Missing Access Control of Saved Searches in the Splunk Archiver app

Advisory ID: SVD-2025-0706

CVE ID: CVE-2025-20323

Published: 2025-07-07

Last Update: 2025-07-07

CVSSv3.1 Score: 4.3, Medium

CWE: CWE-284

Bug ID: VULN-20046

Description

In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7, and 9.1.10, a low-privileged user that does not hold the “admin” or “power” Splunk roles could turn off the scheduled search Bucket Copy Trigger within the Splunk Archiver application. This is because of missing access controls in the saved searches for this app.

Solution

Upgrade Splunk Enterprise to versions 9.4.3, 9.3.5, 9.2.7, 9.1.10, or higher.

Product Status

| Product | Base Version | Component | Affected Version | Fix Version |
|---|---|---|---|---|
| Splunk Enterprise | 9.4 | Splunk Archiver | 9.4.0 to 9.4.2 | 9.4.3 |
| Splunk Enterprise | 9.3 | Splunk Archiver | 9.3.0 to 9.3.4 | 9.3.5 |
| Splunk Enterprise | 9.2 | Splunk Archiver | 9.2.0 to 9.2.6 | 9.2.7 |
| Splunk Enterprise | 9.1 | Splunk Archiver | 9.1.0 to 9.1.9 | 9.1.10 |
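
The following is an added example, not part of the Splunk advisory: a small triage script that classifies Splunk Enterprise versions from an inventory against the Product Status ranges above. The function names, host names and sample inventory are assumptions constructed for illustration; base versions that the table does not list are reported as "not-listed" rather than guessed.

```python
import re

# Base version -> (first affected, first fixed), copied from the Product Status table.
ADVISORY_RANGES = {
    (9, 4): ((9, 4, 0), (9, 4, 3)),
    (9, 3): ((9, 3, 0), (9, 3, 5)),
    (9, 2): ((9, 2, 0), (9, 2, 7)),
    (9, 1): ((9, 1, 0), (9, 1, 10)),
}

def parse_version(text):
    """Return (major, minor, patch) as integers; a missing patch counts as 0."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if m is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part or 0) for part in m.groups())

def status(version_text):
    """Classify one version as 'affected', 'fixed' or 'not-listed'."""
    version = parse_version(version_text)
    entry = ADVISORY_RANGES.get(version[:2])
    if entry is None:
        return "not-listed"  # the table makes no statement about this base version
    first_affected, first_fixed = entry
    # Tuple comparison is numeric, so 9.1.10 sorts after 9.1.9 (string comparison would not).
    return "affected" if first_affected <= version < first_fixed else "fixed"

def triage(inventory):
    """Return (host, version, status, upgrade_target) rows; target is None unless affected."""
    rows = []
    for host, version_text in inventory:
        state = status(version_text)
        target = None
        if state == "affected":
            target = ".".join(map(str, ADVISORY_RANGES[parse_version(version_text)[:2]][1]))
        rows.append((host, version_text, state, target))
    return rows

# Constructed inventory: host names and versions are illustrative only.
SAMPLE_INVENTORY = [
    ("sh-01", "9.4.2"),
    ("idx-01", "9.1.9"),
    ("idx-02", "9.1.10"),
    ("hf-01", "9.0.5"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(*row, sep="\t")
```
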

Mitigations and Workarounds

Disable the Splunk Archiver app. See Manage app and add-on objects.

Detections

None

Severity

Splunk rates this vulnerability a 4.3, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N.
If you remove or disable the Splunk Archiver app, there should be no impact and the severity would be informational.

Acknowledgments

Anton (therceman)