Sensitive Information Disclosure of Index Metrics through “mrollup” SPL Command
Advisory ID: SVD-2024-0106
CVE ID: CVE-2024-23676
Published: 2024-01-22
Last Update: 2024-01-23
CVSSv3.1 Score: 4.6, Medium
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
CWE: CWE-20
Bug ID: SPL-245947
Description
In Splunk versions below 9.0.8 and 9.1.3, the “mrollup” SPL command lets a low-privileged user view metrics on an index that they do not have permission to view. This vulnerability requires user interaction from a high-privileged user to exploit. See Splunk Enterprise Metrics for information on Metrics.
Solution
Upgrade Splunk Enterprise to versions 9.0.8, 9.1.3, or higher.
Splunk is actively monitoring and patching Splunk Cloud Platform instances.
Product Status
| Product | Version | Component | Affected Version | Fix Version |
|---|---|---|---|---|
| Splunk Enterprise | 9.0 | Splunk Web | 9.0.0 to 9.0.7 | 9.0.8 |
| Splunk Enterprise | 9.1 | Splunk Web | 9.1.0 to 9.1.2 | 9.1.3 |
| Splunk Cloud | - | Splunk Web | Versions below 9.1.2308.200 | 9.1.2308.200 |
Mitigations and Workarounds
If users do not log in to Splunk Web in a distributed environment, disable Splunk Web on those instances. See Disable unnecessary Splunk Enterprise components and the web.conf configuration specification file for more information on disabling Splunk Web.
If users do not need access to metrics indexes, remove authorization to search those indexes. See About configuring role-based user access for information on how to configure role-based user access.
Detections
Severity
Splunk rates this vulnerability a 4.6, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N.
Acknowledgments
Anton (therceman)