This page lists announcements of Splunk Security Advisories. Security Advisories are collections of disclosures and security fixes for supported versions of Splunk products. See the Splunk Support Policy and Product Security at Splunk for more information.

Splunk encourages customers to subscribe to the Mailing List and add its Really Simple Syndication (RSS) feed to their RSS reader to receive a notification when Splunk publishes the advisories. Customers who require additional information that a Security Advisory does not address can visit the Support Portal and submit a New Case.

SVDDateLast ModifiedTitleSeverityCVECVSS VectorCVSS ScoreCWEBugAffected ProductsFixed VersionsAffected VersionsAll Affected VersionsAffected ComponentsDescriptionSolutionMitigationsSeverity SummaryOSSCredit
SVD-2024-12072024-12-102024-12-10 Third-Party Package Updates in Splunk Universal Forwarder - December 2024InformationalNANANANA Splunk Universal Forwarder 9.3
Splunk Universal Forwarder 9.2
Splunk Universal Forwarder 9.1
9.3.2
9.2.4
9.1.7
9.3.0 to 9.3.1
9.2.0 to 9.2.3
9.1.0 to 9.1.6
9.3.2
9.2.4
9.1.7



Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk Universal Forwarder versions 9.1.7, 9.2.4, and 9.3.2, and higher, including the following:Upgrade Splunk Universal Forwarder to versions 9.1.7, 9.2.4, 9.3.2, or higher.NoneThe Splunk Universal Forwarder is not affected by CVE-2024-5535. The implementation does not call `SSL_select_next_proto` and does not use the functionality. Hence, the severity is informational. CVE-2024-5535 - OpenSSL - Upgraded to 1.0.2zk - Informational -
SVD-2024-12062024-12-102024-12-10 Third-Party Package Updates in Splunk Enterprise - December 2024HighNANANANA Splunk Enterprise 9.3
Splunk Enterprise 9.2
Splunk Enterprise 9.1
9.3.2
9.2.4
9.1.7
9.3.0 to 9.3.1
9.2.0 to 9.2.3
9.1.0 to 9.1.6
9.3.2
9.2.4
9.1.7



Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk Enterprise versions 9.1.7, 9.2.4, and 9.3.2, and higher, including the following:Upgrade Splunk Enterprise to versions 9.1.7, 9.2.4, 9.3.2, or higher.NoneFor the CVEs in this list, Splunk adopted the severity rating that the vendor published. Multiple - Apache Common Compress - Upgraded to 1.26.2 - Medium - Upgraded $SPLUNK_HOME/bin/jars/thirdparty/common/commons-compress-1.21.jar from 1.21 to 1.26.2 to remedy CVE-2024-26308 and CVE-2024-25710
CVE-2024-36114 - io.airlift:aircompressor - Removed - High - Splunk Enterprise removed the $SPLUNK_HOME/bin/jars/thirdparty/hive_4_0/hive-exec-4.0.0.jar/META-INF/maven/io.airlift library from hive-exec
CVE-2024-36129 - go-grpc-compression - Upgraded to 1.2.3 - High - Upgraded $SPLUNK_HOME/bin/compsup/github.com/mostynb/go-grpc-compression from 1.2.0 to 1.2.3
CVE-2024-36129 - /go.opentelemetry.io/collector/config/confighttp - Upgraded to 0.106.1 - High - Upgraded $SPLUNK_HOME/bin/compsup/go.opentelemetry.io/collector/config/confighttp from 0.83.0 to 0.106.1.
CVE-2024-36129 - /go.opentelemetry.io/collector/config/configgrpc - Upgraded to 0.106.1 - High - Upgraded $SPLUNK_HOME/bin/compsup/go.opentelemetry.io/collector/config/configgrpc from 0.83.0 to 0.106.1.
CVE-2024-5535 - OpenSSL - Upgraded to 1.0.2zk - Informational - CVE-2024-5535 does not affect Splunk Enterprise. The OpenSSL implementation does not call `SSL_select_next_proto` and does not use the affected functionality. However, out of an abundance of caution, Splunk upgraded it.
CVE-2021-44531 - node.js - Applied patch to 8.17.0 - NA - To remedy CVE-2021-44531, Splunk manually applied the patch to node.js version 8.17.0. The patch disabled URI SAN type during hostname verfication. Now, it will ignore the entries of URI type and only considers DNS names and IP Address for verification.
CVE-2024-45296 - path-to-regexp - Upgrade to 1.9.0 - High - Upgraded path-to-regexp in Splunk Secure Gateway from 1.8.0 to 1.9.0 and downgraded the library from 6.2.2 to 1.9.0 in SplunkWeb.
CVE-2024-4067 - micromatch - Upgraded to 4.0.8 - Medium - Upgraded micromatch in Splunk Monitoring Console from 3.1.10 to 4.0.8.
CVE-2024-4067 - micromatch - Upgraded to 4.0.8 - Medium - Upgraded micromatch in Splunk Secure Gateway from 4.0.5 to 4.0.8
Multiple - elliptic - Upgraded to 6.5.7 - High - Upgraded elliptic in Splunk Monitoring Console from 6.5.4 to 6.5.7 to remedy CVE-2024-42459, CVE-2024-42460 and CVE-2024-42461.
CVE-2024-6531 - bootstrap - Removed - Medium - Splunk Monitoring Console removed the bootstrap dependency.
SVD-2024-12052024-12-102024-12-10 Remote Code Execution through Deserialization of Untrusted Data in Splunk Secure Gateway appHigh CVE-2024-53247CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H8.8CWE-502VULN-16622 Splunk Enterprise 9.3
Splunk Enterprise 9.2
Splunk Enterprise 9.1
Splunk Secure Gateway 3.7
Splunk Secure Gateway 3.4
9.3.2
9.2.4
9.1.7
3.7.13
3.4.261
9.3.1
9.2.3
9.1.0 to 9.1.6
Below 3.7.13
Below 3.4.261
9.3.2
9.2.4
9.1.7
3.7.13
3.4.261
Splunk Secure Gateway
Splunk Secure Gateway
Splunk Secure Gateway


