Denial of Service of an Investigation in Splunk Enterprise Security through Investigation attachments

Advisory ID: SVD-2024-0101

CVE ID: CVE-2024-22164

Published: 2024-01-09

Last Update: 2024-01-10

CVSSv3.1 Score: 4.3, Medium

CWE: CWE-400

Bug ID: SOLNESS-35980

DescriptionPermalink

In Splunk Enterprise Security (ES) versions below 7.1.2, an attacker can use investigation attachments to perform a denial of service (DoS) to the investigation. The attachment endpoint does not properly limit the size of the request, which lets an attacker cause the investigation to become inaccessible.
The vulnerability requires the authenticated, collaborator access to the Investigation and only affects the availability of an affected Investigation.

SolutionPermalink

Upgrade Splunk Enterprise Security (ES) to versions 7.1.2, 7.2.0, 7.3.0 or higher.

Product StatusPermalink

ProductVersionComponentAffected VersionFix Version
Splunk Enterprise Security (ES)7.3--7.3.0
Splunk Enterprise Security (ES)7.2--7.2.0
Splunk Enterprise Security (ES)7.1-Below 7.1.27.1.2

Mitigations and WorkaroundsPermalink

N/A

DetectionsPermalink

SeverityPermalink

Splunk rates this vulnerability a 4.3, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L.

AcknowledgmentsPermalink

Vikram Ashtaputre, Splunk