Improper Access Control for low-privileged user in Splunk Secure Gateway App
Advisory ID: SVD-2024-1005
CVE ID: CVE-2024-45735
Published: 2024-10-14
Last Update: 2024-10-14
CVSSv3.1 Score: 4.3, Medium
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CWE: CWE-284
Bug ID: VULN-12960
Description
In Splunk Enterprise versions below 9.2.3 and 9.1.6, and Splunk Secure Gateway versions on Splunk Cloud Platform versions below 3.4.259, 3.6.17, and 3.7.0, a low-privileged user that does not hold the “admin” or “power” Splunk roles can see App Key Value Store (KV Store) deployment configuration and public/private keys in the Splunk Secure Gateway App.
Solution
Upgrade Splunk Enterprise to versions 9.3.0, 9.2.3, 9.1.6 or higher.
Splunk is actively monitoring Splunk Cloud Platform instances and upgrading Splunk Secure Gateway.
Product Status
Product | Version | Component | Affected Version | Fix Version |
---|---|---|---|---|
Splunk Enterprise | 9.3 | Splunk Secure Gateway | Not affected | 9.3.0 |
Splunk Enterprise | 9.2 | Splunk Secure Gateway | 9.2.0 to 9.2.2 | 9.2.3 |
Splunk Enterprise | 9.1 | Splunk Secure Gateway | 9.1.0 to 9.1.5 | 9.1.6 |
Splunk Secure Gateway | 3.7 | - | Not affected | 3.7.0 |
Splunk Secure Gateway | 3.6 | - | 3.6.0 to 3.6.16 | 3.6.17 |
Splunk Secure Gateway | 3.4 | - | Below 3.4.259 | 3.4.259 |
Mitigations and Workarounds
Splunk Mobile, Spacebridge, and Mission Control rely on functionality in $SPLUNK_HOME/etc/apps/splunk_secure_gateway. If you do not use any of the apps, features, or functionality, as a potential mitigation, you may remove or disable the app. See Manage app and add-on objects.
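As an added example (not part of the Splunk advisory and not Splunk's own tooling), the following POSIX shell script turns the Product Status table and the workaround above into something an administrator can run: it classifies a Splunk Enterprise or Splunk Secure Gateway version against the affected and fixed ranges listed, reads the app version from the standard `default/app.conf` `[launcher]` stanza under `$SPLUNK_HOME/etc/apps/splunk_secure_gateway` (a constructed sample file stands in for the real one so the script runs offline), and prints the `splunk disable app` command that implements the documented workaround. The version ranges are exactly those of the table; versions outside them (for example 9.0.x or 3.5.x) are reported as not listed rather than guessed at.

```shell
#!/bin/sh
# Added example: check a Splunk Enterprise / Splunk Secure Gateway version
# against the advisory's Product Status table (SVD-2024-1005, CVE-2024-45735)
# and print the documented workaround (disable the splunk_secure_gateway app).

# vge A B: success if dot-separated version A >= version B (numeric compare,
# missing components default to 0).
vge() {
  set -- "$1" "$2" $(printf '%s' "$1" | tr '.' ' ')
  a1=${3:-0}; a2=${4:-0}; a3=${5:-0}
  set -- $(printf '%s' "$2" | tr '.' ' ')
  b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
  [ "$a1" -gt "$b1" ] && return 0
  [ "$a1" -lt "$b1" ] && return 1
  [ "$a2" -gt "$b2" ] && return 0
  [ "$a2" -lt "$b2" ] && return 1
  [ "$a3" -ge "$b3" ]
}

# in_range V LO HI: success if LO <= V <= HI
in_range() { vge "$1" "$2" && vge "$3" "$1"; }

# enterprise_status VERSION -> affected | fixed | not-listed
# Ranges taken from the advisory table: 9.1.0-9.1.5 and 9.2.0-9.2.2 affected;
# 9.1.6, 9.2.3, 9.3.0 and higher fixed.
enterprise_status() {
  v="$1"
  if in_range "$v" 9.2.0 9.2.2 || in_range "$v" 9.1.0 9.1.5; then
    echo affected
  elif vge "$v" 9.3.0 || in_range "$v" 9.2.3 9.2.999 || in_range "$v" 9.1.6 9.1.999; then
    echo fixed
  else
    echo not-listed
  fi
}

# gateway_status VERSION -> affected | fixed | not-listed
# Splunk Secure Gateway on Splunk Cloud Platform: below 3.4.259 and
# 3.6.0-3.6.16 affected; 3.4.259, 3.6.17, 3.7.0 and higher fixed.
gateway_status() {
  v="$1"
  if in_range "$v" 3.6.0 3.6.16 || { vge "$v" 3.4.0 && ! vge "$v" 3.4.259; }; then
    echo affected
  elif vge "$v" 3.7.0 || in_range "$v" 3.6.17 3.6.999 || in_range "$v" 3.4.259 3.4.999; then
    echo fixed
  else
    echo not-listed
  fi
}

# app_version FILE: print the "version" key of the [launcher] stanza of an
# app.conf (the standard place a Splunk app records its version).
app_version() {
  awk -F= '/^\[/ { s = $0 }
           s == "[launcher]" && $1 ~ /^version[ \t]*$/ { gsub(/[ \t]/, "", $2); print $2; exit }' "$1"
}

# sample_app_conf: write a CONSTRUCTED app.conf (not a real Splunk file) to a
# temp file and print its path, so the script can be exercised offline.
sample_app_conf() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
[install]
state = enabled

[launcher]
author = constructed sample
version = 3.6.5
description = Constructed sample app.conf for the version check
EOF
  echo "$f"
}

# mitigation_command: the advisory's workaround, as a Splunk CLI invocation.
# Disabling an app takes effect after a Splunk restart; <admin>:<password>
# is a placeholder for real credentials.
mitigation_command() {
  echo '$SPLUNK_HOME/bin/splunk disable app splunk_secure_gateway -auth <admin>:<password>'
}

# Stand-alone demonstration on the constructed sample.
conf="$(sample_app_conf)"
sgw="$(app_version "$conf")"
echo "Splunk Secure Gateway $sgw: $(gateway_status "$sgw")"
echo "Splunk Enterprise 9.2.1: $(enterprise_status 9.2.1)"
echo "Workaround if the app is unused: $(mitigation_command)"
rm -f "$conf"
```

On a real host, replace the constructed sample with `$SPLUNK_HOME/etc/apps/splunk_secure_gateway/default/app.conf` and the hard-coded 9.2.1 with the output of `splunk version`; an `affected` result on either check means upgrade per the Solution section, and the disable command is only appropriate where Splunk Mobile, Spacebridge and Mission Control are not in use.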
Detections
Severity
Splunk rates this vulnerability as a 4.3, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N.
Acknowledgments
Gabriel Nitu, Splunk