In Splunk Enterprise versions below 9.3.2, 9.2.4, and 9.1.7, and versions below 3.2.461 and 3.7.13 of the Splunk Secure Gateway app on Splunk Cloud Platform, a low-privileged user that does not hold the “admin“ or “power“ Splunk roles could perform a Remote Code Execution (RCE).<br><br>The RCE is possible because of an unsafe deserialization of data due to an insecure usage of the jsonpickle Python library.Upgrade Splunk Enterprise to versions 9.3.2, 9.2.4, and 9.1.7, or higher.<br><br>Splunk is actively monitoring and patching Splunk Cloud Platform instances.Disable the Splunk Secure Gateway App. See [Manage app and add-on objects](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Managingappobjects).<br><br>Note: Splunk Mobile, Spacebridge, and Mission Control rely on functionality in the Splunk Secure Gateway app. If you do not use any of the apps, features, or functionality, as a potential mitigation, you may remove or disable the app.Splunk rates this vulnerability as 8.8, High, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.<br><br>If you remove or disable the Splunk Secure Gateway app, there should be no impact and the severity would be informational. Danylo Dmytriiev (DDV_UA)
SVD-2024-12042024-12-102024-12-10 Sensitive Information Disclosure through SPL commandsMedium CVE-2024-53246CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N5.3CWE-319VULN-20321 Splunk Enterprise 9.3
Splunk Enterprise 9.2
Splunk Enterprise 9.1
Splunk Cloud Platform 9.3.2408
Splunk Cloud Platform 9.2.2406
Splunk Cloud Platform 9.2.2403
Splunk Cloud Platform 9.1.2312
9.3.2
9.2.4
9.1.7
9.3.2408.101
9.2.2406.106
9.2.2403.111
9.1.2312.206
9.3.0 to 9.3.1
9.2.0 to 9.2.3
9.1.0 to 9.1.6
Below 9.3.2408.101
Below 9.2.2406.106
Below 9.2.2403.111
Below 9.1.2312.206
9.3.2
9.2.4
9.1.7
9.3.2408.101
9.2.2406.106
9.2.2403.111
9.1.2312.206
Search
Search
Search
Search
Search
Search
Search
In Splunk Enterprise versions below 9.3.2, 9.2.4, and 9.1.7 and Splunk Cloud Platform versions below 9.3.2408.101, 9.2.2406.106, 9.2.2403.111, and 9.1.2312.206, an SPL command can potentially disclose sensitive information. The vulnerability requires the exploitation of another vulnerability, such as a Risky Commands Bypass, for successful exploitation.<br><br><br>The potential issue does not disclose indexed data or sensitive information concerning the default Splunk Enterprise instance.To fix the problem, perform the following procedure on Splunk Enterprise:<br>1. Upgrade Splunk Enterprise to versions 9.3.2, 9.2.4, 9.1.7, or higher.<br>2. In the `limits.conf` configuration file, under the `[storage_passwords_masking]` stanza, add a line `view_cleartext_spl_rest = false.`<br>3. Restart the Splunk Enterprise instance.<br><br>For more information, see [How to edit a configuration file](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Howtoeditaconfigurationfile) and [the limits.conf configuration specification file](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Limitsconf) for more information.<br><br>Splunk is actively monitoring and patching Splunk Cloud Platform instances.NoneSplunk rates this vulnerability a 5.3, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N. The potential rating might vary due based on the information that appears in the secrets store.<br><br>If you do not use the functionality to store sensitive information, there should be no impact and the severity would be informational.
SVD-2024-12032024-12-102024-12-10 Information Disclosure due to Username Collision with a Role that has the same Name as the UserLow CVE-2024-53245CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N3.1CWE-200VULN-13012 Splunk Enterprise 9.3
Splunk Enterprise 9.2
Splunk Enterprise 9.1
Splunk Cloud Platform 9.1.2312
9.3.0
9.2.4
9.1.7
9.1.2312.206
Not affected
9.2.0 to 9.2.3
9.1.0 to 9.1.6
Below 9.1.2312.206
9.3.0
9.2.4
9.1.7
9.1.2312.206
Splunk Dashboards
Splunk Dashboards
Splunk Dashboards
Splunk Dashboards
In Splunk Enterprise versions below 9.3.0, 9.2.4, and 9.1.7 and Splunk Cloud Platform versions below 9.1.2312.206, a low-privileged user that does not hold the “admin“ or “power“ Splunk roles, that has a username with the same name as a role with read access to a dashboard, could see the dashboard name and the dashboard XML by cloning the dashboard.Upgrade Splunk Enterprise to versions 9.3.0, 9.2.4, 9.1.7, or higher.<br><br>Splunk is actively monitoring and patching Splunk Cloud Platform instances.The vulnerability affects instances with [Splunk Web](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) enabled, turning Splunk Web off is a possible workaround. See [Disable unnecessary Splunk Enterprise components](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) and the [web.conf](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf) configuration specification file for more information on disabling Splunk Web.Splunk rates this vulnerability as a 3.1, Low, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N<br><br>If the Splunk Enterprise instance does not run Splunk Web, there should be no impact and the severity would be informational.
SVD-2024-12022024-12-102024-12-10 Risky command safeguards bypass in “/en-US/app/search/report“ endpoint through “s“ parameterMedium CVE-2024-53244CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N5.7CWE-200VULN-17381 Splunk Enterprise 9.3
Splunk Enterprise 9.2
Splunk Enterprise 9.1
Splunk Cloud Platform 9.2.2406
Splunk Cloud Platform 9.2.2403
Splunk Cloud Platform 9.1.2312
9.3.2
9.2.4
9.1.7
9.2.2406.107
9.2.2403.109
9.1.2312.206
9.3.0 to 9.3.1
9.2.0 to 9.2.3
9.1.0 to 9.1.6
9.2.2406.100 to 9.2.2406.106
9.2.2403.100 to 9.2.2403.108
Below 9.1.2312.206
9.3.2
9.2.4
9.1.7
9.2.2406.107
9.2.2403.109
9.1.2312.206
Splunk Web
Splunk Web
Splunk Web
Splunk Web
Splunk Web
Splunk Web
In Splunk Enterprise versions below 9.3.2, 9.2.4, and 9.1.7 and Splunk Cloud Platform versions below 9.2.2406.107, 9.2.2403.109, and 9.1.2312.206, a low-privileged user that does not hold the “admin“ or “power“ Splunk roles could run a saved search with a risky command using the permissions of a higher-privileged user to bypass the SPL safeguards for risky commands on “/en-US/app/search/report“ endpoint through “s“ parameter.<br><br>The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The authenticated user should not be able to exploit the vulnerability at will.Upgrade Splunk Enterprise to versions 9.1.7, 9.2.4, 9.3.2, or higher.<br><br>Splunk is actively monitoring and patching Splunk Cloud Platform instances.The vulnerability affects instances with [Splunk Web](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) enabled, turning Splunk Web off is a possible workaround. See [Disable unnecessary Splunk Enterprise components](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) and the [web.conf](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf) configuration specification file for more information on disabling Splunk Web.Splunk rates this vulnerability as a 5.7, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N.<br><br>If the Splunk Enterprise instance does not run Splunk Web, there should be no impact and the severity would be informational.
SVD-2024-12012024-12-102024-12-10 Information Disclosure in Mobile Alert Responses in Splunk Secure GatewayMedium CVE-2024-53243CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N4.3CWE-200VULN-13826 Splunk Enterprise 9.3
Splunk Enterprise 9.2
Splunk Enterprise 9.1
Splunk Secure Gateway 3.8
Splunk Secure Gateway 3.7
Splunk Secure Gateway 3.4
9.3.2
9.2.4
9.1.7
3.8.5
3.7.18
3.4.262
9.3.0 to 9.3.1
9.2.0 to 9.2.3
9.1.0 to 9.1.6
3.8.0 to 3.8.4
Below 3.7.18
Below 3.4.262
9.3.2
9.2.4
9.1.7
3.8.5
3.7.18
3.4.262
Splunk Secure Gateway
Splunk Secure Gateway
Splunk Secure Gateway



In Splunk Enterprise versions below 9.3.2, 9.2.4, and 9.1.7 and versions below 3.2.462, 3.7.18, and 3.8.5 of the Splunk Secure Gateway app on Splunk Cloud Platform, a low-privileged user that does not hold the “admin“ or “power“ Splunk roles could see alert search query responses using Splunk Secure Gateway App Key Value Store (KVstore) collections endpoints due to improper access control.Upgrade Splunk Enterprise to versions 9.3.2, 9.2.4, 9.1.7, or higher.<br><br>Splunk is actively monitoring and patching Splunk Cloud Platform instances.Disable the Splunk Secure Gateway App. See [Manage app and add-on objects](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Managingappobjects).<br><br>Note: Splunk Mobile, Spacebridge, and Mission Control rely on functionality in $SPLUNK_HOME/etc/apps/splunk_secure_gateway. If you do not use any of the apps, features, or functionality, as a potential mitigation, you may remove or disable the app.Splunk rates this vulnerability as a 4.3, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N<br><br>If you remove or disable the Splunk Secure Gateway app, there should be no impact and the severity would be informational. Anton (therceman)
SVD-2024-11022024-11-262024-11-26 Third-Party Package Updates in Splunk Machine Learning Toolkit - November 2024High Splunk Machine Learning Toolkit (MLTK) 5.5
5.5.0
Below 5.5.0
5.5.0

Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk Machine Learning Toolkit (MLTK) version 5.5.0 including the following:Upgrade Splunk Machine Learning Toolkit (MLTK) to version 5.5.0 or higher. <br><br>For Splunk Machine Learning Toolkit (MLTK), upgrading PSC to 4.2.2 requires updating MLTK to 5.5.0 or higher. See [Upgrade the Splunk Machine Learning Toolkit](https://docs.splunk.com/Documentation/MLApp/latest/User/Upgrade) for help upgrading and [Install the Splunk Machine Learning Toolkit](https://docs.splunk.com/Documentation/MLApp/latest/User/Installandconfigure) for more information on the version compatibility.NoneFor the CVEs in this list, Splunk adopted the vendor's severity rating or the National Vulnerability Database (NVD) common vulnerability scoring system (CVSS) rating, as available. CVE-2024-45801 - dompurify - Upgraded to 2.5.4 - High -
CVE-2024-44270 - postcss - Upgraded to 8.4.31 - Medium -
CVE-2024-29489 - highcharts - Upgraded to 9.0.0 - Medium -
SVD-2024-11012024-11-262024-11-26 Third-Party Package Updates in Python for Scientific Computing - November 2024Low Python for Scientific Computing (for Linux 64-bit) 4.2
Python for Scientific Computing (for Mac Apple Silicon) 4.2
Python for Scientific Computing (for Mac Intel) 4.2
Python for Scientific Computing (for Windows 64-bit) 4.2
Python for Scientific Computing (for Linux 64-bit) 3.2
Python for Scientific Computing (for Mac Apple Silicon) 3.2
Python for Scientific Computing (for Mac Intel) 3.2
Python for Scientific Computing (for Windows 64-bit) 3.2
4.2.2
4.2.2
4.2.2
4.2.2
3.2.2
3.2.2
3.2.2
3.2.2
4.2.1
4.2.1
4.2.1
4.2.1
3.2.1
3.2.1
3.2.1
3.2.1
4.2.2
4.2.2
4.2.2
4.2.2
3.2.2
3.2.2
3.2.2
3.2.2








Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Python for Scientific Computing versions 3.2.2, 4.2.2 and higher. including the following:Upgrade Python for Scientific Computing (PSC) to version 3.2.2, 4.2.2 or higher. <br><br>For Splunk Machine Learning Toolkit (MLTK), upgrading PSC to 4.2.2 requires updating MLTK to 5.5.0 or higher. See [Upgrade the Splunk Machine Learning Toolkit](https://docs.splunk.com/Documentation/MLApp/latest/User/Upgrade) for help upgrading and [Install the Splunk Machine Learning Toolkit](https://docs.splunk.com/Documentation/MLApp/latest/User/Installandconfigure) for more information on the version compatibility.<br><br>For Splunk IT Service Intelligence (ITSI), upgrading PSC to 4.2.2 may cause errors with ITSI Predictive Analytics. After upgrading, ITSI Predictive Analytics models may require retraining. See [Retrain a predictive model in ITSI](https://docs.splunk.com/Documentation/ITSI/latest/SI/ManageModel) for more information.NoneFor the CVEs in this list, Splunk adopted the vendor's severity rating. CVE-2024-5535 - OpenSSL - Upgraded to 3.3.2 - Low -
SVD-2024-10152024-10-302024-10-30 Third-Party Package Updates in the Splunk Add-on for Cisco Meraki - October 2024High Splunk Add-on for Cisco Meraki 2.2
2.2.0
Below 2.2.0
2.2.0

Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in the Splunk Add-on for Cisco Meraki version 2.2.0 and higher, including the following:Upgrade Splunk Add-on for Cisco Meraki versions 2.2.0 or higher.NoneFor the CVEs in this list, Splunk adopted one of the following ratings:<br>- Where applicable, the severity rating that the vendor published, or<br>- The national vulnerability database (NVD) common vulnerability scoring system (CVSS) rating, otherwise. CVE-2024-3651 - idna - Upgraded to 3.8 - High -
CVE-2024-37891 - urllib3 - Upgraded to 1.26.20 - Medium -
CVE-2024-34062 - tqdm - Removed - Medium -
CVE-2024-39689 - certifi - Upgraded to 2024.8.30 - High -
SVD-2024-10142024-10-302024-10-30 Third-Party Package Updates in the Splunk Add-on for Google Cloud Platform - October 2024High Splunk Add-on for Google Cloud Platform 4.7
4.7.0
Below 4.7.0
4.7.0

Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in the Splunk Add-on for Google Cloud Platform versions 4.7.0 and higher, including the following:Upgrade the Splunk Add-on for Google Cloud Platform to version 4.7.0 or higher.NoneFor the CVEs in this list, Splunk adopted one of the following ratings:<br>- Where applicable, the severity rating that the vendor published, or<br>- The national vulnerability database (NVD) common vulnerability scoring system (CVSS) rating, otherwise. CVE-2024-37891 - urllib3 - Upgraded to 1.26.19 - Medium -
CVE-2024-39689 - certifi - Upgraded to 2024.7.4 - High -
SVD-2024-10132024-10-172024-10-17 Third-Party Package Updates in Splunk Add-on for Office 365 - October 2024High Splunk Add-on for Office 365 4.5.2
4.5.2
Below 4.5.2
4.5.2

Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk Add-on for Office 365 versions 4.5.2 and higher, including the following:Upgrade Splunk Add-on for Office 365 versions 4.5.2 or higher.NoneFor the CVEs in this list, Splunk adopted one of the following ratings:<br> - Where applicable, the severity rating that the vendor published, or<br> - The national vulnerability database (NVD) common vulnerability scoring system (CVSS) rating, otherwise. CVE-2024-3651 - idna - Upgraded to 3.7 - High -
CVE-2024-37891 - urllib3 - Upgraded to 1.26.19 - Medium -
CVE-2024-39689 - certifi - Upgraded to 2024.7.4 - High -
CVE-2023-32681 - requests - Upgraded to 2.31.0 - Medium -
SVD-2024-10122024-10-142024-10-14 Third-Party Package Updates in Splunk Enterprise - October 2024High---- Splunk Enterprise 9.3
Splunk Enterprise 9.2
Splunk Enterprise 9.1
9.3.1
9.2.3
9.1.6
9.3.0
9.2.0 to 9.2.2
9.1.0 to 9.1.5
9.3.1
9.2.3
9.1.6



Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk Enterprise versions 9.3.1, 9.2.3, 9.1.6, and higher, including the following:Upgrade Splunk Enterprise to versions 9.3.1, 9.2.3, 9.1.6, or higher.NoneFor the CVEs in this list, Splunk adopted one of the following ratings:<br>&nbsp;&nbsp;&nbsp;- Where applicable, the severity rating that the vendor published, or<br>&nbsp;&nbsp;&nbsp;- The national vulnerability database (NVD) common vulnerability scoring system (CVSS) rating, otherwise. CVE-2023-45803 - urllib3 - Upgraded to 1.26.19 - Medium -
CVE-2023-43804 - urllib3 - Upgraded to 1.26.19 - Medium -
CVE-2024-37891 - urllib3 - Upgraded to 1.26.19 - Medium -
CVE-2024-35195 - requests - Upgraded to 1.32.3 - Medium - Upgrade requests in $SPLUNK_HOME/lib/python3.9/site-packages/ in 9.3.1
CVE-2024-35195 - requests - Applied patch to 2.31.0 - Medium - Applied the patch for CVE-2024-35195 to requests 2.31.0 in $SPLUNK_HOME/lib/python3.7/site-packages/
CVE-2022-42969 - py - Removed - Medium - Splunk removed pypi:py from the splunk-rolling-upgrade app in 9.3.0, 9.2.3, and 9.1.6
Multiple - OpenLDAP - Upgraded to 2.4.59 - Multiple - Upgraded OpenLDAP in splunkd to remedy CVE-2020-12243, CVE-2020-15719, CVE-2020-25692, CVE-2020-36222, CVE-2020-36223, CVE-2020-36221, CVE-2020-36224, CVE-2020-36225, CVE-2020-36229, CVE-2020-36226, CVE-2020-36227, CVE-2020-36228, CVE-2020-36230, CVE-2021-27212, CVE-2017-14159, CVE-2017-17740, CVE-2019-13057, and CVE-2019-13565.
CVE-2022-29155 - OpenLDAP - Applied patch to 2.4.59 - Informational -
CVE-2023-2953 - OpenLDAP - Applied patch to 2.4.59 - High -
CVE-2015-3276 - OpenLDAP - Applied patch to 2.4.59 - High -
CVE-2024-28180 - go-jose.v2 - Upgrade to 2.6.3 - Medium - Upgraded in $SPLUNK_HOME/bin/compsup, $SPLUNK_HOME/etc/apps/splunk_assist/bin/linux_x86_64/assistsup and $SPLUNK_HOME/etc/apps/splunk_assist/bin/windows_x86_64/assistsup.exe
Multiple - golang.org/x/net - Upgraded to 0.23.0 - Multiple - Upgraded in $SPLUNK_HOME/bin/compsup, $SPLUNK_HOME/etc/apps/splunk_assist/bin/linux_x86_64/assistsup and $SPLUNK_HOME/etc/apps/splunk_assist/bin/windows_x86_64/assistsup.exe to remedy CVE-2023-45288, CVE-2023-44487, and CVE-2023-39325
CVE-2024-24786 - google.golang.org/protobuf - Upgraded to 1.34.1 - Informational - Upgraded in $SPLUNK_HOME/bin/compsup, $SPLUNK_HOME/etc/apps/splunk_assist/bin/linux_x86_64/assistsup and $SPLUNK_HOME/etc/apps/splunk_assist/bin/windows_x86_64/assistsup.exe
CVE-2023-44487 - google.golang.org/grpc - Upgrade to 1.62.1 - High - Upgraded in $SPLUNK_HOME/etc/apps/splunk_assist/bin/linux_x86_64/assistsup and $SPLUNK_HOME/etc/apps/splunk_assist/bin/windows_x86_64/assistsup.exe
CVE-2023-48795 - golang.org/x/crypto - Upgrade to 0.23.0 - Medium - Upgraded in $SPLUNK_HOME/bin/mongodump and $SPLUNK_HOME/bin/mongorestore
CVE-2023-48795 - golang.org/x/crypto - Upgrade to 0.21.0 - Medium - Upgraded in $SPLUNK_HOME/bin/compsup. The compsup binary is not present in 9.1 versions.
CVE-2023-47108 - go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc - 0.49.0 - High - Upgraded in $SPLUNK_HOME/bin/compsup. The compsup binary is not present in 9.1 versions.
CVE-2023-45142 - go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp - 0.49.0 - High - Upgraded in $SPLUNK_HOME/bin/compsup. The compsup binary is not present in 9.1 versions.
CVE-2024-24557 - github.com/docker/docker - Upgraded to 26.0.0 - Medium - Upgraded in $SPLUNK_HOME/bin/compsup. The compsup binary is not present in 9.1 versions.
Multiple - golang - Upgraded golang in assistsup to 1.22.4 - Multiple - Upgraded $SPLUNK_HOME/etc/apps/splunk_assist/bin/linux_x86_64/assistsup and $SPLUNK_HOME/etc/apps/splunk_assist/bin/windows_x86_64/assistsup.exe from 1.22.1 to 1.22.4 to remedy CVE-2024-24790 and CVE-2023-45288.
Multiple - golang - Upgraded golang in compsup to 1.22.4 - Multiple - Upgraded $SPLUNK_HOME/bin/compsup from 1.22.1 to 1.22.4 to remedy CVE-2024-24790 and CVE-2023-45288
Multiple - golang - Upgraded golang mongodump and mongorestore to 1.22.4 - Multiple - Upgraded $SPLUNK_HOME/bin/mongodump and $SPLUNK_HOME/bin/mongorestore from 1.20.10 to 1.22.4 to remedy CVE-2023-45288, CVE-2023-39318, CVE-2023-45285, CVE-2023-45284, CVE-2023-45283, CVE-2023-39326, CVE-2023-39319, and CVE-2024-24790
Multiple - golang - Removed spl2-orchestrator binary - Multiple - Splunk Enterprise 9.2.3 removed the $SPLUNK_HOME/bin/spl2-orchestrator binary to remedy CVE-2023-26125, CVE-2023-29401, CVE-2023-39325, CVE-2023-3978, CVE-2023-44487, CVE-2023-45288, CVE-2023-44487, CVE-2023-48795, CVE-2023-50658, CVE-2024-24786, CVE-2024-28180, CVE-2024-24790, CVE-2023-45288, CVE-2023-45285, CVE-2023-45284, CVE-2023-45283, CVE-2023-39326, CVE-2023-39323, CVE-2023-39322, CVE-2023-39321, CVE-2023-39320, CVE-2023-39319, and CVE-2023-39318. The spl2-orchestrator binary was present in versions 9.2.0 through 9.2.2.
SVD-2024-10112024-10-142024-10-14 Persistent Cross-Site Scripting (XSS) via props.conf on Splunk EnterpriseMedium CVE-2024-45741CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N5.4CWE-79VULN-17034 Splunk Enterprise 9.3
Splunk Enterprise 9.2
Splunk Enterprise 9.1
Splunk Cloud Platform 9.2.2403
Splunk Cloud Platform 9.1.2312
9.3.0
9.2.3
9.1.6
9.2.2403.108
9.1.2312.205
Not affected
9.2.0 to 9.2.2
9.1.0 to 9.1.5
9.2.2403.100 to 9.2.2403.107
Below 9.1.2312.205
9.3.0
9.2.3
9.1.6
9.2.2403.108
9.1.2312.205
Splunk Web
Splunk Web
Splunk Web
Splunk Web
Splunk Web
In Splunk Enterprise versions below 9.2.3 and 9.1.6 and Splunk Cloud Platform versions below 9.2.2403.108 and 9.1.2312.205, a low-privileged user that does not hold the "admin" or "power" Splunk roles could create a malicious payload through a custom configuration file that the "api.uri" parameter from the "/manager/search/apps/local" endpoint in Splunk Web calls. This could result in execution of unauthorized JavaScript code in the browser of a user.Upgrade Splunk Enterprise to versions 9.3.0, 9.2.3, 9.1.6, or higher.<br><br>Splunk is actively monitoring and patching Splunk Cloud Platform instances.The vulnerability affects instances with [Splunk Web](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) enabled, turning Splunk Web off is a possible workaround. See [Disable unnecessary Splunk Enterprise components](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) and the [web.conf](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf) configuration specification file for more information on disabling Splunk Web.Splunk rates this vulnerability as 5.4, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N.<br><br>If the Splunk Enterprise instance does not run Splunk Web, there should be no impact and the severity would be informational. Danylo Dmytriiev (DDV_UA)
SVD-2024-10102024-10-142024-10-14 Persistent Cross-Site Scripting (XSS) through Scheduled Views on Splunk EnterpriseMedium CVE-2024-45740CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N5.4CWE-79VULN-16899 Splunk Enterprise 9.3
Splunk Enterprise 9.2
Splunk Enterprise 9.1
Splunk Cloud Platform 9.2.2403
9.3.0
9.2.3
9.1.6
9.2.2403.100
Not affected
9.2.0 to 9.2.2
9.1.0 to 9.1.5
Below 9.2.2403
9.3.0
9.2.3
9.1.6
9.2.2403.100
Splunk Web
Splunk Web
Splunk Web
Splunk Web
In Splunk Enterprise versions below 9.2.3 and 9.1.6 and Splunk Cloud Platform versions below 9.2.2403, a low-privileged user that does not hold the "admin" or "power" Splunk roles could craft a malicious payload through Scheduled Views that could result in execution of unauthorized JavaScript code in the browser of a user.Upgrade Splunk Enterprise to versions 9.3.0, 9.2.3, 9.1.6, or higher.<br><br>Splunk is actively monitoring and patching Splunk Cloud Platform instances.The vulnerability affects instances with [Splunk Web](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) enabled, turning Splunk Web off is a possible workaround. See [Disable unnecessary Splunk Enterprise components](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) and the [web.conf](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf) configuration specification file for more information on disabling Splunk Web.Splunk rates this vulnerability as 5.4, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N.<br><br>If the Splunk Enterprise instance does not run Splunk Web, there should be no impact and the severity would be informational. Danylo Dmytriiev (DDV_UA)
SVD-2024-10092024-10-142024-10-14 Sensitive information disclosure in AdminManager logging channelMedium CVE-2024-45739CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N4.9CWE-200VULN-15407 Splunk Enterprise 9.3
Splunk Enterprise 9.2
Splunk Enterprise 9.1
9.3.1
9.2.3
9.1.6
9.3.0
9.2.0 to 9.2.2
9.1.0 to 9.1.5
9.3.1
9.2.3
9.1.6
splunkd
splunkd
splunkd
In Splunk Enterprise versions below 9.3.1, 9.2.3, and 9.1.6, the software potentially exposes plaintext passwords for local native authentication Splunk users. This exposure could happen when you configure the Splunk Enterprise `AdminManager` log channel at the DEBUG logging level.<br><br>The vulnerability would require either local access to the log files or administrative access to internal indexes, which by default only the admin role receives. Review roles and capabilities on your instance and restrict internal index access to administrator-level roles. See [Define roles on the Splunk platform with capabilities](https://docs.splunk.com/Documentation/Splunk/latest/Security/Rolesandcapabilities) in the Splunk documentation for more information.There are multiple solutions depending on how you have configured the Splunk Enterprise instance `AdminManager` log channel.<br><br>First, determine whether or not debug logging is on for the `AdminManager` log channel. You must log into the Splunk Enterprise instance as an admin user or equivalent to perform these actions. To determine the logging level for this log channel on the instance:<br>&nbsp;&nbsp;&nbsp;1. In a web browser, visit the Server Logging Settings page in Splunk Web at `/en-US/manager/system/server/logger`.<br>&nbsp;&nbsp;&nbsp;2. Review the Logging Level column on the page that loads. If the `AdminManager` row in this column shows DEBUG as the logging level, then the Splunk Enterprise `AdminManager` log channel is in debug mode. Otherwise, it is not in debug mode.<br>See [Enable debug logging](https://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/Enabledebuglogging) for more information.<br><br>If the previous steps determine that debug logging is enabled in that log channel, then remedy the problem by performing the following tasks:<br>&nbsp;&nbsp;&nbsp;1. Upgrade Splunk Enterprise to versions 9.3.1, 9.2.3, 9.1.6, or higher.<br>&nbsp;&nbsp;&nbsp;2. Delete the following log file on the Splunk Enterprise instance: `$SPLUNK_HOME/var/log/splunk/splunkd.log`<br>&nbsp;&nbsp;&nbsp;3. Delete all the Splunk Enterprise log file events for the `AdminManager` component from the `_internal` index by running the following search command:<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;`index=_internal component=AdminManager | delete`If it isn’t currently possible to upgrade to a fixed version of Splunk Enterprise, you can remedy the vulnerability by doing the following:<br>&nbsp;&nbsp;&nbsp;1. Configure the `AdminManager` log channel to a logging level that is less verbose than DEBUG.<br>&nbsp;&nbsp;&nbsp;2. Delete the following log file on the Splunk Enterprise instance: `$SPLUNK_HOME/var/log/splunk/splunkd.log`<br>&nbsp;&nbsp;&nbsp;3. Delete all the Splunk Enterprise log file events for `AdminManager` component from the `_internal` index by running the following search command:<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;`index=_internal component=AdminManager | delete`Splunk rates this vulnerability as a 4.9, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N. Eric McGinnis, Splunk
Rod Soto, Splunk
SVD-2024-10082024-10-142024-10-14 Sensitive information disclosure in REST_Calls logging channelMedium CVE-2024-45738CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N4.9CWE-200VULN-15407 Splunk Enterprise 9.3
Splunk Enterprise 9.2
Splunk Enterprise 9.1
9.3.1
9.2.3
9.1.6
9.3.0
9.2.0 to 9.2.2
9.1.0 to 9.1.5
9.3.1
9.2.3
9.1.6
splunkd
splunkd
splunkd
In Splunk Enterprise versions below 9.3.1, 9.2.3, and 9.1.6, the software potentially exposes sensitive HTTP parameters to the `_internal` index. This exposure could happen if you configure the Splunk Enterprise `REST_Calls` log channel at the DEBUG logging level.<br><br>The vulnerability would require either local access to the log files or administrative access to internal indexes, which by default only the admin role receives. Review roles and capabilities on your instance and restrict internal index access to administrator-level roles. See [Define roles on the Splunk platform with capabilities](https://docs.splunk.com/Documentation/Splunk/latest/Security/Rolesandcapabilities) in the Splunk documentation for more information.There are multiple solutions depending on how you have configured the Splunk Enterprise instance `REST_Calls` log channel.<br><br>First, determine whether or not debug logging is on for the `REST_Calls` log channel. You must log into the Splunk Enterprise instance as an admin user or equivalent to perform these actions.To determine the log channel logging mode on the instance:<br>&nbsp;&nbsp;&nbsp;1. In a web browser, visit the Server Logging Settings page in Splunk Web at `/en-US/manager/system/server/logger`.<br>&nbsp;&nbsp;&nbsp;2. Review the Logging Level column on the page that loads. If the `REST_Calls` row in this column shows DEBUG as the logging level, then the Splunk Enterprise REST_Call log channel is in debug mode. Otherwise, it is not in debug mode.<br>See [Enable debug logging](https://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/Enabledebuglogging) for more information.<br><br>If the previous steps determine that debug logging is enabled in that log channel, then remedy the problem by performing the following tasks:<br>&nbsp;&nbsp;&nbsp;1. Upgrade Splunk Enterprise to versions 9.3.1, 9.2.3, 9.1.6, or higher.<br>&nbsp;&nbsp;&nbsp;2. Delete the following log file on the Splunk Enterprise instance: `$SPLUNK_HOME/var/log/splunk/splunkd.log`<br>&nbsp;&nbsp;&nbsp;3. Delete all the Splunk Enterprise log file events for the `REST_Calls` component from the `_internal` index by running the following search command:<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;`index=_internal component=REST_Calls | delete`If it isn’t currently possible to upgrade to a fixed version of Splunk Enterprise, you can remedy the vulnerability by doing the following:<br>&nbsp;&nbsp;&nbsp;1. Configure the `REST_Calls` log channel to a logging level that is less verbose than DEBUG.<br>&nbsp;&nbsp;&nbsp;2. Delete the following log file on the Splunk Enterprise instance: `$SPLUNK_HOME/var/log/splunk/splunkd.log`<br>&nbsp;&nbsp;&nbsp;3. Delete all of the Splunk Enterprise log file events for the `REST_Calls` component from the `_internal` index by running the following search command:<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;`index=_internal component=REST_Calls | delete`Splunk rates this vulnerability as a 4.9, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N. Eric McGinnis, Splunk
Rod Soto, Splunk
SVD-2024-10072024-10-142024-10-14 Maintenance mode state change of App Key Value Store (KVStore) through Cross-Site Request Forgery (CSRF)Medium CVE-2024-45737CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L4.3CWE-352VULN-15375 Splunk Enterprise 9.3
Splunk Enterprise 9.2
Splunk Enterprise 9.1
Splunk Cloud Platform 9.2.2403
Splunk Cloud Platform 9.1.2312
9.3.1
9.2.3
9.1.6
9.2.2403.108
9.1.2312.204
9.3.0
9.2.0 to 9.2.2
9.1.0 to 9.1.5
9.2.2403.102 to 9.2.2403.107
Below 9.1.2312.204
9.3.1
9.2.3
9.1.6
9.2.2403.108
9.1.2312.204
Splunk Web
Splunk Web
Splunk Web
Splunk Web
Splunk Web
In Splunk Enterprise versions below 9.3.1, 9.2.3, and 9.1.6 and Splunk Cloud Platform versions below 9.2.2403.108, and 9.1.2312.204, a low-privileged user that does not hold the "admin" or "power" Splunk roles could change the maintenance mode state of App Key Value Store (KVStore) through a Cross-Site Request Forgery (CSRF).Upgrade Splunk Enterprise to versions 9.3.1, 9.2.3, 9.1.6, or higher.<br><br>Splunk is actively monitoring and patching Splunk Cloud Platform instances.The vulnerability affects instances with [Splunk Web](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) turned on. You could turn Splunk Web off as a possible workaround. See [Disable unnecessary Splunk Enterprise components](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) and the [web.conf](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf) configuration specification file for more information on turning Splunk Web off.Splunk rates this vulnerability as a 4.3, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L. <br><br>If the Splunk Enterprise instance does not run Splunk Web, there should be no impact and the severity would be informational. Anton (therceman)
SVD-2024-10062024-10-142024-10-14 Improperly Formatted ‘INGEST_EVAL’ Parameter Crashes Splunk DaemonMedium CVE-2024-45736CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H6.5CWE-400VULN-16989 Splunk Enterprise 9.3
Splunk Enterprise 9.2
Splunk Enterprise 9.1
Splunk Cloud Platform 9.2.2403
Splunk Cloud Platform 9.1.2312
Splunk Cloud Platform 9.1.2312
9.3.1
9.2.3
9.1.6
9.2.2403.107
9.1.2312.204
9.1.2312.111
9.3.0
9.2.0 to 9.2.2
9.1.0 to 9.1.5
9.2.2403.100 to 9.2.2403.106
9.1.2312.200 to 9.1.2312.203
Below 9.1.2312.111
9.3.1
9.2.3
9.1.6
9.2.2403.107
9.1.2312.204
9.1.2312.111
splunkd
splunkd
splunkd
splunkd
splunkd
splunkd
In Splunk Enterprise versions below 9.3.1, 9.2.3, and 9.1.6 and Splunk Cloud Platform versions below 9.2.2403.107, 9.1.2312.204, and 9.1.2312.111, a low-privileged user that does not hold the "admin" or "power" Splunk roles could craft a search query with an improperly-formatted "INGEST_EVAL" parameter as part of a [Field Transformation](https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Managefieldtransforms) which could crash the Splunk daemon (splunkd).Upgrade Splunk Enterprise to versions 9.3.1, 9.2.3, 9.1.6, or higher.<br><br>Splunk is actively monitoring and patching Splunk Cloud Platform instances.NoneSplunk rates this vulnerability as 6.5, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. Danylo Dmytriiev (DDV_UA)
SVD-2024-10052024-10-142024-10-14 Improper Access Control for low-privileged user in Splunk Secure Gateway AppMedium CVE-2024-45735CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N4.3CWE-284VULN-12960 Splunk Enterprise 9.3
Splunk Enterprise 9.2
Splunk Enterprise 9.1
Splunk Secure Gateway 3.7
Splunk Secure Gateway 3.6
Splunk Secure Gateway 3.4
9.3.0
9.2.3
9.1.6
3.7.0
3.6.17
3.4.259
Not affected
9.2.0 to 9.2.2
9.1.0 to 9.1.5
Not affected
3.6.0 to 3.6.16
Below 3.4.259
9.3.0
9.2.3
9.1.6
3.7.0
3.6.17
3.4.259
Splunk Secure Gateway
Splunk Secure Gateway
Splunk Secure Gateway



