Missing Access Control of Saved Searches in the Splunk Archiver app
Advisory ID: SVD-2025-0706
CVE ID: CVE-2025-20323
Published: 2025-07-07
Last Update: 2025-07-07
CVSSv3.1 Score: 4.3, Medium
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CWE: CWE-284
Bug ID: VULN-20046
Description
In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7, and 9.1.10, a low-privileged user who does not hold the “admin” or “power” Splunk roles could turn off the scheduled search Bucket Copy Trigger within the Splunk Archiver application. This is because of missing access controls in the saved searches for this app.
Solution
Upgrade Splunk Enterprise to versions 9.4.3, 9.3.5, 9.2.7, 9.1.10, or higher.
Product Status
Product | Base Version | Component | Affected Version | Fix Version |
---|---|---|---|---|
Splunk Enterprise | 9.4 | Splunk Archiver | 9.4.0 to 9.4.2 | 9.4.3 |
Splunk Enterprise | 9.3 | Splunk Archiver | 9.3.0 to 9.3.4 | 9.3.5 |
Splunk Enterprise | 9.2 | Splunk Archiver | 9.2.0 to 9.2.6 | 9.2.7 |
Splunk Enterprise | 9.1 | Splunk Archiver | 9.1.0 to 9.1.9 | 9.1.10 |
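
To triage a fleet against the table above, the following added example (not part of the Splunk advisory or any Splunk tooling) classifies version strings by base version and fix version. The host names and version strings in `SAMPLE_INVENTORY` are constructed, and the `unlisted` status is this example's own label for base versions the table does not cover.

```python
import re

# Fix version per base version, copied from the Product Status table above.
FIX_VERSIONS = {
    (9, 4): (9, 4, 3),
    (9, 3): (9, 3, 5),
    (9, 2): (9, 2, 7),
    (9, 1): (9, 1, 10),
}

# Constructed sample inventory (hypothetical hosts and version strings).
SAMPLE_INVENTORY = {
    "idx-01": "9.1.9",
    "idx-02": "Splunk 9.1.10 (build 0000000)",
    "sh-01": "splunk-9.4.2-linux",
    "hf-01": "9.0.5",
}

def parse_version(text):
    """Return (major, minor, patch) from strings such as '9.3.4' or 'Splunk 9.1.10 (build x)'."""
    m = re.search(r"(?<![\d.])(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)

def triage(version_text):
    """Classify one version as 'affected', 'fixed' or 'unlisted', with the fix version."""
    version = parse_version(version_text)
    fix = FIX_VERSIONS.get(version[:2])
    if fix is None:
        # Base version is not in the table: the table makes no statement, so do not guess.
        return "unlisted", None
    fix_text = ".".join(map(str, fix))
    # Tuples compare numerically, so 9.1.10 sorts after 9.1.9 (a string comparison would not).
    status = "fixed" if version >= fix else "affected"
    return status, fix_text

def triage_fleet(inventory):
    """Map each host to its (status, fix version) pair."""
    return {host: triage(version) for host, version in inventory.items()}

if __name__ == "__main__":
    for host, (status, fix) in sorted(triage_fleet(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}" + (f" (fix: {fix})" if fix else ""))
```

Hosts reported as `unlisted` need a manual check against the advisory rather than being treated as safe.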
Mitigations and Workarounds
Disable the Splunk Archiver app. See Manage app and add-on objects.
Detections
None
Severity
Splunk rates this vulnerability a 4.3, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N.
If you remove or disable the Splunk Archiver app, there should be no impact and the severity would be informational.
Acknowledgments
Anton (therceman)