Improper Access Control Lets Low-Privilege Users Suppress Read-Only Alerts in Splunk Enterprise
Advisory ID: SVD-2025-0708
CVE ID: CVE-2025-20300
Published: 2025-07-07
Last Update: 2025-07-07
CVSSv3.1 Score: 4.3, Medium
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CWE: CWE-863
Bug ID: VULN-25109
Description
In Splunk Enterprise versions below 9.4.2, 9.3.5, 9.2.6, and 9.1.9 and Splunk Cloud Platform versions below 9.3.2411.103, 9.3.2408.112, and 9.2.2406.119, a low-privileged user that does not hold the “admin” or “power” Splunk roles, and has read-only access to a specific alert, could suppress that alert when it triggers. See Define alert suppression groups to throttle sets of similar alerts.
Solution
Upgrade Splunk Enterprise to versions 9.4.2, 9.3.5, 9.2.6, 9.1.9, or higher.
Splunk is actively monitoring and patching Splunk Cloud Platform instances.
Product Status
| Product | Base Version | Component | Affected Version | Fix Version |
|---|---|---|---|---|
| Splunk Enterprise | 9.4 | Splunk Web | 9.4.0 to 9.4.1 | 9.4.2 |
| Splunk Enterprise | 9.3 | Splunk Web | 9.3.0 to 9.3.4 | 9.3.5 |
| Splunk Enterprise | 9.2 | Splunk Web | 9.2.0 to 9.2.5 | 9.2.6 |
| Splunk Enterprise | 9.1 | Splunk Web | 9.1.0 to 9.1.8 | 9.1.9 |
| Splunk Cloud Platform | 9.3.2411 | Splunk Web | Below 9.3.2411.102 | 9.3.2411.103 |
| Splunk Cloud Platform | 9.3.2408 | Splunk Web | Below 9.3.2408.111 | 9.3.2408.112 |
| Splunk Cloud Platform | 9.2.2406 | Splunk Web | Below 9.2.2406.118 | 9.2.2406.119 |
Mitigations and Workarounds
The vulnerability affects instances with Splunk Web turned on. You could turn Splunk Web off as a possible workaround. See Disable unnecessary Splunk Enterprise components and the web.conf configuration specification file for more information on turning Splunk Web off.
Detections
None
Severity
Splunk rates this vulnerability a 4.3, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N.
Acknowledgments
Anton (therceman)