |
SVD-2023-0606 | 2023-06-01 | 2023-10-18 | Unauthenticated Log Injection in Splunk Enterprise | High | CVE-2023-32712 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H | 8.6 | CWE-117 | SPL-235259 | Splunk Enterprise 8.2 Splunk Enterprise 9.0 Splunk Enterprise 9.1 Universal Forwarder 8.2 Universal Forwarder 9.0 Universal Forwarder 9.1 | 8.2.11.2 9.0.5.1 9.1.0.2 8.2.12 9.0.6 9.1.1 | 8.2.0 to 8.2.11.1 9.0.0 to 9.0.5 9.1.0 to 9.1.0.1 8.2.11 and below 9.0.0 to 9.0.5 9.1.0 to 9.1.0.1 | 8.2.11.2 9.0.5.1 9.1.0.2 8.2.12 9.0.6 9.1.1 | - - - REST API REST API REST API | In Splunk Enterprise versions below 9.1.0.2, 9.0.5.1, and 8.2.11.2, an attacker can inject American National Standards Institute (ANSI) escape codes into Splunk log files that, when a vulnerable terminal application reads them, can potentially, at worst, result in possible code execution in the vulnerable application. This attack requires a user to use a terminal application that supports the translation of ANSI escape codes to read the malicious log file locally in the vulnerable terminal, and to perform additional user interaction to exploit. Universal Forwarder versions 9.1.0.1, 9.0.5, 8.2.11, and lower can be vulnerable in the following situations: * The forwarders have been configured to have management services active * The active management services are exposed and accessible from the network By default, all Universal Forwarder 9.0 and 9.1 versions bind management services to the local machine (localhost) and are not vulnerable in this specific configuration. See [SVD-2022-0605](https://advisory.splunk.com/advisories/SVD-2022-0605) for more information. Universal Forwarder versions 9.1 and higher use Unix Domain Sockets (UDS) for communication, further reducing the potential attack surface. The vulnerability does not directly affect Splunk Enterprise or Splunk Universal Forwarder.<br><br>The indirect impact on the Splunk Enterprise instance and Universal Forwarders can vary significantly depending on the permissions in the vulnerable terminal application and where and how the user reads the malicious log file. For example, users can copy the malicious file from the Splunk Enterprise instance and read it on their local machine. | For Splunk Enterprise, upgrade to version 8.2.11.2, 9.0.5.1, or 9.1.0.2. For Splunk Universal Forwarder, upgrade to version 8.2.12, 9.0.6, or 9.1.1. This vulnerability does not affect Splunk Cloud Platform instances directly. Where possible, Splunk Cloud Platform customers with on-premises Splunk infrastructure, including universal and heavy forwarders, deployment servers, and license servers, must upgrade that infrastructure to reduce their attack surface. Upgrading or mitigating the issue prevents future log injections. However, logs that were created before performing the upgrades or mitigations can still pose a risk. Where applicable, remove Splunk Enterprise log files in the $SPLUNK_HOME/var/log/splunk/ directory. | As a partial mitigation, users can protect themselves from log injections via ANSI escape characters in general, by disabling the ability to process ANSI escape codes in terminal applications or using a terminal application that supports the filtering of ANSI codes. For Universal Forwarder versions 8.2.x, configure management services to only accept inbound connections from the local machine (localhost). For Universal Forwarder versions 9.0.x and 9.1.x, confirm that management services only accept inbound connections from localhost. To deactivate remote management services on Universal Forwarder: * In the [server.conf](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Serverconf) configuration file on UF, under the [httpServer] stanza, give the `disableDefaultPort` setting a value of `true`, or, under the [general] stanza, give the `allowRemoteLogin` setting a value of `never`.<br><br>See [Configure universal forwarder management security](https://docs.splunk.com/Documentation/Splunk/latest/Security/EnableTLSCertHostnameValidation#Configure_universal_forwarder_management_security) in Securing Splunk Enterprise for more information on deactivating remote management services. For improved overall security on UF versions 9.1.x and higher, where applicable, consider configuring the UF to use UDS for communication. In the [server.conf](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Serverconf) configuration file, under the [httpServer] stanza, give the `mgmtMode` setting a value of `UDS` (or `default`). | Splunk rates the vulnerability as High, 8.6, with a CVSS Vector of CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H. **Attack Vector:** The attack initially occurs at the network layer through an HTTP web request from the attacker to the vulnerable Splunk Enterprise instance. However, this initial attack vector does not align with the CVSS metrics for "Attack Vector." In most vulnerabilities that Splunk rates, the vector would align with those metrics, but the CVSS specification provides two qualifications for the "Local" metric. Specifically, the second qualification states the following: "_the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document)._" The attack mirrors this example, requiring the user to open a malicious document, for example, the injected log file. Because of this, Splunk rated the Attack Vector as "Local" per the CVSS v3.1 Specification Document. **Attack Complexity:** The vulnerability requires no additional preparation from the attacker, and there are no extenuating circumstances for exploiting the vulnerability.<br><br>**Privileges Required:** The vulnerability does not require attacker privileges and occurs through an unauthenticated request to the Splunk Enterprise instance. **User Interaction:** The vulnerability requires users to open or read the malicious document, file, or log for successful execution. **Scope:** The vulnerability does not affect Splunk Enterprise directly, only indirectly through the authorized permissions in the user’s terminal. The vulnerability directly affects the user’s terminal, which falls outside of Splunk’s security authority. As such, the vulnerability qualifies for a Change in Scope. **Confidentiality/Integrity/Availability:** The vulnerability allows for the potential for remote code execution within the context of a user’s terminal. Because of this, out of an abundance of caution, Splunk rated the impact on the user’s terminal as High for all three vectors. The indirect impact on Splunk Enterprise might vary significantly depending on how the user configured permissions in their terminal application. | STÖK / Fredrik Alexandersson | |
SVD-2023-0605 | 2023-06-01 | 2023-06-01 | Persistent Cross-Site Scripting (XSS) through a URL Validation Bypass within a Dashboard View | Medium | CVE-2023-32711 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | 5.4 | CWE-79 | SPL-234890 | Splunk Enterprise 8.1 Splunk Enterprise 8.2 Splunk Enterprise 9.0 | 8.1.14 8.2.11 9.0.5 | 8.1.0 to 8.1.13 8.2.0 to 8.2.10 9.0.0 to 9.0.4 | 8.1.14 8.2.11 9.0.5 | Splunk Web Splunk Web Splunk Web | A Splunk dashboard view lets a low-privileged user exploit a vulnerability in the Bootstrap web framework (CVE-2019-8331) and build a stored cross-site scripting (XSS) payload. | For Splunk Enterprise, upgrade versions to 8.1.14, 8.2.11, 9.0.5, or higher. This vulnerability does not affect Splunk Cloud Platform instances. | If users do not log in to Splunk Web on indexers in a distributed environment, disable Splunk Web on those indexers. See [Disable unnecessary Splunk Enterprise components](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) and the [web.conf configuration specification file](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf) in the Splunk documentation for more information on disabling Splunk Web. | Splunk rated the vulnerability as Medium, 5.4, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. | Danylo Dmytriiev (DDV_UA) | |
SVD-2023-0604 | 2023-06-01 | 2023-06-01 | Low-privileged User can View Hashed Default Splunk Password | Medium | CVE-2023-32709 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N | 4.3 | CWE-285 | SPL-235016 | Splunk Enterprise 8.1 Splunk Enterprise 8.2 Splunk Enterprise 9.0 Splunk Cloud Platform | 8.1.14 8.2.11 9.0.5 9.0.2303.100 | 8.1.0 to 8.1.13 8.2.0 to 8.2.10 9.0.0 to 9.0.4 9.0.2303 and below | 8.1.14 8.2.11 9.0.5 9.0.2303.100 | Splunk Web Splunk Web Splunk Web Splunk Web | A low-privileged user who holds the ‘user’ role can see the hashed version of the initial user name and password for the Splunk instance by using the ‘rest’ SPL command against the ‘conf-user-seed’ REST endpoint. | For Splunk Enterprise, upgrade versions to 8.1.14, 8.2.11, 9.0.5, or higher. For Splunk Cloud Platform, Splunk is actively patching and monitoring the Splunk Cloud instances. | N/A | Splunk rated the vulnerability as Medium, 4.3, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. If the initial admin password has been changed, then there is no impact and the severity is Informational. | Anton (therceman) | |
