Information Disclosure of user names
Advisory ID: SVD-2024-0716
CVE ID: CVE-2024-36996
Published: 2024-07-01
Last Update: 2024-07-01
CVSSv3.1 Score: 5.3, Medium
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CWE: CWE-204
Bug ID: VULN-3072
Description
In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.109, an attacker could determine whether or not another user exists on the instance by deciphering the error response that they receive from the instance when they attempt to log in. This disclosure could then lead to additional brute-force password-guessing attacks.
This vulnerability would require that the Splunk platform instance uses the Security Assertion Markup Language (SAML) authentication scheme.
Solution
Upgrade Splunk Enterprise to versions 9.2.2, 9.1.5, and 9.0.10, or higher.
Splunk is performing upgrades on Splunk Cloud Platform instances as part of Routine Maintenance for customers, as described in the Splunk Cloud Platform Maintenance Policy. In the meantime, Splunk is actively monitoring for potential issues that could arise from this vulnerability.
Product Status
| Product | Version | Component | Affected Version | Fix Version |
|---|---|---|---|---|
| Splunk Enterprise | 9.2 | SAML | 9.2.0 to 9.2.1 | 9.2.2 |
| Splunk Enterprise | 9.1 | SAML | 9.1.0 to 9.1.4 | 9.1.5 |
| Splunk Enterprise | 9.0 | SAML | 9.0.0 to 9.0.9 | 9.0.10 |
| Splunk Cloud Platform | 9.1.2312 | SAML | Below 9.1.2312.109 | 9.1.2312.109 |
Mitigations and Workarounds
None
Detections
None
Severity
Splunk rates this vulnerability a 5.3, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N.
If the Splunk Enterprise instance does not run Splunk Web, there should be no impact and the severity would be informational.