Remote Code Execution (RCE) through an external lookup due to “” script in the “splunk_archiver” application in Splunk Enterprise

Advisory ID: SVD-2024-0705

CVE ID: CVE-2024-36985

Published: 2024-07-01

Last Update: 2024-07-01

CVSSv3.1 Score: 8.8, High

CWE: CWE-687

Bug ID: VULN-8937

Description

In Splunk Enterprise versions below 9.0.10, 9.1.5, and 9.2.2, a low-privileged user who does not hold the “admin” or “power” Splunk roles could cause a Remote Code Execution through an external lookup that likely references the “splunk_archiver” application.

The “splunk_archiver” application likely contains a script called “” that itself references a file called “”, which would likely execute a script called “sudobash”.

The “sudobash” script does not perform any input checking. Therefore, it runs a bash shell with arguments supplied by the “” file. This can lead to an RCE.

Solution

Upgrade Splunk Enterprise to versions 9.2.2, 9.1.5, and 9.0.10, or higher.

Product Status

Product            Version  Component        Affected Version  Fix Version
Splunk Enterprise  9.2      splunk_archiver  9.2.0 to          9.2.2
Splunk Enterprise  9.1      splunk_archiver  9.1.0 to          9.1.5
Splunk Enterprise  9.0      splunk_archiver  9.0.0 to          9.0.10

Mitigations and Workarounds

Disable the “splunk_archiver” application.

Severity

Splunk rates this vulnerability as 8.8, High, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.

If the Splunk Enterprise instance has the splunk_archiver application disabled, there is no impact and the severity is Informational.
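A defender-side check that applies the two conditions above (fixed version reached, or splunk_archiver disabled) to an instance, written as an added example that is not part of this advisory or of Splunk's tooling. It assumes the app state is read from the app's app.conf `[install]` stanza (where `state = disabled` turns an app off) and that only the 9.0, 9.1 and 9.2 lines listed in the product table are in scope; the app.conf text below is constructed sample input.

```python
"""Added example (not from the Splunk advisory): classify a Splunk Enterprise
instance against the SVD-2024-0705 / CVE-2024-36985 product table.

Assumption: only the 9.0, 9.1 and 9.2 lines from the advisory's table are
considered; app state comes from app.conf's [install] stanza.
"""
import configparser

# Fixed versions stated in the advisory, keyed by minor line.
FIX_VERSION = {(9, 0): (9, 0, 10), (9, 1): (9, 1, 5), (9, 2): (9, 2, 2)}


def parse_version(text: str) -> tuple:
    """Turn '9.1.4' into (9, 1, 4); missing components default to 0."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]


def is_vulnerable_version(version: str) -> bool:
    """True when the version is in an affected line and predates its fix."""
    v = parse_version(version)
    fix = FIX_VERSION.get(v[:2])
    return fix is not None and v < fix


def archiver_disabled(app_conf_text: str) -> bool:
    """True when app.conf marks the app disabled ([install] state = disabled)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(app_conf_text)
    state = cp.get("install", "state", fallback="enabled")
    return state.strip().lower() == "disabled"


def assess(version: str, app_conf_text: str) -> str:
    """Mirror the advisory's severity statement for one instance."""
    if not is_vulnerable_version(version):
        return "Not affected: fixed version already installed"
    if archiver_disabled(app_conf_text):
        return "Informational: splunk_archiver disabled, no impact"
    return "High: CVE-2024-36985 reachable; upgrade or disable splunk_archiver"


# Constructed samples of $SPLUNK_HOME/etc/apps/splunk_archiver/local/app.conf
SAMPLE_APP_CONF_DISABLED = "[install]\nstate = disabled\n"
SAMPLE_APP_CONF_ENABLED = "[install]\nstate = enabled\n"

if __name__ == "__main__":
    print(assess("9.1.4", SAMPLE_APP_CONF_ENABLED))
    print(assess("9.1.4", SAMPLE_APP_CONF_DISABLED))
    print(assess("9.2.2", SAMPLE_APP_CONF_ENABLED))
```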

Acknowledgments

Alex Hordijk