Denial of Service (DoS) on the datamodel/web REST endpoint

Advisory ID: SVD-2024-0710

CVE ID: CVE-2024-36990

Published: 2024-07-01

Last Update: 2024-07-01

CVSSv3.1 Score: 6.5, Medium

CWE: CWE-835

Bug ID: VULN-15235


In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.2.2403.100, an authenticated, low-privileged user that does not hold the “admin” or “power” Splunk roles could send a specially crafted HTTP POST request to the datamodel/web REST endpoint in Splunk Enterprise, potentially causing a denial of service.

The DoS could result from a condition where a data model definition contains a cyclic dependency. That dependency could lead to an infinite loop, which leads to a stack overflow and the subsequent crash of the Splunk daemon.


Upgrade Splunk Enterprise to versions 9.2.2, 9.1.5, and 9.0.10, or higher.

Splunk is performing upgrades on Splunk Cloud Platform instances as part of Routine Maintenance for customers, as described in the Splunk Cloud Platform Maintenance Policy. In the meantime, Splunk is actively monitoring for potential issues that could arise from this vulnerability.

Product Status

ProductVersionComponentAffected VersionFix Version
Splunk Enterprise9.2REST API9.2.0 to
Splunk Enterprise9.1REST API9.1.0 to
Splunk Enterprise9.0REST API9.0.0 to
Splunk Cloud Platform9.1.2312REST API9.1.2312.200 to 9.1.2312.2019.1.2312.202
Splunk Cloud Platform9.1.2312REST API9.1.2312.100 to 9.1.2312.1089.1.2312.109
Splunk Cloud Platform9.1.2308REST APIBelow 9.1.2308.2089.1.2308.209

Mitigations and Workarounds




Splunk rates this vulnerability as 6.5, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H.


Anton (therceman)