Maintenance mode state change of App Key Value Store (KVStore) through Cross-Site Request Forgery (CSRF)
Advisory ID: SVD-2024-1007
CVE ID: CVE-2024-45737
Published: 2024-10-14
Last Update: 2024-10-14
CVSSv3.1 Score: 4.3, Medium
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
CWE: CWE-352
Bug ID: VULN-15375
Description
In Splunk Enterprise versions below 9.3.1, 9.2.3, and 9.1.6, and Splunk Cloud Platform versions below 9.2.2403.108 and 9.1.2312.204, a low-privileged user that does not hold the “admin” or “power” Splunk roles could change the maintenance mode state of App Key Value Store (KVStore) through a Cross-Site Request Forgery (CSRF). As with any CSRF (CWE-352), the forged request is submitted by the browser of a user who is already logged in to Splunk Web, which is why only instances with Splunk Web turned on are affected; the impact is limited to toggling KVStore maintenance mode, hence the availability-only rating.
Solution
Upgrade Splunk Enterprise to versions 9.3.1, 9.2.3, 9.1.6, or higher.
Splunk is actively monitoring and patching Splunk Cloud Platform instances.
Product Status
Product | Version | Component | Affected Version | Fix Version |
---|---|---|---|---|
Splunk Enterprise | 9.3 | Splunk Web | 9.3.0 | 9.3.1 |
Splunk Enterprise | 9.2 | Splunk Web | 9.2.0 to 9.2.2 | 9.2.3 |
Splunk Enterprise | 9.1 | Splunk Web | 9.1.0 to 9.1.5 | 9.1.6 |
Splunk Cloud Platform | 9.2.2403 | Splunk Web | 9.2.2403.102 to 9.2.2403.107 | 9.2.2403.108 |
Splunk Cloud Platform | 9.1.2312 | Splunk Web | Below 9.1.2312.204 | 9.1.2312.204 |
Mitigations and Workarounds
The vulnerability affects only instances with Splunk Web turned on. If an instance does not need the web interface (for example, an indexer or a heavy forwarder), you can turn Splunk Web off as a workaround by setting startwebserver = 0 in the [settings] stanza of web.conf and restarting, or by running splunk disable webserver. See the Splunk documentation pages “Disable unnecessary Splunk Enterprise components” and the web.conf configuration specification file for details. Note that this removes the browser UI for every user of that instance, so it is not a practical workaround for search heads that users log in to; upgrade those instead.
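To triage a fleet against this advisory, the Product Status table and the Splunk Web workaround above can be encoded as a small offline check. The following is an added example written for this page, not Splunk's code: it classifies a version as affected, fixed, or unlisted per the table, reads the effective web.conf startwebserver setting (the inventory shape, host names, and web.conf text are constructed for illustration), and flags an instance as exposed only when both conditions hold.

```python
"""Audit helpers for SVD-2024-1007 (CVE-2024-45737).

Added example, not Splunk's code. It encodes the affected/fix versions from
the advisory's Product Status table and the web.conf setting behind the
workaround, so that an inventory of instances can be triaged offline.
"""
from configparser import ConfigParser

# (product, branch) -> (first affected version or None, fix version), from the table.
FIXES = {
    ("Splunk Enterprise", "9.3"): ("9.3.0", "9.3.1"),
    ("Splunk Enterprise", "9.2"): ("9.2.0", "9.2.3"),
    ("Splunk Enterprise", "9.1"): ("9.1.0", "9.1.6"),
    ("Splunk Cloud Platform", "9.2.2403"): ("9.2.2403.102", "9.2.2403.108"),
    ("Splunk Cloud Platform", "9.1.2312"): (None, "9.1.2312.204"),  # "Below 9.1.2312.204"
}


def parse_version(version: str) -> tuple:
    """Turn '9.2.2403.107' into (9, 2, 2403, 107) so tuples compare numerically."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version string: {version!r}")
    return tuple(int(p) for p in parts)


def status(product: str, version: str) -> str:
    """Classify a version as 'affected', 'fixed' or 'unlisted' per the advisory table.

    'unlisted' covers branches the advisory does not mention (e.g. 9.0.x);
    treat that as 'verify manually', not as 'safe'.
    """
    v = parse_version(version)
    depth = 3 if product == "Splunk Cloud Platform" else 2  # 9.2.2403 vs 9.2
    branch = ".".join(str(x) for x in v[:depth])
    entry = FIXES.get((product, branch))
    if entry is None:
        return "unlisted"
    first, fix = entry
    if v >= parse_version(fix):
        return "fixed"
    if first is None or v >= parse_version(first):
        return "affected"
    return "unlisted"


def splunk_web_enabled(effective_web_conf: str) -> bool:
    """Return True if [settings] startwebserver leaves Splunk Web running.

    Splunk layers web.conf from default, app and local directories, so pass
    the merged result (e.g. output of `splunk btool web list settings`), not a
    single file. startwebserver defaults to 1 when absent.
    """
    cp = ConfigParser(interpolation=None, strict=False)
    cp.read_string(effective_web_conf)
    value = cp.get("settings", "startwebserver", fallback="1")
    return value.strip().lower() not in ("0", "false", "f", "no", "n", "off")


def audit(inventory: list) -> list:
    """inventory rows: (host, product, version, effective_web_conf).

    Per the advisory an instance is exposed only if it runs an affected
    version AND Splunk Web is turned on. Returns (host, status, exposed).
    """
    report = []
    for host, product, version, web_conf in inventory:
        st = status(product, version)
        exposed = st == "affected" and splunk_web_enabled(web_conf)
        report.append((host, st, exposed))
    return report


# Constructed sample inputs (hypothetical hosts, not from the advisory).
HARDENED_WEB_CONF = """\
[settings]
# Workaround for SVD-2024-1007: Splunk Web turned off
startwebserver = 0
httpport = 8000
"""
DEFAULT_WEB_CONF = """\
[settings]
httpport = 8000
"""
SAMPLE_INVENTORY = [
    ("sh1", "Splunk Enterprise", "9.2.2", DEFAULT_WEB_CONF),    # affected, exposed
    ("sh2", "Splunk Enterprise", "9.2.2", HARDENED_WEB_CONF),   # affected, mitigated
    ("idx1", "Splunk Enterprise", "9.3.1", DEFAULT_WEB_CONF),   # fixed
    ("old1", "Splunk Enterprise", "9.0.9", DEFAULT_WEB_CONF),   # not in the table
]

if __name__ == "__main__":
    for host, st, exposed in audit(SAMPLE_INVENTORY):
        print(f"{host:6} {st:9} exposed={exposed}")
```

The "unlisted" outcome is deliberate: the advisory's table starts at 9.1, so anything older (or a Cloud build below the first listed number) is not declared safe by this page and should be checked against Splunk's own guidance rather than assumed fixed.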
Detections
Severity
Splunk rates this vulnerability as a 4.3, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L.
If the Splunk Enterprise instance does not run Splunk Web, there should be no impact and the severity would be informational.
Acknowledgments
Anton (therceman)