SVD-2023-0603 | 2023-06-01 | 2023-06-01 | HTTP Response Splitting via the ‘rest’ SPL Command | High | CVE-2023-32708 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | 7.2 | CWE-113 | SPL-235203 | Splunk Enterprise 8.1 Splunk Enterprise 8.2 Splunk Enterprise 9.0 Splunk Cloud Platform | 8.1.14 8.2.11 9.0.5 9.0.2303.100 | 8.1.0 to 8.1.13 8.2.0 to 8.2.10 9.0.0 to 9.0.4 9.0.2303 and lower | 8.1.14 8.2.11 9.0.5 9.0.2303.100 | Splunk Web Splunk Web Splunk Web Splunk Web | A low-privileged user can trigger an HTTP response splitting vulnerability with the ‘rest’ SPL command that lets them potentially access other REST endpoints in the system arbitrarily, including viewing restricted content. | For Splunk Enterprise, upgrade versions to 9.0.5, 8.2.11, 8.1.14, or higher. For Splunk Cloud Platform, Splunk is monitoring and patching affected instances. | For Splunk Enterprise, limit the number of searches a process can run by editing the limits.conf configuration file and giving the 'max_searches_per_process' setting a value of either 1 or 0. For Splunk Cloud Platform, file a support ticket to adjust this configuration setting. | Splunk rated the vulnerability as High, 7.2, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. | Danylo Dmytriiev (DDV_UA) | |
SVD-2023-0602 | 2023-06-01 | 2023-06-01 | ‘edit_user’ Capability Privilege Escalation | High | CVE-2023-32707 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | CWE-285 | SPL-232088 | Splunk Enterprise 8.1 Splunk Enterprise 8.2 Splunk Enterprise 9.0 Splunk Cloud Platform | 8.1.14 8.2.11 9.0.5 9.0.2303.100 | 8.1.0 to 8.1.13 8.2.0 to 8.2.10 9.0.0 to 9.0.4 9.0.2303 and below | 8.1.14 8.2.11 9.0.5 9.0.2303.100 | Splunk Web Splunk Web Splunk Web Splunk Web | A low-privileged user who holds a role that has the ‘edit_user’ capability assigned to it can escalate their privileges to that of the admin user by providing a specially crafted web request. This is because the ‘edit_user’ capability does not honor the ‘grantableRoles’ setting in the authorize.conf configuration file, which prevents this scenario from happening. | For Splunk Enterprise, upgrade versions to 9.0.5, 8.2.11, 8.1.14, or higher. For Splunk Cloud Platform, Splunk is actively patching and monitoring the Splunk Cloud instances. | Confirm that no role, other than the admin role or its equivalent, has the ‘edit_user’ capability assigned to it. Confirm that you neither assign the ‘edit_user’ capability to a role from which other roles inherit, nor that you assign a role with the capability to a user with low or no privileges. | Splunk rated the vulnerability as High, 8.8, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. | Mr Hack (try_to_hack) Santiago Lopez | |
SVD-2023-0601 | 2023-06-01 | 2023-06-01 | Denial Of Service due to Untrusted XML Tag in XML Parser within SAML Authentication | High | CVE-2023-32706 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H | 7.7 | CWE-611 | SPL-224292 | Splunk Enterprise 8.1 Splunk Enterprise 8.2 Splunk Enterprise 9.0 Splunk Cloud Platform 9.0.2303 and below | 8.1.14 8.2.11 9.0.5 9.0.2303.100 | 8.1.0 to 8.1.13 8.2.0 to 8.2.10 9.0.0 to 9.0.4 | 8.1.14 8.2.11 9.0.5 9.0.2303.100 | Splunk Web Splunk Web Splunk Web Splunk Web | An unauthenticated attacker can send specially-crafted messages to the XML parser within SAML authentication to cause a denial of service in the Splunk daemon. This happens when an incorrectly configured XML parser receives XML input that contains a reference to an entity expansion. Many recursive references to entity expansions can cause the XML parser to use all available memory on the machine, causing the Splunk daemon to crash or be terminated by the operating system. | For Splunk Enterprise, upgrade versions to 8.1.14, 8.2.11, 9.0.5, or higher. For Splunk Cloud Platform, Splunk is actively patching and monitoring the Splunk Cloud instances. | Disable single sign-on using SAML as an authentication scheme (SAML SSO). For more information on this type of configuration, see [Configure single sign-on with SAML](https://docs.splunk.com/Documentation/SplunkCloud/latest/Security/HowSAMLSSOworks) in the Splunk documentation. | Splunk rated the vulnerability as High, 7.7 with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H. If the Splunk Enterprise instance does not use SAML SSO for authentication, there is no impact and the severity is Informational. | Vikram Ashtaputre, Splunk | |
SVD-2023-0213 | 2023-02-14 | 2023-02-14 | Modular Input REST API Requests Connect via HTTP after Certificate Validation Failure in Splunk Add-on Builder and Splunk CloudConnect SDK | Medium | CVE-2023-22943 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N | 4.8 | CWE-636 | ADDON-58725 | Splunk Add-on Builder 4.1 Splunk CloudConnect SDK 3.1 | 4.1.2 3.1.3 | 4.1.1 and lower 3.1.2 and lower | 4.1.2 3.1.3 | cloudconnectlib - | Chris Green | |||||
SVD-2023-0212 | 2023-02-14 | 2023-02-14 | Cross-Site Request Forgery in the ‘ssg/kvstore_client’ REST Endpoint in Splunk Enterprise | Medium | CVE-2023-22942 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L | 5.4 | CWE-352 | SPL-232619 | Splunk Enterprise 8.1 Splunk Enterprise 8.2 Splunk Enterprise 9.0 | 8.1.13 8.2.10 9.0.4 | 8.1.12 and lower 8.2.0 to 8.2.9 9.0.0 to 9.0.3 | 8.1.13 8.2.10 9.0.4 | Splunk Web Splunk Web Splunk Web | Anton (therceman) | |||||
SVD-2023-0211 | 2023-02-14 | 2023-02-14 | Improperly Formatted ‘INGEST_EVAL’ Parameter Crashes Splunk Daemon | Medium | CVE-2023-22941 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H | 6.5 | CWE-248 | SPL-232645 | Splunk Enterprise 8.1 Splunk Enterprise 8.2 Splunk Enterprise 9.0 Splunk Cloud Platform - | 8.1.13 8.2.10 9.0.4 9.0.2212 | 8.1.12 and lower 8.2.0 to 8.2.9 9.0.0 to 9.0.3 9.0.2209 and lower | 8.1.13 8.2.10 9.0.4 9.0.2212 | Splunk Web Splunk Web Splunk Web Splunk Web | James Ervin, Splunk | |||||
SVD-2023-0210 | 2023-02-14 | 2023-02-14 | SPL Command Safeguards Bypass via the ‘collect’ SPL Command Aliases in Splunk Enterprise | Medium | CVE-2023-22940 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N | 6.3 | CWE-20 | SPL-232369 | Splunk Enterprise 8.1 Splunk Enterprise 8.2 Splunk Enterprise 9.0 Splunk Cloud Platform - | 8.1.13 8.2.10 9.0.4 9.0.2212 | 8.1.12 and lower 8.2.0 to 8.2.9 9.0.0 to 9.0.3 9.0.2209 and lower | 8.1.13 8.2.10 9.0.4 9.0.2212 | Splunk Web Splunk Web Splunk Web Splunk Web | James Ervin, Splunk | |||||
SVD-2023-0209 | 2023-02-14 | 2023-02-14 | SPL Command Safeguards Bypass via the ‘map’ SPL Command in Splunk Enterprise | High | CVE-2023-22939 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N | 8.1 | CWE-20 | SPL-230588 | Splunk Enterprise 8.1 Splunk Enterprise 8.2 Splunk Enterprise 9.0 Splunk Cloud Platform - | 8.1.13 8.2.10 9.0.4 9.0.2209.3 | 8.1.12 and lower 8.2.0 to 8.2.9 9.0.0 to 9.0.3 9.0.2209 and lower | 8.1.13 8.2.10 9.0.4 9.0.2209.3 | Splunk Web Splunk Web Splunk Web Splunk Web | Klevis Luli, Splunk | |||||
SVD-2023-0208 | 2023-02-14 | 2023-02-14 | Permissions Validation Failure in the ‘sendemail’ REST API Endpoint in Splunk Enterprise | Medium | CVE-2023-22938 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N | 4.3 | CWE-285 | SPL-229337 | Splunk Enterprise 8.1 Splunk Enterprise 8.2 Splunk Enterprise 9.0 Splunk Cloud Platform - | 8.1.13 8.2.10 9.0.4 9.0.2212 | 8.1.12 and lower 8.2.0 to 8.2.9 9.0.0 to 9.0.3 9.0.2209 and lower | 8.1.13 8.2.10 9.0.4 9.0.2212 | Splunk Web Splunk Web Splunk Web Splunk Web | James Ervin, Splunk | |||||
SVD-2023-0207 | 2023-02-14 | 2023-02-14 | Unnecessary File Extensions Allowed by Lookup Table Uploads in Splunk Enterprise | Medium | CVE-2023-22937 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N | 4.3 | CWE-20 | SPL-229185 | Splunk Enterprise 8.1 Splunk Enterprise 8.2 Splunk Enterprise 9.0 Splunk Cloud Platform - | 8.1.13 8.2.10 9.0.4 9.0.2209.3 | 8.1.12 and lower 8.2.0 to 8.2.9 9.0.0 to 9.0.3 9.0.2209 and lower | 8.1.13 8.2.10 9.0.4 9.0.2209.3 | Splunk Web Splunk Web Splunk Web Splunk Web | ||||||
