Maintenance mode state change of App Key Value Store (KVStore) through a Cross-Site Request Forgery (CSRF) in Splunk Enterprise
Advisory ID: SVD-2025-0303
CVE ID: CVE-2025-20228
Published: 2025-03-26
Last Update: 2025-03-26
CVSSv3.1 Score: 6.5, Medium
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
CWE: CWE-352
Bug ID: VULN-21512
Description
In Splunk Enterprise versions below 9.3.3, 9.2.5, and 9.1.8 and Splunk Cloud Platform versions below 9.2.2403.108, and 9.1.2312.204, a low-privileged user that does not hold the “admin” or “power” Splunk roles could change the maintenance mode state of App Key Value Store (KVStore) through a Cross-Site Request Forgery (CSRF).
Solution
Upgrade Splunk Enterprise to versions 9.4.0, 9.3.3, 9.2.5, 9.1.8, or higher.
Splunk is actively monitoring and patching Splunk Cloud Platform instances.
Product Status
| Product | Version | Component | Affected Version | Fix Version |
|---|---|---|---|---|
| Splunk Enterprise | 9.3 | 9.3.0 to 9.3.2 | 9.3.3 | |
| Splunk Enterprise | 9.2 | 9.2.0 to 9.2.4 | 9.2.5 | |
| Splunk Enterprise | 9.1 | 9.1.0 to 9.1.7 | 9.1.8 | |
| Splunk Cloud Platform | 9.2.2403 | Splunk Web | 9.2.2403.100 to 9.2.2403.107 | 9.2.2403.108 |
| Splunk Cloud Platform | 9.1.2312 | Splunk Web | Below 9.1.2312.204 | 9.1.2312.204 |
Mitigations and Workarounds
The vulnerability affects instances with Splunk Web turned on. You could turn Splunk Web off as a possible workaround. See Disable unnecessary Splunk Enterprise components and the web.conf configuration specification file for more information on turning Splunk Web off.
Detections
None
Severity
Splunk rates this vulnerability as a 6.5, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H.
Acknowledgments
Anton (therceman)