Information Disclosure due to Username Collision with a Role that has the same Name as the User
Advisory ID: SVD-2024-1203
CVE ID: CVE-2024-53245
Published: 2024-12-10
Last Update: 2024-12-10
CVSSv3.1 Score: 3.1, Low
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
CWE: CWE-200
Bug ID: VULN-13012
Description
In Splunk Enterprise versions below 9.3.0, 9.2.4, and 9.1.7 and Splunk Cloud Platform versions below 9.1.2312.206, a low-privileged user that does not hold the "admin" or "power" Splunk roles, but whose username is identical to the name of a role with read access to a dashboard, could see the dashboard name and the dashboard XML by cloning the dashboard.
Solution
Upgrade Splunk Enterprise to versions 9.3.0, 9.2.4, 9.1.7, or higher.
Splunk is actively monitoring and patching Splunk Cloud Platform instances.
Product Status
Product | Version | Component | Affected Version | Fix Version |
---|---|---|---|---|
Splunk Enterprise | 9.3 | Splunk Dashboards | Not affected | 9.3.0 |
Splunk Enterprise | 9.2 | Splunk Dashboards | 9.2.0 to 9.2.3 | 9.2.4 |
Splunk Enterprise | 9.1 | Splunk Dashboards | 9.1.0 to 9.1.6 | 9.1.7 |
Splunk Cloud Platform | 9.1.2312 | Splunk Dashboards | Below 9.1.2312.206 | 9.1.2312.206 |
Mitigations and Workarounds
The vulnerability affects instances with Splunk Web enabled; turning Splunk Web off is a possible workaround. See Disable unnecessary Splunk Enterprise components and the web.conf configuration specification file for more information on disabling Splunk Web.
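The helpers below are an added example for this advisory, not Splunk's code. They turn three items above into checks an administrator can run: whether a version string falls in an affected range from the Product Status table, whether any username collides with a role name while the user holds neither the "admin" nor the "power" role (the precondition in the Description), and whether a web.conf text still has Splunk Web enabled (the workaround). The user and role payloads are constructed; their `entry[].name` / `content.roles` shape is the one returned by Splunk's REST `authentication/users` and `authorization/roles` endpoints and is assumed here. The `startwebserver` key is from the web.conf specification.

```python
"""Audit helpers for the preconditions in SVD-2024-1203 / CVE-2024-53245.

Added example, not Splunk's code. All sample data below is constructed.
"""
import configparser
import re
from typing import Optional


def parse_version(version: str) -> tuple:
    """Turn '9.1.2312.205' into (9, 1, 2312, 205) for ordered comparison."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


# Affected ranges copied from the advisory's Product Status table:
# (release-line prefix, first affected version, first fixed version).
AFFECTED_RANGES = {
    "Splunk Enterprise": [
        ((9, 1), (9, 1, 0), (9, 1, 7)),
        ((9, 2), (9, 2, 0), (9, 2, 4)),
        ((9, 3), None, (9, 3, 0)),  # 9.3 line is not affected
    ],
    "Splunk Cloud Platform": [
        ((9, 1, 2312), (9, 1, 2312, 0), (9, 1, 2312, 206)),
    ],
}


def is_affected(product: str, version: str) -> Optional[bool]:
    """True if version is inside an affected range, False if it is on a listed
    release line at or above the fix, None if the line is not in the table."""
    v = parse_version(version)
    for line, first_affected, first_fixed in AFFECTED_RANGES.get(product, []):
        if v[:len(line)] != line:
            continue
        if first_affected is None:
            return False
        return first_affected <= v < first_fixed
    return None


# Constructed listings in the shape of the REST users/roles endpoints (assumed).
SAMPLE_USERS = {"entry": [
    {"name": "admin", "content": {"roles": ["admin"]}},
    {"name": "alice", "content": {"roles": ["user"]}},
    {"name": "dashboard_readers", "content": {"roles": ["user"]}},
    {"name": "bob", "content": {"roles": ["power", "user"]}},
]}
SAMPLE_ROLES = {"entry": [
    {"name": "admin"}, {"name": "power"}, {"name": "user"},
    {"name": "dashboard_readers"}, {"name": "bob"},
]}


def find_user_role_collisions(users_payload: dict, roles_payload: dict) -> list:
    """Usernames identical to a role name, excluding users that hold the admin
    or power role (the advisory applies only to users without those roles)."""
    role_names = {e["name"] for e in roles_payload.get("entry", [])}
    hits = []
    for entry in users_payload.get("entry", []):
        held = set(entry.get("content", {}).get("roles", []))
        if entry["name"] in role_names and not held & {"admin", "power"}:
            hits.append(entry["name"])
    return sorted(hits)


# Constructed web.conf content with the workaround applied.
SAMPLE_WEB_CONF = """# constructed etc/system/local/web.conf
[settings]
startwebserver = 0
"""


def splunk_web_enabled(web_conf_text: str) -> bool:
    """Read [settings] startwebserver from web.conf text; Splunk Web is on unless
    the key is explicitly set to a false value."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(web_conf_text)
    value = cp.get("settings", "startwebserver", fallback="1").strip().lower()
    return value not in ("0", "false", "no")


if __name__ == "__main__":
    print("9.2.3 affected:", is_affected("Splunk Enterprise", "9.2.3"))
    print("collisions:", find_user_role_collisions(SAMPLE_USERS, SAMPLE_ROLES))
    print("Splunk Web enabled:", splunk_web_enabled(SAMPLE_WEB_CONF))
```

A username that collides with a role is not itself a vulnerability once the fix is applied; the collision list is useful before upgrading, to know which accounts the advisory's precondition applies to, and afterwards as a hygiene check.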
Detections
None
Severity
Splunk rates this vulnerability as a 3.1, Low, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N.
If the Splunk Enterprise instance does not run Splunk Web, there should be no impact and the severity would be informational.