Blind Server Side Request Forgery (SSRF) through Distributed Search Peers in Splunk Enterprise
Advisory ID: SVD-2025-1207
CVE ID: CVE-2025-20388
Published: 2025-12-03
Last Update: 2025-12-03
CVSSv3.1 Score: 2.7, Low
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
CWE: CWE-918
Bug ID: VULN-25727
Description
In Splunk Enterprise versions below 10.0.1, 9.4.6, 9.3.8, and 9.2.10, and Splunk Cloud Platform versions below 10.1.2507.4, 10.0.2503.7, and 9.3.2411.116, a user who holds a role that contains the high privilege capability change_authentication could enumerate internal IP addresses and network ports when adding new search peers to a Splunk search head in a distributed environment.
See Define roles on the Splunk platform with capabilities.
Solution
Upgrade Splunk Enterprise to versions 10.0.2, 9.4.6, 9.3.8, 9.2.10, or higher.
Splunk is actively monitoring and patching Splunk Cloud Platform instances.
Product Status
| Product | Base Version | Component | Affected Version | Fix Version |
|---|---|---|---|---|
| Splunk Enterprise | 10.0 | Splunk Web | Below 10.0.1 | 10.0.1 |
| Splunk Enterprise | 9.4 | Splunk Web | 9.4.0 to 9.4.5 | 9.4.6 |
| Splunk Enterprise | 9.3 | Splunk Web | 9.3.0 to 9.3.7 | 9.3.8 |
| Splunk Enterprise | 9.2 | Splunk Web | 9.2.0 to 9.2.9 | 9.2.10 |
| Splunk Cloud Platform | 10.1.2507 | Splunk Web | Below 10.1.2507.4 | 10.1.2507.4 |
| Splunk Cloud Platform | 10.0.2503 | Splunk Web | Below 10.0.2503.6 | 10.0.2503.6 |
| Splunk Cloud Platform | 9.3.2411 | Splunk Web | Below 9.3.2411.116 | 9.3.2411.116 |
Mitigations and Workarounds
None
Detections
None
Severity
Splunk rates this vulnerability a 2.7, Low, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N.
Acknowledgments
Mr Hack (try_to_hack) Santiago Lopez