Information Disclosure in Mobile Alert Responses in Splunk Secure Gateway
Advisory ID: SVD-2024-1201
CVE ID: CVE-2024-53243
Published: 2024-12-10
Last Update: 2024-12-10
CVSSv3.1 Score: 4.3, Medium
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CWE: CWE-200
Bug ID: VULN-13826
Description
In Splunk Enterprise versions below 9.3.2, 9.2.4, and 9.1.7 and versions below 3.2.462, 3.7.18, and 3.8.5 of the Splunk Secure Gateway app on Splunk Cloud Platform, a low-privileged user that does not hold the “admin” or “power” Splunk roles could see alert search query responses using Splunk Secure Gateway App Key Value Store (KVstore) collections endpoints due to improper access control.
Solution
Upgrade Splunk Enterprise to versions 9.3.2, 9.2.4, 9.1.7, or higher.
Splunk is actively monitoring and patching Splunk Cloud Platform instances.
Product Status
Product | Version | Component | Affected Version | Fix Version |
---|---|---|---|---|
Splunk Enterprise | 9.3 | Splunk Secure Gateway | 9.3.0 to 9.3.1 | 9.3.2 |
Splunk Enterprise | 9.2 | Splunk Secure Gateway | 9.2.0 to 9.2.3 | 9.2.4 |
Splunk Enterprise | 9.1 | Splunk Secure Gateway | 9.1.0 to 9.1.6 | 9.1.7 |
Splunk Secure Gateway | 3.8 | | 3.8.0 to 3.8.4 | 3.8.5 |
Splunk Secure Gateway | 3.7 | | Below 3.7.18 | 3.7.18 |
Splunk Secure Gateway | 3.4 | | Below 3.4.262 | 3.4.262 |
Mitigations and Workarounds
Disable the Splunk Secure Gateway App. See Manage app and add-on objects.
Note: Splunk Mobile, Spacebridge, and Mission Control rely on functionality in $SPLUNK_HOME/etc/apps/splunk_secure_gateway. If you do not use any of these apps, features, or functionality, you may remove or disable the app as a potential mitigation.
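The following audit script is an added example, not part of Splunk's advisory. It checks one installation against the Splunk Secure Gateway rows of the Product Status table and recognizes the disable-the-app mitigation. It assumes the app version is recorded under `[launcher] version` and the disabled state under `[install] state` in the app's `app.conf`, with `local` overriding `default`; the `assess` and `make_sample` names and the sample trees are constructed for illustration.

```python
import configparser
import os
import tempfile

APP = "splunk_secure_gateway"
# Fix versions from the Splunk Secure Gateway rows of the Product Status table.
FIXED = {(3, 8): (3, 8, 5), (3, 7): (3, 7, 18), (3, 4): (3, 4, 262)}

def assess(splunk_home):
    """Classify one installation from the app's layered app.conf files."""
    app_dir = os.path.join(splunk_home, "etc", "apps", APP)
    if not os.path.isdir(app_dir):
        return "not installed"
    conf = configparser.ConfigParser(strict=False, interpolation=None)
    # Read default first, then local, so local settings override default ones.
    for layer in ("default", "local"):
        conf.read(os.path.join(app_dir, layer, "app.conf"))
    if conf.get("install", "state", fallback="enabled").strip().lower() == "disabled":
        return "mitigated: app disabled"
    raw = conf.get("launcher", "version", fallback="")
    try:
        version = tuple(int(part) for part in raw.strip().split("."))
    except ValueError:
        return "unknown: no parseable version"
    fixed = FIXED.get(version[:2])
    if fixed is None:
        return "unknown: branch not in advisory table"
    return "affected" if version < fixed else "fixed"

def make_sample(default_conf, local_conf=None):
    """Build a constructed SPLUNK_HOME tree in a temp dir (sample data only)."""
    home = tempfile.mkdtemp(prefix="splunk_home_")
    for layer, text in (("default", default_conf), ("local", local_conf)):
        if text is not None:
            layer_dir = os.path.join(home, "etc", "apps", APP, layer)
            os.makedirs(layer_dir)
            with open(os.path.join(layer_dir, "app.conf"), "w") as fh:
                fh.write(text)
    return home

if __name__ == "__main__":
    old = "[launcher]\nversion = 3.8.4\n"
    print(assess(make_sample(old)))
    print(assess(make_sample(old, "[install]\nstate = disabled\n")))
    print(assess(make_sample("[launcher]\nversion = 3.7.18\n")))
```

On Splunk Enterprise the advisory's fix is the Enterprise upgrade itself, so treat an "affected" result there as a prompt to check the Enterprise version against the 9.3.2, 9.2.4, and 9.1.7 fix versions.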
Detections
None
Severity
Splunk rates this vulnerability as a 4.3, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N.
If you remove or disable the Splunk Secure Gateway app, there should be no impact and the severity would be informational.
Acknowledgments
Anton (therceman)