Third-Party Package Updates in Splunk Machine Learning Toolkit - November 2024
Advisory ID: SVD-2024-1102
CVE ID: Multiple
Published: 2024-11-26
Last Update: 2024-11-26
Description
Splunk remedied common vulnerabilities and exposures (CVEs) in third-party packages in Splunk Machine Learning Toolkit (MLTK) version 5.5.0, including the following:
Package | Remediation | CVE | Severity |
---|---|---|---|
dompurify | Upgraded to 2.5.4 | CVE-2024-45801 | High |
postcss | Upgraded to 8.4.31 | CVE-2024-44270 | Medium |
highcharts | Upgraded to 9.0.0 | CVE-2024-29489 | Medium |
Solution
Upgrade Splunk Machine Learning Toolkit (MLTK) to version 5.5.0 or higher.
Upgrading Python for Scientific Computing (PSC) to 4.2.2 requires updating MLTK to 5.5.0 or higher. See "Upgrade the Splunk Machine Learning Toolkit" for help upgrading and "Install the Splunk Machine Learning Toolkit" for more information on version compatibility.
Product Status
Product | Version | Component | Affected Version | Fix Version |
---|---|---|---|---|
Splunk Machine Learning Toolkit (MLTK) | 5.5 | | Below 5.5.0 | 5.5.0 |
Severity
For the CVEs in this list, Splunk adopted the vendor's severity rating or the National Vulnerability Database (NVD) Common Vulnerability Scoring System (CVSS) rating, as available.