SVD-2023-0206 | 2023-02-14 | 2023-02-14 | Authenticated Blind Server Side Request Forgery via the ‘search_listener’ Search Parameter in Splunk Enterprise | Medium | CVE-2023-22936 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L | 6.3 | CWE-918 | SPL-228937 | Splunk Enterprise 8.1 Splunk Enterprise 8.2 Splunk Enterprise 9.0 Splunk Cloud Platform - | 8.1.13 8.2.10 9.0.4 9.0.2209.3 | 8.1.12 and lower 8.2.0 to 8.2.9 9.0.0 to 9.0.3 9.0.2209 and lower | 8.1.13 8.2.10 9.0.4 9.0.2209.3 | Splunk Web Splunk Web Splunk Web Splunk Web | Danylo Dmytriiev (DDV_UA) | |||||
SVD-2023-0205 | 2023-02-14 | 2023-02-14 | SPL Command Safeguards Bypass via the ‘display.page.search.patterns.sensitivity’ Search Parameter in Splunk Enterprise | High | CVE-2023-22935 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N | 8.1 | CWE-20 | SPL-228738 | Splunk Enterprise 8.1 Splunk Enterprise 8.2 Splunk Enterprise 9.0 Splunk Cloud Platform - | 8.1.13 8.2.10 9.0.4 9.0.2209.3 | 8.1.12 and lower 8.2.0 to 8.2.9 9.0.0 to 9.0.3 9.0.2209 and lower | 8.1.13 8.2.10 9.0.4 9.0.2209.3 | Splunk Web Splunk Web Splunk Web Splunk Web | Anton (therceman) | |||||
SVD-2023-0204 | 2023-02-14 | 2023-02-14 | SPL Command Safeguards Bypass via the ‘pivot’ SPL Command in Splunk Enterprise | High | CVE-2023-22934 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N | 7.3 | CWE-20 | SPL-228734 | Splunk Enterprise 8.1 Splunk Enterprise 8.2 Splunk Enterprise 9.0 Splunk Cloud Platform - | 8.1.13 8.2.10 9.0.4 9.0.2209.3 | 8.1.12 and lower 8.2.0 to 8.2.9 9.0.0 to 9.0.3 9.0.2209 and lower | 8.1.13 8.2.10 9.0.4 9.0.2209.3 | Splunk Web Splunk Web Splunk Web Splunk Web | Anton (therceman) | |||||
SVD-2023-0203 | 2023-02-14 | 2023-02-14 | Persistent Cross-Site Scripting through the ‘module’ Tag in a View in Splunk Enterprise | High | CVE-2023-22933 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H | 8.0 | CWE-79 | SPL-228264 | Splunk Enterprise 8.1 Splunk Enterprise 8.2 Splunk Enterprise 9.0 Splunk Cloud Platform - | 8.1.13 8.2.10 9.0.4 9.0.2209 | 8.1.12 and lower 8.2.0 to 8.2.9 9.0.0 to 9.0.3 9.0.2208 and lower | 8.1.13 8.2.10 9.0.4 9.0.2209 | Splunk Web Splunk Web Splunk Web Splunk Web | Danylo Dmytriiev (DDV_UA) | |||||
SVD-2023-0202 | 2023-02-14 | 2023-02-14 | Persistent Cross-Site Scripting through a Base64-encoded Image in a View in Splunk Enterprise | High | CVE-2023-22932 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N | 8.0 | CWE-79 | SPL-232819 | Splunk Enterprise 8.1 Splunk Enterprise 8.2 Splunk Enterprise 9.0 Splunk Cloud Platform | - - 9.0.4 9.0.2209.3 | Not affected Not affected 9.0.0 to 9.0.3 9.0.2209 and lower | - - 9.0.4 9.0.2209.3 | - - Splunk Web Splunk Web | Tim Coen (foobar7) | |||||
SVD-2023-0201 | 2023-02-14 | 2023-02-14 | ‘createrss’ External Search Command Overwrites Existing RSS Feeds in Splunk Enterprise | Medium | CVE-2023-22931 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N | 4.3 | CWE-285 | SPL-216628 | Splunk Enterprise 8.1 Splunk Enterprise 8.2 Splunk Enterprise 9.0 Splunk Cloud Platform - | 8.1.13 8.2.10 - 8.2.2203 | 8.1.12 and lower 8.2.0 to 8.2.9 Not affected 8.2.2202 and lower | 8.1.13 8.2.10 - 8.2.2203 | Search Search - Search | James Ervin, Splunk | |||||
SVD-2022-1112 | 2022-11-02 | 2022-11-02 | Indexing blockage via malformed data sent through S2S or HEC protocols in Splunk Enterprise | High | CVE-2022-43572 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H | 7.5, High | CWE-400 | SPL-224974 | Splunk Enterprise 8.1 Splunk Enterprise 8.2 Splunk Enterprise 9.0 Splunk Cloud Platform | 8.1.12 8.2.9 9.0.2 9.0.2209.3 | 8.1.11 and lower 8.2.0 to 8.2.8 9.0.0 to 9.0.1 9.0.2209 and lower | 8.1.12 8.2.9 9.0.2 9.0.2209.3 | Indexing Indexing Indexing Indexing | ||||||
SVD-2022-1111 | 2022-11-02 | 2022-11-02 | Remote Code Execution through dashboard PDF generation component in Splunk Enterprise | High | CVE-2022-43571 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8, High | CWE-94 | SPL-228720 | Splunk Enterprise 8.1 Splunk Enterprise 8.2 Splunk Enterprise 9.0 Splunk Cloud Platform | 8.1.12 8.2.9 9.0.2 9.0.2209 | 8.1.11 and lower 8.2.0 to 8.2.8 9.0.0 to 9.0.1 9.0.2208 and lower | 8.1.12 8.2.9 9.0.2 9.0.2209 | | Danylo Dmytriiev (DDV_UA) | |||||
SVD-2022-1110 | 2022-11-02 | 2022-11-02 | XML External Entity Injection through a custom View in Splunk Enterprise | High | CVE-2022-43570 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8, High | CWE-611 | SPL-228310 | Splunk Enterprise 8.1 Splunk Enterprise 8.2 Splunk Enterprise 9.0 Splunk Cloud Platform | 8.1.12 8.2.9 9.0.2 9.0.2209 | 8.1.11 and lower 8.2.0 to 8.2.8 9.0.0 to 9.0.1 9.0.2208 and lower | 8.1.12 8.2.9 9.0.2 9.0.2209 | Splunk Web Splunk Web Splunk Web Splunk Web | Danylo Dmytriiev (DDV_UA) | |||||
SVD-2022-1109 | 2022-11-02 | 2022-11-02 | Persistent Cross-Site Scripting via a Data Model object name in Splunk Enterprise | High | CVE-2022-43569 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H | 8.0, High | CWE-79 | SPL-228087 | Splunk Enterprise 8.1 Splunk Enterprise 8.2 Splunk Enterprise 9.0 Splunk Cloud Platform | 8.1.12 8.2.9 9.0.2 9.0.2209 | 8.1.11 and lower 8.2.0 to 8.2.8 9.0.0 to 9.0.1 9.0.2208 and lower | 8.1.12 8.2.9 9.0.2 9.0.2209 | Splunk Web Splunk Web Splunk Web Splunk Web | Danylo Dmytriiev (DDV_UA) | |||||
SVD-2022-1108 | 2022-11-02 | 2022-11-02 | Reflected Cross-Site Scripting via the radio template in Splunk Enterprise | High | CVE-2022-43568 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 8.8, High | CWE-79 | SPL-228379 | Splunk Enterprise 8.1 Splunk Enterprise 8.2 Splunk Enterprise 9.0 Splunk Cloud Platform | 8.1.12 8.2.9 9.0.2 9.0.2205 | 8.1.11 and lower 8.2.0 to 8.2.8 9.0.0 to 9.0.1 9.0.2203.4 and lower | 8.1.12 8.2.9 9.0.2 9.0.2205 | Splunk Web Splunk Web Splunk Web Splunk Web | Danylo Dmytriiev (DDV_UA) | |||||
SVD-2022-1107 | 2022-11-02 | 2022-11-02 | Remote Code Execution via the Splunk Secure Gateway application Mobile Alerts feature | High | CVE-2022-43567 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8, High | CWE-502 | SPL-226837 | Splunk Enterprise 8.1 Splunk Enterprise 8.2 Splunk Enterprise 9.0 Splunk Cloud Platform Splunk Secure Gateway | 8.1.12 8.2.9 9.0.2 9.0.2205 | 8.1.11 and lower 8.2.0 to 8.2.8 9.0.0 to 9.0.1 9.0.2203.4 and lower | 8.1.12 8.2.9 9.0.2 9.0.2205 | Splunk Secure Gateway Splunk Secure Gateway Splunk Secure Gateway Splunk Web | Danylo Dmytriiev (DDV_UA) | |||||
SVD-2022-1106 | 2022-11-02 | 2022-11-02 | Risky command safeguards bypass via Search ID query in Analytics Workspace in Splunk Enterprise | High | CVE-2022-43566 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N | 7.3, High | CWE-20 | SPL-223730 | Splunk Enterprise 8.1 Splunk Enterprise 8.2 Splunk Enterprise 9.0 Splunk Cloud Platform | 8.1.12 8.2.9 9.0.2 9.0.2208 | 8.1.11 and lower 8.2.0 to 8.2.8 9.0.0 to 9.0.1 9.0.2205 and lower | 8.1.12 8.2.9 9.0.2 9.0.2208 | Splunk Web Splunk Web Splunk Web Splunk Web | Anton (therceman) | |||||
SVD-2022-1105 | 2022-11-02 | 2022-11-02 | Risky command safeguards bypass via ‘tstats’ command JSON in Splunk Enterprise | High | CVE-2022-43565 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N | 8.1, High | CWE-20 | SPL-224121 | Splunk Enterprise 8.1 Splunk Enterprise 8.2 Splunk Enterprise 9.0 Splunk Cloud Platform | 8.1.12 8.2.9 9.0.2203 | 8.1.11 and lower 8.2.0 to 8.2.8 Not affected 9.0.2202 and lower | 8.1.12 8.2.9 9.0.2203 | Search Search Search | Cuong Dong at Splunk | |||||
SVD-2022-1104 | 2022-11-02 | 2022-11-02 | Denial of Service in Splunk Enterprise through search macros | Medium | CVE-2022-43564 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H | 4.9, Medium | CWE-400 | SPL-220964 | Splunk Enterprise 8.1 Splunk Enterprise 8.2 Splunk Enterprise 9.0 Splunk Cloud Platform | 8.1.12 8.2.9 9.0.2205 | 8.1.11 and lower 8.2.0 to 8.2.8 Not affected 9.0.2203.4 and lower | 8.1.12 8.2.9 9.0.2205 | REST API REST API REST API | ||||||
SVD-2022-1103 | 2022-11-02 | 2022-11-11 | Risky command safeguards bypass via 'rex' search command field names in Splunk Enterprise | High | CVE-2022-43563 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N | 8.1, High | CWE-20 | SPL-223646 | Splunk Enterprise 8.1 Splunk Enterprise 8.2 Splunk Enterprise 9.0 Splunk Cloud Platform | 8.1.12 8.2.9 9.0.2203 | 8.1.11 and lower 8.2.0 to 8.2.8 Not affected 9.0.2202 and lower | 8.1.12 8.2.9 9.0.2203 | Search Search Search | Cuong Dong at Splunk | |||||
SVD-2022-1102 | 2022-11-02 | 2022-11-02 | Host Header Injection in Splunk Enterprise | Low | CVE-2022-43562 | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N | 3.0, Low | CWE-20 | SPL-224156 | Splunk Enterprise 8.1 Splunk Enterprise 8.2 Splunk Enterprise 9.0 Splunk Cloud Platform | 8.1.12 8.2.9 9.0.2 9.0.2208 | 8.1.11 and lower 8.2.0 to 8.2.8 9.0.0 to 9.0.1 9.0.2205 and lower | 8.1.12 8.2.9 9.0.2 9.0.2208 | Splunk Web Splunk Web Splunk Web Splunk Web | Ali Mirheidari at Splunk | |||||
