Path Traversal on the “/modules/messaging/” endpoint in Splunk Enterprise on Windows

Advisory ID: SVD-2024-0711

CVE ID: CVE-2024-36991

Published: 2024-07-01

Last Update: 2024-07-01

CVSSv3.1 Score: 7.5, High


Bug ID: VULN-15637


In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10, an attacker could perform a path traversal on the /modules/messaging/ endpoint in Splunk Enterprise on Windows.

The vulnerability exists because the Python os.path.join function removes the drive letter from path tokens if the drive in the token matches the drive in the built path.
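The os.path.join behaviour described above, as an added example that is not part of this advisory or of Splunk's code: it uses Python's ntpath module (the Windows implementation of os.path, so it runs on any OS) with a constructed base directory and constructed file names, and pairs the naive join with a hardened join that normalises the result and rejects anything that does not stay under the base directory.

```python
import ntpath  # Windows path semantics; importable on any OS for demonstration

# Constructed base directory for this example (not Splunk's real install path).
BASE_DIR = r"C:\Program Files\App\modules\messaging"


def join_unsafe(base: str, token: str) -> str:
    """Naive join: exactly what os.path.join does on Windows.

    A token carrying the same drive letter as the base ("C:..\\x") has no
    root separator, so ntpath.join treats it as drive-relative: it drops the
    "C:" and appends the remainder, including any ".." segments, to the base.
    """
    return ntpath.join(base, token)


def join_safe(base: str, token: str) -> str:
    """Hardened join: normalise the result and require it to stay under base."""
    base_norm = ntpath.normcase(ntpath.normpath(base))
    candidate = ntpath.normcase(ntpath.normpath(ntpath.join(base, token)))
    try:
        common = ntpath.commonpath([base_norm, candidate])
    except ValueError:  # different drives, or absolute mixed with relative
        common = None
    if common != base_norm:
        raise ValueError(f"token escapes base directory: {token!r}")
    return candidate


def evaluate(token: str) -> tuple[str, bool]:
    """Return (what the naive join produces, whether the hardened join accepts it)."""
    naive = join_unsafe(BASE_DIR, token)
    try:
        join_safe(BASE_DIR, token)
        accepted = True
    except ValueError:
        accepted = False
    return naive, accepted


if __name__ == "__main__":
    # Constructed tokens: one legitimate, three that leave the base directory.
    for token in (r"inbox\msg.txt", r"..\..\secret.txt",
                  r"C:..\..\secret.txt", r"C:\other\secret.txt"):
        naive, accepted = evaluate(token)
        print(f"{token!r:26} -> {naive!r:64} accepted={accepted}")
```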

This vulnerability should only affect Splunk Enterprise on Windows.


Upgrade Splunk Enterprise to versions 9.2.2, 9.1.5, and 9.0.10, or higher.

Product Status

Product            Version  Component   Affected Version  Fix Version
Splunk Enterprise  9.2      Splunk Web  9.2.0 to          9.2.2
Splunk Enterprise  9.1      Splunk Web  9.1.0 to          9.1.5
Splunk Enterprise  9.0      Splunk Web  9.0.0 to          9.0.10

Mitigations and Workarounds

The vulnerability affects instances with Splunk Web turned on. Turning Splunk Web off is a possible workaround. See the Splunk documentation topic Disable unnecessary Splunk Enterprise components and the web.conf configuration specification file for more information on turning Splunk Web off.



Splunk rates this vulnerability as 7.5, High, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N.

If the Splunk Enterprise instance does not run Splunk Web, there should be no impact and the severity would be informational.


Danylo Dmytriiev (DDV_UA)