Improperly Formatted ‘INGEST_EVAL’ Parameter Crashes Splunk Daemon
Advisory ID: SVD-2024-1006
CVE ID: CVE-2024-45736
Published: 2024-10-14
Last Update: 2024-10-14
CVSSv3.1 Score: 6.5, Medium
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-400
Bug ID: VULN-16989
Description
In Splunk Enterprise versions below 9.3.1, 9.2.3, and 9.1.6 and Splunk Cloud Platform versions below 9.2.2403.107, 9.1.2312.204, and 9.1.2312.111, a low-privileged user who does not hold the “admin” or “power” Splunk roles could craft a search query with an improperly formatted “INGEST_EVAL” parameter as part of a Field Transformation, which could crash the Splunk daemon (splunkd).
Solution
Upgrade Splunk Enterprise to versions 9.3.1, 9.2.3, 9.1.6, or higher.
Splunk is actively monitoring and patching Splunk Cloud Platform instances.
Product Status
| Product | Version | Component | Affected Version | Fix Version |
|---|---|---|---|---|
| Splunk Enterprise | 9.3 | splunkd | 9.3.0 | 9.3.1 |
| Splunk Enterprise | 9.2 | splunkd | 9.2.0 to 9.2.2 | 9.2.3 |
| Splunk Enterprise | 9.1 | splunkd | 9.1.0 to 9.1.5 | 9.1.6 |
| Splunk Cloud Platform | 9.2.2403 | splunkd | 9.2.2403.100 to 9.2.2403.106 | 9.2.2403.107 |
| Splunk Cloud Platform | 9.1.2312 | splunkd | 9.1.2312.200 to 9.1.2312.203 | 9.1.2312.204 |
| Splunk Cloud Platform | 9.1.2312 | splunkd | Below 9.1.2312.111 | 9.1.2312.111 |
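The following is an added example, not part of the Splunk advisory: a Python check that triages a version inventory against the Product Status table above. The function names, the `enterprise`/`cloud` product labels and the sample inventory are hypothetical; it assumes "Below 9.1.2312.111" applies only within the 9.1.2312 train and that any components beyond those the table gives are ignored.

```python
# Inclusive affected ranges and fix versions, transcribed from the Product Status table.
RANGES = {
    "enterprise": [
        ((9, 3, 0), (9, 3, 0), "9.3.1"),
        ((9, 2, 0), (9, 2, 2), "9.2.3"),
        ((9, 1, 0), (9, 1, 5), "9.1.6"),
    ],
    "cloud": [
        ((9, 2, 2403, 100), (9, 2, 2403, 106), "9.2.2403.107"),
        ((9, 1, 2312, 200), (9, 1, 2312, 203), "9.1.2312.204"),
        # Assumption: "Below 9.1.2312.111" is confined to the 9.1.2312 train.
        ((9, 1, 2312, 0), (9, 1, 2312, 110), "9.1.2312.111"),
    ],
}

def parse(version):
    """Turn '9.2.2403.105' into (9, 2, 2403, 105); reject non-numeric parts."""
    parts = version.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in parts)

def check(product, version):
    """Return ('affected', fix) or ('not listed', None) for one version."""
    v = parse(version)
    for low, high, fix in RANGES[product]:
        if len(v) < len(low):
            raise ValueError(f"version too short for {product}: {version!r}")
        # Assumption: compare only the components the table gives (extra ones ignored).
        if low <= v[:len(low)] <= high:
            return ("affected", fix)
    # "not listed" means the table makes no statement, not that the version is safe.
    return ("not listed", None)

def triage(inventory):
    """Return {host: fix_version} for every affected (host, product, version) entry."""
    results = ((host, check(product, ver)) for host, product, ver in inventory)
    return {host: fix for host, (status, fix) in results if status == "affected"}

# Constructed sample inventory (hostnames and versions are made up for illustration).
SAMPLE = [
    ("idx01", "enterprise", "9.2.2"),
    ("idx02", "enterprise", "9.2.3"),
    ("sh01", "enterprise", "9.1.0.2"),
    ("hf01", "enterprise", "9.0.9"),
    ("stack-a", "cloud", "9.1.2312.150"),
    ("stack-b", "cloud", "9.1.2312.202"),
]
```

Calling `triage(SAMPLE)` returns only the hosts whose versions fall inside a listed affected range, mapped to the fix version to upgrade to.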
Mitigations and Workarounds
None
Detections
Severity
Splunk rates this vulnerability as 6.5, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H.
Acknowledgments
Danylo Dmytriiev (DDV_UA)