SVD-2022-1101 | 2022-11-02 | 2022-11-02 | Persistent Cross-Site Scripting in “Save Table” Dialog in Splunk Enterprise | Medium | CVE-2022-43561 | CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H | 6.4, Medium | CWE-79 | SPL-207040 | Splunk Enterprise 8.1 Splunk Enterprise 8.2 Splunk Enterprise 9.0 Splunk Cloud Platform | 8.1.12 8.2.9 9.0.2 9.0.2208 | 8.1.11 and lower 8.2.0 to 8.2.8 9.0.0 to 9.0.1 9.0.2205 and lower | 8.1.12 8.2.9 9.0.2 9.0.2208 | Splunk Web Splunk Web Splunk Web Splunk Web | Mr Hack (try_to_hack) | |||||
SVD-2022-0803 | 2022-08-16 | 2022-08-16 | Malformed ZIP file crashes Universal Forwarders and Splunk Enterprise through file monitoring input | Medium | CVE-2022-37439 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H | 5.5 | CWE-409 | TBD | Universal Forwarder 8.1 Universal Forwarder 8.2 Universal Forwarder 9.0 Splunk Enterprise 8.1 Splunk Enterprise 8.2 Splunk Enterprise 9.0 | 8.1.11 8.2.7.1 - 8.1.11 8.2.7.1 - | 8.1.10 and lower 8.2.0 to 8.2.7 Not affected 8.1.10 and lower 8.2.0 to 8.2.7 Not affected | 8.1.11 8.2.7.1 - 8.1.11 8.2.7.1 - | Monitor Processor Monitor Processor - Monitor Processor Monitor Processor - | Tim Ip at Adobe and Collegiate Penetration Testing Competition (CPTC) | |||||
SVD-2022-0802 | 2022-08-16 | 2022-08-16 | Information disclosure via the dashboard drilldown in Splunk Enterprise | Low | CVE-2022-37438 | CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N | 2.6 | CWE-200 | SPL-221531 | Splunk Enterprise 8.1 Splunk Enterprise 8.2 Splunk Enterprise 9.0 Splunk Cloud Platform | 8.1.11 8.2.7.1 9.0.1 9.0.2205 | 8.1.10 and lower 8.2.0 to 8.2.7 9.0.0 8.2.2203.4 and lower | 8.1.11 8.2.7.1 9.0.1 9.0.2205 | Splunk Web Splunk Web Splunk Web Splunk Web | Eric LaMothe at Splunk | |||||
SVD-2022-0801 | 2022-08-16 | 2022-08-16 | Ingest Actions UI in Splunk Enterprise 9.0.0 disabled TLS certificate validation | High | CVE-2022-37437 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N | 7.4 | CWE-295 | SPL-224209 | Splunk Enterprise 8.1 Splunk Enterprise 8.2 Splunk Enterprise 9.0 | - - 9.0.1 | Not affected Not affected 9.0.0 | - - 9.0.1 | - - Ingest Actions | Eric LaMothe at Splunk Ali Mirheidari at Splunk | |||||
SVD-2022-0608 | 2022-08-16 | 2022-07-18 | Splunk Enterprise deployment servers allow client publishing of forwarder bundles | Critical | CVE-2022-32158 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H | 9.0 | CWE-284 | SPL-176829 | Splunk Enterprise 8.1 Splunk Enterprise 8.2 Splunk Enterprise 9.0 | 8.1.10.1 8.2.6.1 - | Versions before 8.1.10.1 8.2.0 to 8.2.6 Not affected | 8.1.10.1 8.2.6.1 - | Deployment Server Deployment Server - | Nadim Taha at Splunk | |||||
SVD-2022-0607 | 2022-08-16 | 2022-07-18 | Splunk Enterprise deployment servers allow unauthenticated forwarder bundle downloads | High | CVE-2022-32157 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 7.5 | CWE-306 | SPL-176828 | Splunk Enterprise 9.0 | 9.0.0 | Versions before 9.0 | 9.0.0 | Deployment Server | Nadim Taha at Splunk Paul Schultze at E.ON Digital Technology GmbH Martin Müller at Consist | |||||
SVD-2022-0606 | 2022-06-14 | 2022-07-18 | Splunk Enterprise and Universal Forwarder CLI connections lacked TLS certificate validation | High | CVE-2022-32156 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N | 7.4 | CWE-295 | SPL-49451 | Splunk Enterprise 9.0 Universal Forwarder 9.0 | 9.0.0 9.0.0 | Versions before 9.0 Versions before 9.0 | 9.0.0 9.0.0 | - - | Chris Green at Splunk | |||||
SVD-2022-0605 | 2022-06-14 | 2022-06-14 | Universal Forwarder management services allow remote login by default | Info | CVE-2022-32155 | - | - | - | SPL-140396 | Universal Forwarder 9.0 | 9.0.0 | Versions before 9.0 | 9.0.0 | - | Chris Green at Splunk | |||||
SVD-2022-0604 | 2022-06-14 | 2022-07-18 | Risky commands warnings in Splunk Enterprise dashboards | Medium | CVE-2022-32154 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N | 6.8 | CWE-20 | SPL-201816 | Splunk Enterprise 9.0 Splunk Cloud Platform - | 9.0.0 8.1.2106 | Versions before 9.0 Versions before 8.1.2106 | 9.0.0 8.1.2106 | - - | Chris Green at Splunk Danylo Dmytriiev (DDV_UA) Anton (therceman) | |||||
SVD-2022-0603 | 2022-06-14 | 2022-07-18 | Splunk Enterprise lacked TLS host name certificate validation | High | CVE-2022-32153 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | 8.1 | CWE-297 | SPL-202894 | Splunk Enterprise 9.0 Splunk Cloud Platform - | 9.0.0 8.2.2203 | Versions before 9.0 Versions before 8.2.2203 | 9.0.0 8.2.2203 | - - | Chris Green at Splunk | |||||
SVD-2022-0602 | 2022-06-14 | 2022-07-18 | Splunk Enterprise lacked TLS certificate validation for Splunk-to-Splunk communication by default | High | CVE-2022-32152 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | 8.1 | CWE-295 | SPL-114067, SPL-138957 | Splunk Enterprise 9.0 Splunk Cloud Platform - | 9.0.0 8.2.2203 | Versions before 9.0 Versions before 8.2.2203 | 9.0.0 8.2.2203 | - - | Chris Green at Splunk | |||||
SVD-2022-0601 | 2022-06-14 | 2022-07-18 | Splunk Enterprise disabled TLS validation using the CA certificate stores in Python 3 libraries by default | High | CVE-2022-32151 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N | 7.4 | CWE-295 | SPL-173641, SPL-129677 | Splunk Enterprise 9.0 Splunk Cloud Platform - | 9.0.0 8.2.2203 | Versions before 9.0 Versions before 8.2.2203 | 9.0.0 8.2.2203 | - - | Chris Green at Splunk | |||||
SVD-2022-0507 | 2022-05-03 | 2022-05-03 | Error message discloses internal path | Medium | CVE-2022-26070 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N | 4.3 | CWE-200 | SPL-180503 | Splunk Enterprise 8.1 | 8.1.0 | Versions below 8.1 | 8.1.0 | Splunk Web | Dipak Prajapati (Lethal) | |||||
SVD-2022-0506 | 2022-05-03 | 2022-05-03 | Path Traversal in search parameter results in external content injection | High | CVE-2022-26889 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 8.8 | CWE-20 | SPL-197247 | Splunk Enterprise 8.1 Splunk Enterprise 8.2 | 8.1.2 - | 8.1.1 and earlier Not affected | 8.1.2 - | Splunk Web - | Jason Tsang Mui Chung | |||||
SVD-2022-0505 | 2022-05-03 | 2022-05-03 | Reflected XSS in a query parameter of the Monitoring Console | High | CVE-2022-27183 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 8.8 | CWE-79 | SPL-201205 | Splunk Enterprise 8.1 Splunk Enterprise 8.2 | 8.1.4 - | 8.1.3 and earlier Not affected | 8.1.4 - | Splunk Monitoring Console - | Danylo Dmytriiev (DDV_UA) | |||||
SVD-2022-0504 | 2022-05-03 | 2022-05-03 | Bypass of Splunk Enterprise's implementation of DUO MFA | High | CVE-2021-26253 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | 8.1 | CWE-287 | SPL-172887 | Splunk Enterprise 8.1 Splunk Enterprise 8.2 | 8.1.6 - | 8.1.5 and earlier Not affected | 8.1.6 - | - - | Sanket Bhimani | |||||
SVD-2022-0503 | 2022-05-03 | 2022-05-03 | S2S TcpToken authentication bypass | High | CVE-2021-31559 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N | 7.5 | CWE-288 | SPL-203370 | Splunk Enterprise 8.1 Splunk Enterprise 8.2 | 8.1.5 8.2.1 | 8.1.4 and earlier 8.2.0 | 8.1.5 8.2.1 | - - | Chris Samley at GE | |||||
SVD-2022-0502 | 2022-05-03 | 2022-05-03 | Username enumeration through lockout message in REST API | Medium | CVE-2021-33845 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | 5.3 | CWE-203 | SPL-194168 | Splunk Enterprise 8.1 Splunk Enterprise 8.2 | 8.1.7 - | 8.1.6 and earlier Not affected | 8.1.7 - | - - | Kyle Bambrick at Splunk | |||||
SVD-2022-0501 | 2022-05-03 | 2022-05-03 | Local privilege escalation via a default path in Splunk Enterprise Windows | High | CVE-2021-42743 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H | 8.8 | CWE-427 | SPL-195186 | Splunk Enterprise 8.1 Splunk Enterprise 8.2 | 8.1.1 - | 8.1.0 and earlier Not affected | 8.1.1 - | - - | ||||||
SVD-2022-0301 | 2022-03-24 | 2022-05-03 | Indexer denial-of-service via malformed S2S request | High | CVE-2021-3422 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 7.5 | CWE-125 | SPL-198396 | Splunk Enterprise 7.3 Splunk Enterprise 8.0 Splunk Enterprise 8.1 Splunk Enterprise 8.2 | 7.3.9 8.0.9 8.1.3 - | 7.3.8 and earlier 8.0.0 to 8.0.8 8.1.0 to 8.1.2 Not affected | 7.3.9 8.0.9 8.1.3 - | - - - - | Sharon Brizinov and Tal Keren of Claroty |
Third-Party Bulletins
Third-Party Bulletins announce security patches for third-party software. Splunk publishes Third-Party Bulletins at the same time as Security Advisories.
