Malformed ZIP file crashes Universal Forwarders and Splunk Enterprise through file monitoring input

Advisory ID: SVD-2022-0803

CVE ID: CVE-2022-37439

Published: 2022-08-16

Last Update: 2022-08-16

CVSSv3.1 Score: 5.5, Medium

CWE: CWE-409



In Splunk Enterprise and Universal Forwarder versions in the following table, indexing a specially crafted ZIP file using the file monitoring input can result in a crash of the application. Attempts to restart the application would result in a crash and would require manually removing the malformed file. The vulnerability does not affect Splunk Enterprise 9.0 or higher.


For Splunk Enterprise and Universal Forwarder customers, upgrade versions to 8.1.11,, or higher.

Product Status

ProductVersionComponentAffected VersionFix Version
Universal Forwarder8.1Monitor Processor8.1.10 and lower8.1.11
Universal Forwarder8.2Monitor Processor8.2.0 to
Universal Forwarder9.0-Not affected-
Splunk Enterprise8.1Monitor Processor8.1.10 and lower8.1.11
Splunk Enterprise8.2Monitor Processor8.2.0 to
Splunk Enterprise9.0-Not affected-

Mitigations and Workarounds



This search lets an operator retroactively identify potential Splunk app crashes resulting from SVD-2022-0803. It is not possible to detect the attack before a crash using this method. The provided search indicates Universal Forwarder errors from uploaded binary or compressed ZIP files, which this attack uses. Consider any results from this search for further research to determine if a malformed ZIP file caused the crash (noting that the file extension might have been altered).


Splunk rates the vulnerability as Medium. The prerequisites require local privileged access to write to a monitored directory that is not restricted to the Splunk, system, or root user. Hence, Splunk rates the vulnerability as 5.5 with a CVSSv3.1 vector of CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H.

If your Splunk Enterprise instance monitors only the default directories that the $SPLUNK_HOME/etc/system/default/inputs.conf configuration file defines, then the instance is not affected and the vulnerability is informational. In addition, the vulnerability is informational if the filesystem privileges required to write to the monitored directories are root, system or the Splunk user.


Tim Ip at Adobe and Collegiate Penetration Testing Competition (CPTC)