Denial of Service of an Investigation in Splunk Enterprise Security through Investigation attachments

Advisory ID: SVD-2024-0101

CVE ID: CVE-2024-22164

Published: 2024-01-09

Last Update: 2024-01-10

CVSSv3.1 Score: 4.3, Medium

CWE: CWE-400

Bug ID: SOLNESS-35980


In Splunk Enterprise Security (ES) versions below 7.1.2, an attacker can use investigation attachments to perform a denial of service (DoS) to the investigation. The attachment endpoint does not properly limit the size of the request, which lets an attacker cause the investigation to become inaccessible.
The vulnerability requires the authenticated, collaborator access to the Investigation and only affects the availability of an affected Investigation.


Upgrade Splunk Enterprise Security (ES) to versions 7.1.2, 7.2.0, 7.3.0 or higher.

Product Status

ProductVersionComponentAffected VersionFix Version
Splunk Enterprise Security (ES)7.3--7.3.0
Splunk Enterprise Security (ES)7.2--7.2.0
Splunk Enterprise Security (ES)7.1-Below

Mitigations and Workarounds




Splunk rates this vulnerability a 4.3, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L.


Vikram Ashtaputre, Splunk