SVD | Date | Last Modified | Title | Severity | CVE | CVSS Vector | CVSS Score | CWE | Bug | Affected Products | Fixed Versions | Affected Versions | All Affected Versions | Affected Components | Description | Solution | Mitigations | Severity Summary | OSS | Credit |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
SVD-2023-1107 | 2023-11-16 | 2023-11-20 | November 2023 Splunk Universal Forwarder Third-Party Updates | - | - | - | - | - | Splunk Universal Forwarder 9.0 Splunk Universal Forwarder 9.1 | 9.0.7 9.1.2 | 9.0.0 to 9.0.6 9.1.0 to 9.1.1 | 9.0.7 9.1.2 | - - | Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk Universal Forwarder, including the following: | For Splunk Universal Forwarder, upgrade versions to 9.0.7 or 9.1.2. | N/A | For the CVEs in this list, Splunk adopted the national vulnerability database (NVD) common vulnerability scoring system (CVSS) rating to align with industry standards. | CVE-2022-31799 - bottle - Upgraded to 0.12.25 - CVE-2023-24329 - python - Upgraded to 3.7.17 - CVE-2023-3817 - openssl - Upgraded to 1.0.2zi - CVE-2023-3446 - openssl - Upgraded to 1.0.2zi - | ||
SVD-2023-1106 | 2023-11-16 | 2023-11-16 | November 2023 Third-Party Package Updates in Splunk Enterprise | - | - | - | - | - | Splunk Cloud - | 9.1.2308 | Below 9.1.2308 | 9.1.2308 | Splunk Web | Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in version 9.1.2308 of Splunk Enterprise Cloud. | Splunk is actively upgrading and monitoring instances of Splunk Enterprise Cloud. | N/A | For the CVEs in this list, Splunk adopted the national vulnerability database (NVD) common vulnerability scoring system (CVSS) rating to align with industry standards. | CVE-2022-31799 - bottle - Upgraded to 0.12.25 - CVE-2023-24329 - python - Upgraded to 3.7.17 - CVE-2023-3817 - openssl - Upgraded to 1.0.2zi - CVE-2023-3446 - openssl - Upgraded to 1.0.2zi - | ||
SVD-2023-1105 | 2023-11-16 | 2023-11-16 | November 2023 Third Party Package updates in Splunk Enterprise | - | - | - | - | - | Splunk Enterprise 9.0 Splunk Enterprise 9.1 | 9.0.7 9.1.2 | 9.0.0 to 9.0.6 9.1.0 to 9.1.1 | 9.0.7 9.1.2 | Splunk Web Splunk Web | Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk Enterprise, including the following: | For Splunk Enterprise, upgrade versions to 9.0.7 or 9.1.2. | N/A | For the CVEs in this list, Splunk adopted the national vulnerability database (NVD) common vulnerability scoring system (CVSS) rating to align with industry standards. | CVE-2021-22570 - protobuf - Upgraded to 3.15.8 - CVE-2022-31799 - bottle - Upgraded to 0.12.25 - CVE-2023-24329 - python - Upgraded to 3.7.17 - CVE-2023-3817 - openssl - Upgraded to 1.0.2zi - CVE-2023-3446 - openssl - Upgraded to 1.0.2zi - | ||
SVD-2023-1102 | 2023-11-16 | 2023-11-16 | Third Party Package Update in Splunk Add-on for Google Cloud Platform | Critical | - | - | - | - | Splunk Add-on for Google Cloud Platform - | 4.3.0 | Below 4.3.0 | 4.3.0 | - | Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in version 4.3.0 of Splunk Add-on for Google Cloud Platform. | For Splunk Add-on for Google Cloud Platform, upgrade versions to 4.3.0 or higher. | N/A | For the CVEs in this list, Splunk adopted the national vulnerability database (NVD) common vulnerability scoring system (CVSS) rating to align with industry standards. | CVE-2023-37920 - certifi - Upgraded to 2023.7.22 - Critical CVE-2023-45803 - urllib3 - Upgraded to 1.26.18 - Medium CVE-2023-43804 - urllib3 - Upgraded to 1.26.18 - High CVE-2023-44270 - postcss - Upgraded to 8.4.31 - Medium CVE-2022-25883 - semver - Upgraded to 6.3.1 and 7.5.4 - High | ||
SVD-2023-1101 | 2023-11-16 | 2023-11-16 | Third Party Package Update in Splunk Add-on for Amazon Web Services | Critical | - | - | - | - | Splunk Add-on for Amazon Web Services - | 7.2.0 | Below 7.2.0 | 7.2.0 | - | Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in version 7.2.0 of Splunk Add-on for Amazon Web Services, including the following: | Upgrade the Splunk Add-on for Amazon Web Services to version 7.2.0 or higher. | N/A | For the CVEs in this list, Splunk adopted the national vulnerability database (NVD) common vulnerability scoring system (CVSS) rating to align with industry standards. | CVE-2023-37920 - certifi - Upgraded to 2023.7.22 - Critical | ||
SVD-2023-1001 | 2023-10-06 | 2023-10-06 | Splunk Statement on CVE-2023-4863 libwebp Vulnerability | Informational | - | - | - | - | In early September 2023, Google disclosed a High-rated vulnerability, CVE-2023-4863, that affects Google Chrome and the libwebp library, which is part of the WebP image codec. Splunk has determined that CVE-2023-4863 does not affect Splunk products. If you have a product in your environment that CVE-2023-4863 does affect, upgrade the product per the recommendations from the product vendor. | None. CVE-2023-4863 does _not_ affect Splunk products. | None | Informational | CVE-2023-4863 - libwebp - Not affected - Informational | |||||||
SVD-2023-0811 | 2023-08-30 | 2023-08-30 | Third Party Package Updates in IT Service Intelligence (ITSI) | High | - | - | - | - | Splunk ITSI 4.15 Splunk ITSI 4.13 | 4.15.3 4.13.3 | 4.15.0 to 4.15.2 4.13.0 to 4.13.2 | 4.15.3 4.13.3 | - - | Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk IT Service Intelligence (ITSI), including the following: | For Splunk IT Service Intelligence (ITSI), upgrade versions to 4.13.3 or 4.15.3 | N/A | For the CVEs in this list, Splunk adopted the national vulnerability database (NVD) common vulnerability scoring system (CVSS) rating to align with industry standards. | CVE-2023-2976 - guava - Upgraded to 32.0.0 - High | ||
SVD-2023-0809 | 2023-08-30 | 2023-08-30 | August Third Party Package Updates in Splunk Universal Forwarder | High | - | - | - | - | Universal Forwarder 8.2 Universal Forwarder 9.0 Universal Forwarder 9.1 | 8.2.12 9.0.6 9.1.1 | 8.2.0 to 8.2.11 9.0.0 to 9.0.5 9.1.0 | 8.2.12 9.0.6 9.1.1 | - - - | Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk Universal Forwarder, including the following: | For Splunk Universal Forwarder, upgrade versions to 8.2.12, 9.0.6, or 9.1.1 | N/A | For the CVEs in this list, Splunk adopted the national vulnerability database (NVD) common vulnerability scoring system (CVSS) rating to align with industry standards. | CVE-2021-30560 - libxslt - Patched - High CVE-2021-30560 - libxslt - Patched - High CVE-2023-27538 - curl - Upgraded to 8.0.1 - Medium CVE-2023-27537 - curl - Upgraded to 8.0.1 - Medium CVE-2023-27536 - curl - Upgraded to 8.0.1 - Medium CVE-2023-27535 - curl - Upgraded to 8.0.1 - Medium CVE-2023-27534 - curl - Upgraded to 8.0.1 - High CVE-2023-27533 - curl - Upgraded to 8.0.1 - High CVE-2023-23916 - curl - Upgraded to 8.0.1 - Medium CVE-2023-23915 - curl - Upgraded to 8.0.1 - Medium CVE-2023-23914 - curl - Upgraded to 8.0.1 - Critical CVE-2022-43552 - curl - Upgraded to 8.0.1 - Medium CVE-2022-43551 - curl - Upgraded to 8.0.1 - High CVE-2022-42916 - curl - Upgraded to 8.0.1 - High CVE-2022-42915 - curl - Upgraded to 8.0.1 - High CVE-2022-35260 - curl - Upgraded to 8.0.1 - Medium CVE-2022-32221 - curl - Upgraded to 8.0.1 - Critical CVE-2022-35252 - curl - Upgraded to 8.0.1 - Low CVE-2022-32208 - curl - Upgraded to 8.0.1 - Medium CVE-2022-32207 - curl - Upgraded to 8.0.1 - Critical CVE-2022-32206 - curl - Upgraded to 8.0.1 - Medium CVE-2022-32205 - curl - Upgraded to 8.0.1 - Medium CVE-2022-30115 - curl - Upgraded to 8.0.1 - Medium CVE-2022-27782 - curl - Upgraded to 8.0.1 - High CVE-2022-27781 - curl - Upgraded to 8.0.1 - High CVE-2022-27780 - curl - Upgraded to 8.0.1 - High 
