Maintenance mode state change of App Key Value Store (KVStore) through a Cross-Site Request Forgery (CSRF) in Splunk Enterprise

Advisory ID: SVD-2025-0303

CVE ID: CVE-2025-20228

Published: 2025-03-26

Last Update: 2025-03-26

CVSSv3.1 Score: 6.5, Medium

CWE: CWE-352

Bug ID: VULN-21512

Description

In Splunk Enterprise versions below 9.3.3, 9.2.5, and 9.1.8 and Splunk Cloud Platform versions below 9.2.2403.108 and 9.1.2312.204, a low-privileged user who does not hold the “admin” or “power” Splunk roles could change the maintenance mode state of App Key Value Store (KVStore) through a Cross-Site Request Forgery (CSRF).

Solution

Upgrade Splunk Enterprise to versions 9.4.0, 9.3.3, 9.2.5, 9.1.8, or higher.

Splunk is actively monitoring and patching Splunk Cloud Platform instances.

Product Status

Product                 Version     Component    Affected Version                 Fix Version
Splunk Enterprise       9.3                      9.3.0 to 9.3.2                   9.3.3
Splunk Enterprise       9.2                      9.2.0 to 9.2.4                   9.2.5
Splunk Enterprise       9.1                      9.1.0 to 9.1.7                   9.1.8
Splunk Cloud Platform   9.2.2403    Splunk Web   9.2.2403.100 to 9.2.2403.107     9.2.2403.108
Splunk Cloud Platform   9.1.2312    Splunk Web   Below 9.1.2312.204               9.1.2312.204

Mitigations and Workarounds

The vulnerability affects instances with Splunk Web turned on. You could turn Splunk Web off as a possible workaround. See Disable unnecessary Splunk Enterprise components and the web.conf configuration specification file for more information on turning Splunk Web off.
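The web.conf setting that controls whether Splunk Web starts is shown below as an added example; it is not part of this advisory, and the file path and the comment lines are constructed for illustration. The `startwebserver` key under `[settings]` is the documented web.conf option that the workaround relies on.

```ini
; Constructed example: $SPLUNK_HOME/etc/system/local/web.conf
; Local settings override the defaults shipped in etc/system/default/web.conf.
[settings]
; Default value. With Splunk Web on, the instance is in scope for this advisory.
; startwebserver = 1

; Workaround from the advisory: turn Splunk Web off. This removes the web UI
; entirely, so apply it only where the instance is managed via CLI/REST.
startwebserver = 0
```

The change takes effect after restarting the Splunk instance. It applies to self-managed Splunk Enterprise only; Splunk Cloud Platform instances are patched by Splunk, as the Solution section states.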

Detections

None

Severity

Splunk rates this vulnerability as a 6.5, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H.

Acknowledgments

Anton (therceman)