CVE-2022-27779 - curl - Upgraded to 8.0.1 - Medium CVE-2022-27778 - curl - Upgraded to 8.0.1 - High CVE-2022-27776 - curl - Upgraded to 8.0.1 - Medium CVE-2022-27775 - curl - Upgraded to 8.0.1 - High CVE-2022-27774 - curl - Upgraded to 8.0.1 - Medium CVE-2022-22576 - curl - Upgraded to 8.0.1 - High CVE-2021-22947 - curl - Upgraded to 8.0.1 - Medium CVE-2021-22946 - curl - Upgraded to 8.0.1 - High CVE-2021-22945 - curl - Upgraded to 8.0.1 - Critical CVE-2021-22926 - curl - Upgraded to 8.0.1 - High CVE-2021-22925 - curl - Upgraded to 8.0.1 - Medium CVE-2021-22924 - curl - Upgraded to 8.0.1 - Low CVE-2021-22923 - curl - Upgraded to 8.0.1 - Medium CVE-2021-22922 - curl - Upgraded to 8.0.1 - Medium CVE-2021-22901 - curl - Upgraded to 8.0.1 - High CVE-2021-22898 - curl - Upgraded to 8.0.1 - Low CVE-2021-22897 - curl - Upgraded to 8.0.1 - Medium CVE-2021-22890 - curl - Upgraded to 8.0.1 - Low CVE-2021-22876 - curl - Upgraded to 8.0.1 - Medium CVE-2020-8286 - curl - Upgraded to 8.0.1 - High CVE-2020-8285 - curl - Upgraded to 8.0.1 - High CVE-2020-8284 - curl - Upgraded to 8.0.1 - Low CVE-2020-8231 - curl - Upgraded to 8.0.1 - High CVE-2020-8177 - curl - Upgraded to 8.0.1 - High CVE-2020-8169 - curl - Upgraded to 8.0.1 - High CVE-2022-36227 - libarchive - Upgraded to 3.6.2 - Critical CVE-2021-31566 - libarchive - Upgraded to 3.6.2 - High CVE-2021-36976 - libarchive - Upgraded to 3.6.2 - Medium CVE-2021-3520 - lz4 - Upgraded to 1.9.4 - Critical CVE-2020-14155 - pcre2 - Upgraded to 10.40 - Medium CVE-2019-20454 - pcre2 - Upgraded to 10.40 - High CVE-2019-20838 - pcre2 - Upgraded to 10.40 - High CVE-2020-14155 - pcre2 - Upgraded to 10.40 - Medium CVE-2019-20454 - pcre2 - Upgraded to 10.40 - High CVE-2019-20838 - pcre2 - Upgraded to 10.40 - High CVE-2022-35737 - sqlite - Upgraded to 3.41.2 - High | ||
SVD-2023-0808 | 2023-08-30 | 2023-11-16 | August 2023 Third Party Package Updates in Splunk Enterprise | High | - | - | - | - | Splunk Enterprise 8.2 Splunk Enterprise 9.0 Splunk Enterprise 9.1 | 8.2.12 9.0.6 9.1.1 | 8.2.0 to 8.2.11 9.0.0 to 9.0.5 9.1.0 | 8.2.12 9.0.6 9.1.1 | - - - | Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk Enterprise, including the following: | For Splunk Enterprise, upgrade versions to 8.2.12, 9.0.6, or 9.1.1 | N/A | For the CVEs in this list, Splunk adopted the national vulnerability database (NVD) common vulnerability scoring system (CVSS) rating to align with industry standards. | CVE-2022-38900 - decode-uri-component - Upgraded to 6.0.0 - High CVE-2022-33987 - got - Upgraded to 12.5.3 - Medium CVE-2022-37601 - loader-utils - Upgraded to 1.4.2 - Critical CVE-2021-23382 - postcss - Upgraded to 7.0.37 - High CVE-2021-29060 - color-string - Upgraded to 1.5.5 - Medium CVE-2022-38900 - decode-uri-component - Upgraded to 0.2.1 - High CVE-2020-28469 - glob-parent - Upgraded to 5.1.2 - High CVE-2022-37599 - loader-utils - Upgraded to 2.0.4 - High CVE-2022-37601 - loader-utils - Upgraded to 2.0.4 - Critical CVE-2022-37603 - loader-utils - Upgraded to 2.0.4 - High CVE-2022-3517 - minimatch - Upgraded to 3.0.5 - High CVE-2022-31129 - moment - Upgraded to 2.29.4 - High CVE-2021-3803 - nth-check - Upgraded to 2.0.1 - High CVE-2021-23343 - path-parse - Upgraded to 1.0.7 - High CVE-2022-24999 - qs - Upgraded to 6.5.3 - High CVE-2022-25881 - http-cache-semantics - Upgraded to 4.1.1 - High CVE-2022-42003 - jackson-databind - Upgraded to 2.13.5 - High CVE-2022-42004 - jackson-databind - Upgraded to 2.13.5 - High CVE-2021-41182 - jquery-ui - Upgraded to 1.13.2 - Medium CVE-2021-41183 - jquery-ui - Upgraded to 1.13.2 - Medium CVE-2021-41184 - jquery-ui - Upgraded to 1.13.2 - Medium CVE-2022-46175 - json5 - Upgraded to 1.0.2 - High CVE-2022-36227 - libarchive - Upgraded to 3.6.2 - Critical CVE-2021-31566 - 
libarchive - Upgraded to 3.6.2 - High CVE-2021-36976 - libarchive - Upgraded to 3.6.2 - Medium CVE-2021-3520 - lz4 - Upgraded to 1.9.4 - Critical CVE-2022-40023 - mako - Patched - High CVE-2022-40023 - mako - Upgraded to 1.2.4 - High CVE-2020-14155 - pcre2 - Upgraded to 10.40 - Medium CVE-2019-20454 - pcre2 - Upgraded to 10.40 - High CVE-2019-20838 - pcre2 - Upgraded to 10.40 - High CVE-2022-35737 - sqlite - Upgraded to 3.41.2 - High Multiple - curl - Upgraded to 8.0.1 - High Multiple - go - Updated golang in mongotools - Critical | ||
SVD-2023-0701 | 2023-07-17 | 2023-07-17 | Splunk SOAR Cryptography Python Package Upgrade Incompatibility | Informational | - | - | - | - | Splunk SOAR (On-premises) 6.1 Splunk SOAR (Cloud) 6.1 | 6.1.1 6.1.1 | 6.1.1 and above 6.1.1 and above | 6.1.1 6.1.1 | Custom Apps Custom Apps | In Splunk Security Orchestration, Automation and Response (SOAR) version 6.1.1, Splunk upgraded the Python cryptography library within the app to version 41.0.1. This version of the cryptography library may cause Python module import problems during execution, if a specific version of the library is used for a custom app. The problem occurs when the cryptography library that you specify as a dependency for your custom app is a version that is lower than or equal to version 39.0.1. | To address the incompatibility, specify a version of the library package on your custom app dependency to a version that is higher than 39.0.1. For more information on how to create a custom app using the SOAR App Wizard, see [Create an app with the App Wizard](https://docs.splunk.com/Documentation/SOAR/current/DevelopApps/CreateAnAppWithTheAppEditor) in the Splunk SOAR documentation. | N/A | N/A | CVE-2023-23931 - Cryptography, Python - Upgraded to 41.0.1 - Medium CVE-2023-0286 - Cryptography, Python - Upgraded to 41.0.1 - High | ||
SVD-2023-0615 | 2023-06-01 | 2023-06-01 | June Third Party Package Updates in Splunk Cloud | High | - | - | - | - | Splunk Cloud | 9.0.2303.100 | 9.0.2303 and lower | 9.0.2303.100 | - | Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk Cloud, including the following: | For Splunk Cloud Platform, Splunk is actively patching and monitoring the Splunk Cloud instances. | N/A | For the CVEs listed above, Splunk adopted the national vulnerability database (NVD) CVSS rating to align with industry standards. | CVE-2022-40303 - libxml2 - Patched - High CVE-2022-40304 - libxml2 - Patched - High CVE-2022-23491 - certifi - Upgraded to 2022.12.7 - High CVE-2022-43680 - python3 - Upgraded to 3.7.16 - High CVE-2023-0286 - OpenSSL 1.0.2 - Upgraded to 1.0.2zg - High CVE-2023-0215 - OpenSSL 1.0.2 - Upgraded to 1.0.2zg - High CVE-2022-4304 - OpenSSL 1.0.2 - Upgraded to 1.0.2zg - Medium CVE-2022-33987 - got - Upgraded to 12.5.3 - Medium | ||
SVD-2023-0614 | 2023-06-01 | 2023-06-01 | June Third Party Package Updates in Splunk Universal Forwarders | Critical | - | - | - | - | Universal Forwarders 8.1 Universal Forwarders 8.2 Universal Forwarders 9.0 | 8.1.14 8.2.11 9.0.5 | 8.1.13 and Lower 8.2.0 to 8.2.10 9.0.0 to 9.0.4 | 8.1.14 8.2.11 9.0.5 | - - - | Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in versions 8.1.14, 8.2.11, and 9.0.5 of Splunk Universal Forwarder, including the following: | For Splunk Universal Forwarder, upgrade versions to 8.1.14, 8.2.11, 9.0.5, or higher. | N/A | For the CVEs listed above, Splunk adopted the national vulnerability database (NVD) CVSS rating to align with industry standards. | CVE-2022-40303 - libxml2 - Patched - High CVE-2022-40304 - libxml2 - Patched - High CVE-2023-0286 - OpenSSL 1.0.2 - Upgraded to 1.0.2zg - High CVE-2023-0215 - OpenSSL 1.0.2 - Upgraded to 1.0.2zg - High CVE-2022-4304 - OpenSSL 1.0.2 - Upgraded to 1.0.2zg - Medium CVE-2023-27538 - curl - Upgraded to 8.0.1 - Medium CVE-2023-27537 - curl - Upgraded to 8.0.1 - Medium CVE-2023-27536 - curl - Upgraded to 8.0.1 - Critical CVE-2023-27535 - curl - Upgraded to 8.0.1 - High CVE-2023-27534 - curl - Upgraded to 8.0.1 - High CVE-2023-27533 - curl - Upgraded to 8.0.1 - High CVE-2023-23916 - curl - Upgraded to 8.0.1 - Medium CVE-2023-23915 - curl - Upgraded to 8.0.1 - Medium CVE-2023-23914 - curl - Upgraded to 8.0.1 - Critical CVE-2022-43552 - curl - Upgraded to 8.0.1 - Medium CVE-2022-43551 - curl - Upgraded to 8.0.1 - High CVE-2022-42916 - curl - Upgraded to 8.0.1 - High CVE-2022-42915 - curl - Upgraded to 8.0.1 - Critical CVE-2022-35260 - curl - Upgraded to 8.0.1 - Medium CVE-2022-32221 - curl - Upgraded to 8.0.1 - Critical CVE-2022-35252 - curl - Upgraded to 8.0.1 - Low CVE-2022-32208 - curl - Upgraded to 8.0.1 - Medium CVE-2022-32207 - curl - Upgraded to 8.0.1 - Critical CVE-2022-32206 - curl - Upgraded to 8.0.1 - Medium CVE-2022-32205 - curl - Upgraded to 8.0.1 - Medium 
CVE-2022-30115 - curl - Upgraded to 8.0.1 - Medium CVE-2022-27782 - curl - Upgraded to 8.0.1 - High CVE-2022-27781 - curl - Upgraded to 8.0.1 - High CVE-2022-27780 - curl - Upgraded to 8.0.1 - High CVE-2022-27779 - curl - Upgraded to 8.0.1 - Medium CVE-2022-27778 - curl - Upgraded to 8.0.1 - High CVE-2022-27776 - curl - Upgraded to 8.0.1 - Medium CVE-2022-27775 - curl - Upgraded to 8.0.1 - High CVE-2022-27774 - curl - Upgraded to 8.0.1 - Medium CVE-2022-22576 - curl - Upgraded to 8.0.1 - High CVE-2021-22947 - curl - Upgraded to 8.0.1 - Medium CVE-2021-22946 - curl - Upgraded to 8.0.1 - High CVE-2021-22945 - curl - Upgraded to 8.0.1 - Critical CVE-2021-22926 - curl - Upgraded to 8.0.1 - High CVE-2021-22925 - curl - Upgraded to 8.0.1 - Medium CVE-2021-22924 - curl - Upgraded to 8.0.1 - Low CVE-2021-22923 - curl - Upgraded to 8.0.1 - Medium CVE-2021-22922 - curl - Upgraded to 8.0.1 - Medium CVE-2021-22901 - curl - Upgraded to 8.0.1 - High CVE-2021-22898 - curl - Upgraded to 8.0.1 - Low CVE-2021-22897 - curl - Upgraded to 8.0.1 - Medium CVE-2021-22890 - curl - Upgraded to 8.0.1 - Low CVE-2021-22876 - curl - Upgraded to 8.0.1 - Medium CVE-2020-8286 - curl - Upgraded to 8.0.1 - High CVE-2020-8285 - curl - Upgraded to 8.0.1 - High CVE-2020-8284 - curl - Upgraded to 8.0.1 - Low CVE-2020-8231 - curl - Upgraded to 8.0.1 - High CVE-2020-8177 - curl - Upgraded to 8.0.1 - High CVE-2020-8169 - curl - Upgraded to 8.0.1 - High CVE-2022-36227 - libarchive - Upgraded to 3.6.2 - Critical CVE-2021-31566 - libarchive - Upgraded to 3.6.2 - High CVE-2021-36976 - libarchive - Upgraded to 3.6.2 - Medium CVE-2021-3520 - lz4 - Upgraded to 1.9.4 - Critical CVE-2022-35737 - SQLite - Upgraded to 3.41.2 - High CVE-2018-25032 - zlib - Applied patch - High CVE-2022-37434 - zlib - Applied patch - Critical | ||
SVD-2023-0613 | 2023-06-01 | 2023-06-01 | June Third Party Package Updates in Splunk Enterprise | High | - | - | - | - | Splunk Enterprise 8.1 Splunk Enterprise 8.2 Splunk Enterprise 9.0 | 8.1.14 8.2.11 9.0.5 | 8.1.13 and Lower 8.2.0 to 8.2.10 9.0.0 to 9.0.4 | 8.1.14 8.2.11 9.0.5 | - - - | Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in versions 8.1.14, 8.2.11, and 9.0.5 of Splunk Enterprise, including the following: | For Splunk Enterprise, upgrade versions to 8.1.14, 8.2.11, 9.0.5, or higher. | N/A | For the CVEs listed above, Splunk adopted the national vulnerability database (NVD) CVSS rating to align with industry standards. | CVE-2022-40303 - libxml2 - Patched - High CVE-2022-40304 - libxml2 - Patched - High CVE-2023-0286 - OpenSSL 1.0.2 - Upgraded to 1.0.2zg - High CVE-2023-0215 - OpenSSL 1.0.2 - Upgraded to 1.0.2zg - High CVE-2022-4304 - OpenSSL 1.0.2 - Upgraded to 1.0.2zg - Medium CVE-2023-27538 - curl - Upgraded to 8.0.1 - Medium CVE-2023-27537 - curl - Upgraded to 8.0.1 - Medium CVE-2023-27536 - curl - Upgraded to 8.0.1 - Critical CVE-2023-27535 - curl - Upgraded to 8.0.1 - High CVE-2023-27534 - curl - Upgraded to 8.0.1 - High CVE-2023-27533 - curl - Upgraded to 8.0.1 - High CVE-2023-23916 - curl - Upgraded to 8.0.1 - Medium CVE-2023-23915 - curl - Upgraded to 8.0.1 - Medium CVE-2023-23914 - curl - Upgraded to 8.0.1 - Critical CVE-2022-43552 - curl - Upgraded to 8.0.1 - Medium CVE-2022-43551 - curl - Upgraded to 8.0.1 - High CVE-2022-42916 - curl - Upgraded to 8.0.1 - High CVE-2022-42915 - curl - Upgraded to 8.0.1 - Critical CVE-2022-35260 - curl - Upgraded to 8.0.1 - Medium CVE-2022-32221 - curl - Upgraded to 8.0.1 - Critical CVE-2022-35252 - curl - Upgraded to 8.0.1 - Low CVE-2022-32208 - curl - Upgraded to 8.0.1 - Medium CVE-2022-32207 - curl - Upgraded to 8.0.1 - Critical CVE-2022-32206 - curl - Upgraded to 8.0.1 - Medium CVE-2022-32205 - curl - Upgraded to 8.0.1 - Medium CVE-2022-30115 - curl - Upgraded to 
8.0.1 - Medium CVE-2022-27782 - curl - Upgraded to 8.0.1 - High CVE-2022-27781 - curl - Upgraded to 8.0.1 - High CVE-2022-27780 - curl - Upgraded to 8.0.1 - High CVE-2022-27779 - curl - Upgraded to 8.0.1 - Medium CVE-2022-27778 - curl - Upgraded to 8.0.1 - High CVE-2022-27776 - curl - Upgraded to 8.0.1 - Medium CVE-2022-27775 - curl - Upgraded to 8.0.1 - High CVE-2022-27774 - curl - Upgraded to 8.0.1 - Medium CVE-2022-22576 - curl - Upgraded to 8.0.1 - High CVE-2021-22947 - curl - Upgraded to 8.0.1 - Medium CVE-2021-22946 - curl - Upgraded to 8.0.1 - High CVE-2021-22945 - curl - Upgraded to 8.0.1 - Critical CVE-2021-22926 - curl - Upgraded to 8.0.1 - High CVE-2021-22925 - curl - Upgraded to 8.0.1 - Medium CVE-2021-22924 - curl - Upgraded to 8.0.1 - Low CVE-2021-22923 - curl - Upgraded to 8.0.1 - Medium CVE-2021-22922 - curl - Upgraded to 8.0.1 - Medium CVE-2021-22901 - curl - Upgraded to 8.0.1 - High CVE-2021-22898 - curl - Upgraded to 8.0.1 - Low CVE-2021-22897 - curl - Upgraded to 8.0.1 - Medium CVE-2021-22890 - curl - Upgraded to 8.0.1 - Low CVE-2021-22876 - curl - Upgraded to 8.0.1 - Medium CVE-2020-8286 - curl - Upgraded to 8.0.1 - High CVE-2020-8285 - curl - Upgraded to 8.0.1 - High CVE-2020-8284 - curl - Upgraded to 8.0.1 - Low CVE-2020-8231 - curl - Upgraded to 8.0.1 - High CVE-2020-8177 - curl - Upgraded to 8.0.1 - High CVE-2020-8169 - curl - Upgraded to 8.0.1 - High CVE-2022-36227 - libarchive - Upgraded to 3.6.2 - Critical CVE-2021-31566 - libarchive - Upgraded to 3.6.2 - High CVE-2021-36976 - libarchive - Upgraded to 3.6.2 - Medium CVE-2021-3520 - lz4 - Upgraded to 1.9.4 - Critical CVE-2022-35737 - SQLite - Upgraded to 3.41.2 - High CVE-2018-25032 - zlib - Applied patch - High CVE-2022-37434 - zlib - Applied patch - Critical CVE-2020-15138 - prismjs - Upgraded to 1.2.9 - High CVE-2022-37616 - xmldom - Upgraded to 0.7.9 - Critical CVE-2022-23491 - certifi - Upgraded to 2022.12.7 - High CVE-2021-29060 - color-string - Upgraded to 1.5.5 - Medium 
CVE-2022-38900 - decode-uri-component - Upgraded to 0.2.1 - High CVE-2020-28469 - glob-parent - Upgraded to 5.1.2 - High CVE-2022-46175 - json5 - Upgraded to 1.0.2 - High CVE-2022-46175 - json5 - Upgraded to 2.2.3 - High CVE-2022-37599 - loader-utils - Upgraded to 2.0.4 - High CVE-2022-37601 - loader-utils - Upgraded to 2.0.4 - Critical CVE-2022-37603 - loader-utils - Upgraded to 2.0.4 - High CVE-2022-3517 - minimatch - Upgraded to 3.0.5 - High CVE-2022-31129 - moment - Upgraded to 2.29.4 - High CVE-2021-23343 - path-parse - Upgraded to 1.0.7 - High CVE-2021-23368 - postcss - Upgraded to 7.0.36 - Medium CVE-2021-23382 - postcss - Upgraded to 7.0.36 - High CVE-2022-43680 - python3 - Upgraded to 3.7.16 - High CVE-2022-24999 - qs - Upgraded to 6.5.3 - High CVE-2020-7753 - ssri - Upgraded to 6.0.2 - High CVE-2022-25858 - terser - Upgraded to 4.8.1 - High CVE-2021-3803 - nth-check - Upgraded to 2.0.1 - High CVE-2020-7753 - trim - Upgraded to 0.0.3 - High CVE-2021-33587 - css-what - Upgraded to 5.0.1 - High CVE-2020-8116 - dot-prop - Upgraded to 4.2.1 - High CVE-2020-13822 - elliptic - Upgraded to 6.5.4 - High CVE-2022-33987 - got - Upgraded to 12.5.3 - Medium CVE-2022-4200 - jackson-databind - Upgraded to 2.13.5 - Medium CVE-2022-42004 - jackson-databind - Upgraded to 2.13.5 - High CVE-2023-1370 - json-smart - Upgraded to 2.4.9 - High CVE-2019-20149 - kind-of - Upgraded to 6.0.3 - High CVE-2022-37601 - loader-utils - Upgraded to 1.4.2 - Critical CVE-2022-37601 - loader-utils - Upgraded to 2.0.4 - Critical CVE-2020-8203 - lodash - Upgraded to 4.17.21 - High CVE-2019-10744 - lodash-es - Upgraded to 4.17.21 - Critical CVE-2022-40023 - mako - Upgraded to 1.2.4 - High CVE-2019-10746 - mixin-deep - Upgraded to 1.3.2 - Critical CVE-2021-23382 - postcss - Upgraded to 7.0.37 - High CVE-2021-33502 - normalize-url - Upgraded to 6.1.0 - High CVE-2021-27292 - ua-parser-js - Upgraded to 0.7.35 - High CVE-2021-33503 - urllib3 - Upgraded to 1.26.6 - High CVE-2020-7662 - 
websocket-extensions - Upgraded to 0.1.4 - High CVE-2020-7774 - y18n - Upgraded to 4.0.3 - Critical CVE-2022-23806 - go, crypto/elliptic - Upgraded go to 1.2 - Critical CVE-2022-23772 - go, math/big - Upgraded go to 1.2 - High CVE-2021-43565 - go, x/crypto - Upgraded go to 1.2 - High CVE-2022-30580 - go, os/exec - Upgraded go to 1.2 - High CVE-2022-30633 - go, encoding/xml - Upgraded go to 1.2 - High CVE-2022-28131 - go, encoding/xml - Upgraded go to 1.2 - High CVE-2022-30632 - go, path/filepath - Upgraded go to 1.2 - High CVE-2022-41716 - go - Upgraded go to 1.2 - High CVE-2022-28327 - go, crypto/elliptic - Upgraded go to 1.2 - High CVE-2022-24921 - go - Upgraded go to 1.2 - High CVE-2022-30630 - go, io/fs - Upgraded go to 1.2 - High CVE-2022-27191 - go, crypto/ssh - Upgraded go to 1.2 - High CVE-2022-23773 - go, cmd/go - Upgraded go to 1.2 - High CVE-2022-30634 - go, crypto/rand - Upgraded go to 1.2 - High CVE-2022-41715 - go - Upgraded go to 1.2 - High CVE-2022-24675 - go, encoding/pem - Upgraded go to 1.2 - High CVE-2022-41720 - go - Upgraded go to 1.2 - High CVE-2022-27664 - go, net/http - Upgraded go to 1.2 - High CVE-2022-2880 - go, net/http - Upgraded go to 1.2 - High CVE-2022-29804 - go, path/filepath - Upgraded go to 1.2 - High CVE-2022-32189 - go, math/big - Upgraded go to 1.2 - High CVE-2022-30635 - go, encoding/gob - Upgraded go to 1.2 - High CVE-2022-30631 - go, compress/gzip - Upgraded go to 1.2 - High CVE-2022-2879 - go - Upgraded go to 1.2 - High CVE-2022-1705 - go, net/http - Upgraded go to 1.2 - Medium CVE-2022-1962 - go, go/parse - Upgraded go to 1.2 - Medium CVE-2022-29526 - go, sys - Upgraded go to 1.2 - Medium CVE-2022-32148 - go, net/http - Upgraded go to 1.2 - Medium CVE-2022-30629 - go, crypto/tls - Upgraded go to 1.2 - Low CVE-2017-16042 - Growl - Upgraded to 1.10.5 - Critical CVE-2021-20095 - Babel - Upgraded to 2.9.1 - Medium | ||
SVD-2023-0215 | 2023-02-14 | 2023-02-14 | February Third Party Package Updates in Splunk Enterprise | High | - | - | - | - | Splunk Enterprise 8.1 Splunk Enterprise 8.2 Splunk Enterprise 9.0 Splunk Cloud Platform - | 8.1.13 8.2.10 9.0.4 9.0.2209.3 | 8.1.12 and lower 8.2.0 to 8.2.9 9.0.0 to 9.0.3 9.0.2209 and lower | 8.1.13 8.2.10 9.0.4 9.0.2209.3 | - - - - | CVE-2021-21419 - Python 2.7, eventlet - Upgraded to 2.7.18.4 - Informational CVE-2021-28957 - Python 2.7, lxml - Upgraded to 2.7.18.4 - Medium CVE-2022-24785 - Moment.js - Upgraded to 2.29.4 - High CVE-2022-31129 - Moment.js - Upgraded to 2.29.4 - High CVE-2022-32212 - Node.js - Applied patch - High CVE-2015-20107 - Python 3.7 - Applied patch - Informational CVE-2021-3517 - Libxml2 - Applied patch - High CVE-2021-3537 - Libxml2 - Applied patch - Medium CVE-2021-3518 - Libxml2 - Applied patch - High | ||||||
SVD-2023-0214 | 2023-02-14 | 2023-02-14 | Splunk Response to the Apache Software Foundation Publishing a Vulnerability on Apache Commons Text (CVE-2022-42889) (Text4Shell) | Informational | - | - | - | - | CVE-2022-42889 - - - | |||||||||||
SVD-2022-1113 | 2022-11-02 | 2023-02-14 | November Third Party Package updates in Splunk Enterprise | High | Splunk Enterprise 8.1 Splunk Enterprise 8.2 Splunk Enterprise 9.0 Splunk Cloud Platform - | 8.1.12 8.2.9 9.0.2 9.0.2209 | 8.1.11 and lower 8.2.0 to 8.2.8 9.0.0 to 9.0.1 9.0.2208 and lower | 8.1.12 8.2.9 9.0.2 9.0.2209 | - - - - | CVE-2020-36518 - jackson-databind - Upgraded to 2.13.2.1 - High CVE-2021-32036 - mongodb - Upgraded to 4.2.19 or 4.2.17-v4 - Medium | ||||||||||
SVD-2022-1114 | 2022-11-01 | 2022-11-01 | Splunk’s response to OpenSSL’s CVE-2022-3602 and CVE-2022-3786 | High | Splunk Enterprise Universal Forwarders Splunk Cloud Platform Splunk Observability Platform SOAR Cloud SOAR SOAR Automation Broker Enterprise Security Splunk Security Essentials IT Service Intelligence Splunk UBA Data Stream Processor Splunk Addon for Active Directory Splunk Addon for Add-on for Infrastructure Splunk Addon for Add-on for Microsoft Exchange Splunk Addon for Add-on for VMware Splunk Addon for Amazon Kinesis Firehose Splunk Addon for Amazon Web Services Splunk Addon for Apache Web Server Splunk Addon for Bit9 Carbon Black Splunk Addon for Blue Coat ProxySG Splunk Addon for BMC Remedy Splunk Addon for Box Splunk Addon for Bromium Splunk Addon for Check Point OPSEC LEA Splunk Addon for Cisco ASA Splunk Addon for Cisco ESA Splunk Addon for Cisco FireSIGHT Splunk Addon for Cisco Identity Services Splunk Addon for Cisco UCS Splunk Addon for Citrix NetScaler Splunk Addon for CyberArk Splunk Addon for F5 BIG-IP Splunk Addon for Forcepoint Web Security Splunk Addon for Google Cloud Platform Splunk Addon for HAProxy Splunk Addon for IBM WebSphere Application Server Splunk Addon for Imperva SecureSphere WAF Splunk Addon for Infoblox Splunk Addon for ISC BIND Splunk Addon for ISC DHCP Splunk Addon for Java Management Extensions Splunk Addon for JBoss Splunk Addon for Juniper Splunk Addon for Kafka Splunk Addon for Linux Splunk Addon for McAfee Splunk Addon for McAfee Web Gateway Splunk Addon for Microsoft Cloud Services Splunk Addon for Microsoft Hyper-V Splunk Addon for Microsoft IIS Splunk Addon for Microsoft Office 365 Splunk Addon for Microsoft SQL Server Splunk Addon for Microsoft Windows Splunk Addon for MySQL Splunk Addon for Nagios Core Splunk Addon for NGINX Splunk Addon for OPC Splunk Addon for Oracle Database Splunk Addon for OSSEC Splunk Addon for RSA DLP Splunk Addon for RSA SecurID Splunk Addon for Salesforce Splunk Addon for 
ServiceNow Splunk Addon for Sophos Splunk Addon for Squid Proxy Splunk Addon for Stream Addon for Wire Data Splunk Addon for Symantec DLP Splunk Addon for Symantec Endpoint Protection Splunk Addon for Tomcat Splunk Addon for Unix and Linux Splunk Addon for Websense DLP Splunk Addon for Zeek Splunk App for AWS Splunk App for Common Information Model (CIM) Splunk App for DB Connect Splunk App for DB Connect - Older Unsupported versions Splunk App for Info Sec Splunk App for InfoSec App for Splunk Splunk App for Infrastructure Splunk App for IT Essentials Learn Splunk App for IT Essentials Work Splunk App for Machine Learning Toolkit (MLTK) and Python for Scientific Computing (PSC) Splunk App for Microsoft Exchange Splunk App for NetApp Data ONTAP Splunk App for PCI Compliance Splunk App for Security Essentials Splunk App for Splunk Product Guidance Splunk App for Stream Splunk App for Unix and Linux Splunk App for VMware Splunk App for Windows Splunk App for Windows Infrastructure Splunk Add-on Builder Splunk AppInspect Splunk SDKs Splunk Logging Library for Java Security Analytics for AWS Splunk Add-on for VMware Metrics Splunk App for Content Packs Splunk App for Infrastructure (SAI) Splunk App for Mint Splunk Application Performance Monitoring Splunk Assist Splunk Augmented Reality Splunk Cloud Data Manager (SCDM) Splunk Cloud Developer Edition Splunk Connect for Kafka Splunk Connect for Kubernetes Splunk Connect for Kubernetes-OpenTelemetry Splunk Connect for SNMP Splunk Connect for Syslog Splunk DB TA LAR Splunk Edge Hub Splunk Enterprise Amazon Machine Image (AMI) Splunk Enterprise Docker Container Splunk Infrastructure Monitoring Splunk Log Observer Splunk Mint Android SDK Splunk Mint IOS SDK Splunk Mint Management console Splunk Mobile Splunk Network Performance Monitoring Splunk On-Call/Victor Ops/SSA Splunk OVA for VMware Splunk OVA for VMWare Metrics Splunk Profiling Splunk Real User Monitoring Splunk Secure Gateway Behavioral Analytics Splunk Stream 
Forwarder Splunk Synthetics Splunk TV Splunk UBA OVA Software Splunk VMWare OVA for ITSI | | Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected Not affected | | | CVE-2022-3602 - OpenSSL - NA - High CVE-2022-3786 - OpenSSL - NA - High | ||||||||||
SVD-2022-0804 | 2022-08-16 | 2023-03-08 | August Third Party Package updates in Splunk Enterprise and Universal Forwarders | Medium | Universal Forwarder 8.1 Universal Forwarder 8.2 Universal Forwarder 9.0 Splunk Enterprise 8.1 Splunk Enterprise 8.2 Splunk Enterprise 9.0 Splunk Cloud Platform | 8.1.11 8.2.7.1 9.0.1 8.1.11 8.2.7.1 9.0.1 9.0.2205 | 8.1.10 and lower 8.2.0 to 8.2.7 9.0.0 8.1.10 and lower 8.2.0 to 8.2.7 9.0.0 8.2.2203.4 and lower | 8.1.11 8.2.7.1 9.0.1 8.1.11 8.2.7.1 9.0.1 9.0.2205 | - - - - - - - | CVE-2022-2068 - OpenSSL1.0.2 - Upgraded to OpenSSL 1.0.2zf - Informational CVE-2021-3541 - libxml2 - Applied patch - Medium CVE-2022-29824 - libxml2 - Applied patch - Medium CVE-2022-23308 - libxml2 - Applied patch - Informational | ||||||||||
SVD-2021-1201 | 2021-12-10 | 2022-01-07 | Splunk Security Advisory for Apache Log4j (CVE-2021-44228, CVE-2021-45046 and others) | Critical | CVE-2021-44228 - - - CVE-2021-45046 - - - |
Policy on information provided in Critical Security Alert and Security Patch Updates
Splunk continuously monitors for vulnerabilities through scans, offensive exercises such as penetration and application security testing, and reports from employees or external vendors or researchers. Splunk follows industry best practices to discover and remedy vulnerabilities. To report a security vulnerability, visit the Security Vulnerability Submission Portal.
Splunk does not provide additional information about the specifics of vulnerabilities beyond what it discloses in a Security Advisory. Splunk does not distribute active exploit code (for example, proof of concept code) for vulnerabilities in its products.
Applicability of Security Advisories
Splunk teams regularly evaluate security advisories from outside vendors as they become available and apply the relevant patches in accordance with applicable change management processes.
Customers that require additional information that a Security Advisory does not address can visit the Support Portal and submit a New Case.