In Splunk Enterprise versions below 9.2.3 and 9.1.6, and Splunk Secure Gateway versions on Splunk Cloud Platform versions below 3.4.259, 3.6.17, and 3.7.0, a low-privileged user that does not hold the "admin" or "power" Splunk roles can see App Key Value Store (KV Store) deployment configuration and public/private keys in the Splunk Secure Gateway App.Upgrade Splunk Enterprise to versions 9.3.0, 9.2.3, 9.1.6 or higher.<br><br>Splunk is actively monitoring Splunk Cloud Platform instances and upgrading Splunk Secure Gateway.Splunk Mobile, Spacebridge, and Mission Control rely on functionality in $SPLUNK_HOME/etc/apps/splunk_secure_gateway. If you do not use any of the apps, features, or functionality, as a potential mitigation, you may remove or disable the app. See [Manage app and add-on objects](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Managingappobjects).Splunk rates this vulnerability as a 4.3, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. Gabriel Nitu, Splunk
SVD-2024-10042024-10-142024-10-14 Low Privilege User can View Images on the Host Machine by using the PDF Export feature in Splunk Classic DashboardMedium CVE-2024-45734CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N4.3CWE-284VULN-16371 Splunk Enterprise 9.3
Splunk Enterprise 9.2
Splunk Enterprise 9.1
9.3.0
9.2.3
9.1.6
Not affected
9.2.0 to 9.2.2
9.1.0 to 9.1.5
9.3.0
9.2.3
9.1.6
pdfgen
pdfgen
pdfgen
In Splunk Enterprise versions below 9.2.3, and 9.1.6, a low-privileged user that does not hold the "admin" or "power" Splunk roles could view images on the machine that runs Splunk Enterprise by using the PDF export feature in Splunk classic dashboards. The images on the machine could be exposed by exporting the dashboard as a PDF, using the local image path in the img tag in the source extensible markup language (XML) code for the Splunk classic dashboard.Upgrade Splunk Enterprise to versions 9.3.1, 9.2.3, 9.1.6 or higher.The vulnerability affects instances with [Splunk Web](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) turned on. You could turn Splunk Web off as a possible workaround. See [Disable unnecessary Splunk Enterprise components](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) and the[ web.conf](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf) configuration specification file for more information on turning Splunk Web off.Splunk rates this vulnerability as 4.3, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. <br>If the machine where Splunk Enterprise is installed does not contain directories with images in them, then there should be no impact and the severity would be Informational.<br><br>If the Splunk Enterprise instance does not run Splunk Web, then there should be no impact and the severity would be informational. Anton (therceman)
SVD-2024-10032024-10-142024-10-14 Remote Code Execution (RCE) due to insecure session storage configuration in Splunk Enterprise on WindowsHigh CVE-2024-45733CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H8.8CWE-502VULN-16990 Splunk Enterprise 9.3
Splunk Enterprise 9.2
Splunk Enterprise 9.1
9.3.0
9.2.3
9.1.6
Not affected
9.2.0 to 9.2.2
9.1.0 to 9.1.5
9.3.0
9.2.3
9.1.6
Splunk Web
Splunk Web
Splunk Web
In Splunk Enterprise for Windows versions below 9.2.3 and 9.1.6, a low-privileged user that does not hold the "admin" or "power" Splunk roles could perform a Remote Code Execution (RCE) due to insecure session storage configuration.Upgrade Splunk Enterprise to versions 9.3.0, 9.2.3, and 9.1.6, or higher.If users do not log in to Splunk Web on indexers in a distributed environment, disable Splunk Web on those indexers. See [Disable unnecessary Splunk Enterprise components](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) and the [web.conf configuration specification](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf) file in the Splunk documentation for more information on disabling Splunk Web.Splunk rates this vulnerability as 8.8, High, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. <br><br>If the Splunk Enterprise instance does not run on Windows, there should be no impact and the severity would be Informational.<br><br>If the Splunk Enterprise instance does not run Splunk Web, there should be no impact and the severity would be Informational. Alex Hordijk
SVD-2024-10022024-10-142024-10-14 Low-privileged user could run search as nobody in SplunkDeploymentServerConfig appHigh CVE-2024-45732CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N7.1CWE-862VULN-14891 Splunk Enterprise 9.3
Splunk Enterprise 9.2
Splunk Cloud Platform 9.2.2403
Splunk Cloud Platform 9.1.2312
Splunk Cloud Platform 9.1.2308
9.3.1
9.2.3
9.2.2403.103
9.1.2312.110, 9.1.2312.200
9.1.2308.208
9.3.0
9.2.0 to 9.2.2
9.2.2403.102 to 9.2.2403.102
9.1.2312.100 to 9.1.2312.109
Below 9.1.2308.207
9.3.1
9.2.3
9.2.2403.103
9.1.2312.110, 9.1.2312.200
9.1.2308.208
SplunkDeploymentServerConfig
SplunkDeploymentServerConfig
SplunkDeploymentServerConfig
SplunkDeploymentServerConfig
SplunkDeploymentServerConfig
In Splunk Enterprise versions below 9.3.1, and 9.2.0 versions below 9.2.3, and Splunk Cloud Platform versions below 9.2.2403.103, 9.1.2312.200, 9.1.2312.110 and 9.1.2308.208, a low-privileged user that does not hold the "admin" or "power" Splunk roles could run a search as the "nobody" Splunk user in the SplunkDeploymentServerConfig app. This could let the low-privileged user access potentially restricted data.Upgrade Splunk Enterprise to versions 9.3.1, 9.2.3 or higher. Splunk Enterprise 9.1 versions and below are not affected.<br>Splunk is actively monitoring and patching Splunk Cloud Platform instances.You can modify the local.meta file in the `$SPLUNK_HOME/etc/apps/SplunkDeploymentServerConfig/metadata `directory to restrict write access to knowledge objects within Splunk apps.<br>Use the following metadata settings in each file to restrict access:<br>&nbsp;&nbsp;&nbsp;`[]`<br>&nbsp;&nbsp;&nbsp;`access = read : [ * ], write : [ admin ]`<br><br>To apply the same restrictions to other apps by default, you may add the same configuration to the local.meta file in the `$SPLUNK_HOME/etc/apps/<app name>/metadata` directory. <br><br>The vulnerability affects instances with [Splunk Web](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) enabled, turning Splunk Web off is a possible workaround. See [Disable unnecessary Splunk Enterprise components](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) and the [web.conf](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf) configuration specification file for more information on disabling Splunk Web.Splunk rates this vulnerability as a 7.1, High, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N. <br><br>If the local.meta file in the app directory has the proper metadata settings, there should be no impact and the severity would be Informational.<br><br>If the Splunk Enterprise instance does not run Splunk Web, there should be no impact and the severity would be informational. Anton (therceman)
SVD-2024-10012024-10-142024-10-14 Potential Remote Command Execution (RCE) through arbitrary file write to Windows system root directory when Splunk Enterprise for Windows is installed on a separate diskHigh CVE-2024-45731CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H8.0CWE-23VULN-16991 Splunk Enterprise 9.3
Splunk Enterprise 9.2
Splunk Enterprise 9.1
9.3.1
9.2.3
9.1.6
9.3.0
9.2.0 to 9.2.2
9.1.0 to 9.1.5
9.3.1
9.2.3
9.1.6
Splunk Web
Splunk Web
Splunk Web
In Splunk Enterprise for Windows versions below 9.3.1, 9.2.3, and 9.1.6, a low-privileged user that does not hold the "admin" or "power" Splunk roles could write a file to the Windows system root directory, which has a default location in the Windows System32 folder, when Splunk Enterprise for Windows is installed on a separate drive. The user could potentially write a malicious DLL which, if loaded, could result in a remote execution of the code within that DLL.Upgrade Splunk Enterprise to versions 9.3.1, 9.2.3, and 9.1.6, or higher.See [Installation on Windows](https://docs.splunk.com/Documentation/Splunk/latest/Installation/InstallonWindows) for more information on how to install Splunk Enterprise.Splunk rates this vulnerability as 8.0, High, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H. <br><br>If the Splunk Enterprise instance is not installed on a separate disk, there is no impact and the severity would be informational. Alex Hordijk (hordalex)
SVD-2024-09012024-09-302024-09-30 Third-Party Package Updates in Splunk Add-on for Amazon Web Services - September 2024HighNA0.0NANA Splunk Add-on for Amazon Web Services 7.7
7.7.0
Below 7.7.0
7.7.0

Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk Add-on for Amazon Web Services versions 7.7.0 and higher, including the following:Upgrade Splunk Add-on for Amazon Web Services to versions 7.7.0 or higher.NoneFor the CVEs in this list, Splunk adopted one of the following ratings:<br> - Where applicable, the severity rating that the vendor published, or<br> - The national vulnerability database (NVD) common vulnerability scoring system (CVSS) rating, otherwise. CVE-2024-3651 - idna - Upgraded to 3.7 - High -
CVE-2024-37891 - urllib3 - Upgraded to 1.26.19 - Medium -
CVE-2023-39326 - golang - Upgraded golang to 1.22.5 - Medium - Upgraded parquet_decoder_darwin_amd64, parquet_decoder_linux_amd64, and parquet_decoder_windows_amd64.exe in Splunk_TA_aws/bin/aws_parquet/ from 1.19.8 to 1.22.5.
CVE-2024-39689 - certifi - Upgraded to 2024.7.4 - High -
SVD-2024-08012024-08-122024-08-12 Third-Party Package Updates in Python for Scientific Computing - August 2024CriticalVULN-16988 Python for Scientific Computing (for Linux 64-bit) 4.2
Python for Scientific Computing (for Mac Apple Silicon) 4.2
Python for Scientific Computing (for Mac Intel) 4.2
Python for Scientific Computing (for Windows 64-bit) 4.2
4.2.1
4.2.1
4.2.1
4.2.1
4.2.0
4.2.0
4.2.0
4.2.0
4.2.1
4.2.1
4.2.1
4.2.1




Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Python for Scientific Computing version 4.2.1 including the following:Upgrade Python for Scientific Computing (PSC) to version 4.2.1 or higher. <br><br>For Splunk Machine Learning Toolkit (MLTK), upgrading PSC to 4.2.1 requires updating MLTK to 5.4.2 or higher. Upgrading MLTK to 5.4.2 may require retraining models. See [Upgrade the Splunk Machine Learning Toolkit](https://docs.splunk.com/Documentation/MLApp/latest/User/Upgrade) for help upgrading and [Install the Splunk Machine Learning Toolkit](https://docs.splunk.com/Documentation/MLApp/latest/User/Installandconfigure) for more information on the version compatibility.<br><br>For Splunk IT Service Intelligence (ITSI), upgrading PSC to 4.2.1 may cause errors with ITSI Predictive Analytics. After upgrading, ITSI Predictive Analytics models may require retraining. See [Retrain a predictive model in ITSI](https://docs.splunk.com/Documentation/ITSI/latest/SI/ManageModel) for more information.NoneFor the CVEs in this list, Splunk adopted the vendor's severity rating or the National Vulnerability Database (NVD) common vulnerability scoring system (CVSS) rating, as available. CVE-2024-3651 - idna - Upgraded to 3.7 - Medium -
CVE-2020-28473 - bottle - Upgraded to 0.12.23 - Medium -
CVE-2022-31799 - bottle - Upgraded to 0.12.23 - Critical -
CVE-2022-40899 - future - Upgraded to 0.18.3 - High -
CVE-2023-25399 - scipy - Upgraded to 1.10.0 - Medium -
CVE-2024-3772 - pydantic - Upgraded to 1.10.13 - Medium -
CVE-2022-25882 - onnx - Upgraded to 1.16.0 - High -
CVE-2024-27318 - onnx - Upgraded to 1.16.0 - High -
CVE-2024-27319 - onnx - Upgraded to 1.16.0 - Medium -
CVE-2021-34141 - numpy - Upgraded to 1.23.0 - Medium -
CVE-2024-37891 - urllib3 - Upgraded to 1.26.19 - Medium -
CVE-2023-45803 - urllib3 - Upgraded to 1.26.19 - Medium -
CVE-2023-43804 - urllib3 - Upgraded to 1.26.19 - Medium -
CVE-2022-45907 - torch - Upgraded to 2.2.2 - Critical -
CVE-2024-31583 - torch - Upgraded to 2.2.2 - High -
CVE-2024-31580 - torch - Upgraded to 2.2.2 - High -
CVE-2024-35195 - requests - Upgraded to 2.32.3 - Medium -
CVE-2023-37920 - certifi - Upgraded to 2024.7.4 - Medium -
CVE-2023-5678 - openssl - Upgraded to 3.3.1 - Medium -
CVE-2023-7018 - transformers - Upgraded to 4.38.1 - High -
CVE-2023-6730 - transformers - Upgraded to 4.38.1 - High -
CVE-2024-3568 - transformers - Upgraded to 4.38.1 - Low -
CVE-2023-2800 - transformers - Upgraded to 4.38.1 - Medium -
CVE-2024-34062 - tqdm - Upgraded to 4.66.4 - Medium -
CVE-2024-6345 - setuptools - Upgraded to 70.0.0 - High - Python for Scientific Computing (for Windows 64-bit) is not affected by CVE-2024-6345
CVE-2022-40897 - setuptools - Upgraded to 70.0.0 - Medium - Python for Scientific Computing (for Windows 64-bit) is not affected by CVE-2022-40897
CVE-2024-5206 - scikit-learn - Upgraded to 1.5.1 - Medium -
CVE-2020-28975 - scikit-learn - Upgraded to 1.5.1 - High -
SVD-2024-07182024-07-012024-10-03 Third-Party Package Updates in Splunk Enterprise - July 2024High---- Splunk Enterprise 9.2
Splunk Enterprise 9.1
Splunk Enterprise 9.0
9.2.2
9.1.5
9.0.10
9.2.0 to 9.2.1
9.1.0 to 9.1.4
9.0.0 to 9.0.9
9.2.2
9.1.5
9.0.10



Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk Enterprise versions 9.2.2, 9.1.5, 9.0.10 and higher, including the following:Upgrade Splunk Enterprise to versions 9.2.2, 9.1.5, and 9.0.10, or higher.Splunk Analytics for Hadoop, Splunk Archiver, Hadoop Data Roll, and Hunk (Legacy) use the listed java packages (hive-exec, jackson-databind, commons-io, snappy-java, avro-sdk, avatica-core and guava). If your Splunk Enterprise instance does not use those features or functionality, it is not impacted. As a potential mitigation, you may remove the packages. Note that the splunk_archiver app may replicate the vulnerable jar files and you may need to remove the replicate files from $SPLUNK_HOME/etc/apps/splunk_archiver as well.<br><br>The Splunk Secure Gateway app remedied vulnerabilities in certifi, requests, idna, and aiohttp. Splunk Mobile, Spacebridge, and Mission Control rely on functionality in $SPLUNK_HOME/etc/apps/splunk_secure_gateway. If you do not use any of the apps, features, or functionality, as a potential mitigation, you may remove or disable the app.For the CVEs in this list, Splunk adopted the vendor's severity rating, when available, or the national vulnerability database (NVD) common vulnerability scoring system (CVSS) rating, otherwise.<br><br>For CVE-2023-37920, Splunk adopted the vendor’s severity rating. Please refer to GHSA-xqr8-7jwr-rhp7 for more information.<br><br>If you do not use Splunk Analytics for Hadoop, Splunk Archiver, Hadoop Data Roll, or Hunk (Legacy) the CVEs impacting the listed java packages (hive-exec, jackson-databind, commons-io, snappy-java, avro-sdk, avatica-core and guava) are informational.<br><br>If you disabled or removed Splunk Secure Gateway, the listed CVEs affecting aiohttp, urllib3, and certify are informational.<br><br>For pip and wheel, Splunk Enterprise does not utilize the package and is not impacted by the CVE. However, out of an abundance of caution, Splunk updated the package. CVE-2023-35116 - jackson-databind - Upgraded to 1.16.1 - Medium -
CVE-2021-29425 - commons-io - Upgraded to 2.15.1 - Medium -
CVE-2023-43642 - snappy-java - Upgraded to 1.1.10.5 - High -
CVE-2023-34453 - snappy-java - Upgraded to 1.1.10.5 - Medium -
CVE-2023-34454 - snappy-java - Upgraded to 1.1.10.5 - Medium -
CVE-2023-34455 - snappy-java - Upgraded to 1.1.10.5 - High -
CVE-2023-39410 - avro-sdk - Upgraded to 1.11.3 - High -
CVE-2022-36364 - avatica-core - Removed - High - Removed avatica-core from hive-exec
CVE-2020-8908 - guava - Removed - Low - Removed guava from hive-exec
CVE-2023-2976 - guava - Removed - Medium - Removed guava from hive-exec
CVE-2018-10237 - guava - Removed - Medium - Removed guava from hive-exec
CVE-2022-3509 - protobuf-java - Upgraded to 3.24.4 - High - Upgrade protobuf-java in hive-exec
CVE-2022-3171 - protobuf-java - Upgraded to 3.24.4 - High - Upgrade protobuf-java in hive-exec
CVE-2022-3510 - protobuf-java - Upgraded to 3.24.4 - High - Upgrade protobuf-java in hive-exec
CVE-2020-13956 - httpclient - Upgraded to 4.15.3 - Medium - Upgrade httpclient in hive-exec
CVE-2023-37276 - aiohttp - Upgraded to 3.8.6 - Medium - Upgraded aiohttp in the Splunk Secure Gateway app, $SPLUNK_HOME/etc/apps/splunk_secure_gateway/lib/aiohttp
CVE-2023-47627 - aiohttp - Upgraded to 3.8.6 - Medium - Upgraded aiohttp in the Splunk Secure Gateway app, $SPLUNK_HOME/etc/apps/splunk_secure_gateway/lib/aiohttp
CVE-2023-43804 - urllib3 - Upgraded to 2.0.7 - Medium - Upgraded urllib3 in the Splunk Secure Gateway app, $SPLUNK_HOME/etc/apps/splunk_secure_gateway/lib/urllib3
CVE-2023-45803 - urllib3 - Upgraded to 2.0.7 - Medium - Upgraded urllib3 in the Splunk Secure Gateway app, $SPLUNK_HOME/etc/apps/splunk_secure_gateway/lib/urllib3
CVE-2023-37920 - certifi - Upgraded to 2024.2.2 - Low - Upgraded certifi in the Splunk Secure Gateway app, $SPLUNK_HOME/etc/apps/splunk_secure_gateway/lib/certifi
CVE-2024-3651 - idna - Upgraded to 3.7 - Medium - Upgraded idna in the Splunk Secure Gateway app, $SPLUNK_HOME/etc/apps/splunk_secure_gateway/lib/idna
CVE-2023-5752 - pip - Upgraded to 24.0 - Informational -
CVE-2022-40897 - setuptools - Upgraded to 65.5.1 - Medium -
CVE-2022-40896 - pygments - Upgraded to 2.15.1 - Medium -
CVE-2022-40898 - wheel - Upgraded to 0.41.2 - Informational -
CVE-2023-32681 - requests - Upgraded to 2.31.0 - Medium - Upgraded requests in $SPLUNK_HOME/lib/python3.7/site-packages/requests
CVE-2022-40899 - future - Upgraded to 1.0.0 - High - Upgraded requests in $SPLUNK_HOME/lib/python3.7/site-packages/future
SVD-2024-07172024-07-012024-07-01 Persistent Cross-site Scripting (XSS) in conf-web/settings REST endpointMedium CVE-2024-36997CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N4.6CWE-79VULN-8007 Splunk Enterprise 9.2
Splunk Enterprise 9.1
Splunk Enterprise 9.0
Splunk Cloud Platform 9.1.2312
9.2.2
9.1.5
9.0.10
9.1.2312.100
9.2.0 to 9.2.1
9.1.0 to 9.1.4
9.0.0 to 9.0.9
Below 9.1.2312.100
9.2.2
9.1.5
9.0.10
9.1.2312.100
Splunk Web
Splunk Web
Splunk Web
Splunk Web
In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312, an admin user could store and execute arbitrary JavaScript code in the browser context of another Splunk user through the conf-web/settings REST endpoint. This could potentially cause a persistent cross-site scripting (XSS) exploit.Upgrade Splunk Enterprise to versions 9.2.2, 9.1.5, and 9.0.10, or higher.<br><br>Splunk is performing upgrades on Splunk Cloud Platform instances as part of Routine Maintenance for customers, as described in the Splunk Cloud Platform Maintenance Policy. In the meantime, Splunk is actively monitoring for potential issues that could arise from this vulnerability.The vulnerability is likely to affect instances with [Splunk Web](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) turned on. You could turn Splunk Web off as a possible workaround. See [Disable unnecessary Splunk Enterprise components](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) and the [web.conf](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf) configuration specification file for more information on turning Splunk Web off.Splunk rates this vulnerability as 4.6, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N<br><br>If the Splunk Enterprise instance does not run Splunk Web, there is no impact and the severity is Informational. STÖK / Fredrik Alexandersson
SVD-2024-07162024-07-012024-07-01 Information Disclosure of user namesMedium CVE-2024-36996CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N5.3CWE-204VULN-3072 Splunk Enterprise 9.2
Splunk Enterprise 9.1
Splunk Enterprise 9.0
Splunk Cloud Platform 9.1.2312
9.2.2
9.1.5
9.0.10
9.1.2312.109
9.2.0 to 9.2.1
9.1.0 to 9.1.4
9.0.0 to 9.0.9
Below 9.1.2312.109
9.2.2
9.1.5
9.0.10
9.1.2312.109
SAML
SAML
SAML
SAML
In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.109, an attacker could determine whether or not another user exists on the instance by deciphering the error response that they receive from the instance when they attempt to log in. This disclosure could then lead to additional brute-force password-guessing attacks.<br><br>This vulnerability would require that the Splunk platform instance uses the Security Assertion Markup Language (SAML) authentication scheme.Upgrade Splunk Enterprise to versions 9.2.2, 9.1.5, and 9.0.10, or higher.<br><br>Splunk is performing upgrades on Splunk Cloud Platform instances as part of Routine Maintenance for customers, as described in the Splunk Cloud Platform Maintenance Policy. In the meantime, Splunk is actively monitoring for potential issues that could arise from this vulnerability.NoneSplunk rates this vulnerability a 5.3, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N.<br><br>If the Splunk Enterprise instance does not run Splunk Web, there should be no impact and the severity would be informational.
SVD-2024-07152024-07-012024-07-01 Low-privileged user could create experimental itemsMedium CVE-2024-36995CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N4.3CWE-862VULN-15941 Splunk Enterprise 9.2
Splunk Enterprise 9.1
Splunk Enterprise 9.0
Splunk Cloud Platform 9.1.2312
Splunk Cloud Platform 9.1.2308
9.2.2
9.1.5
9.0.10
9.1.2312.200
9.1.2308.207
9.2.0 to 9.2.1
9.1.0 to 9.1.4
9.0.0 to 9.0.9
Below 9.1.2312.200
Below 9.1.2308.207
9.2.2
9.1.5
9.0.10
9.1.2312.200
9.1.2308.207
REST API
REST API
REST API
REST API
REST API
In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.200 and 9.1.2308.207, a low-privileged user that does not hold the “admin” or “power” Splunk roles could create experimental items.Upgrade Splunk Enterprise to versions 9.2.2, 9.1.5, and 9.0.10, or higher.<br><br>Splunk is performing upgrades on Splunk Cloud Platform instances as part of Routine Maintenance for customers, as described in the Splunk Cloud Platform Maintenance Policy. In the meantime, Splunk is actively monitoring for potential issues that could arise from this vulnerability.NoneSplunk rates this vulnerability as 4.3, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. MrHack
SVD-2024-07142024-07-012024-07-01 Persistent Cross-site Scripting (XSS) in Dashboard ElementsMedium CVE-2024-36994CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N5.4CWE-79VULN-15625 Splunk Enterprise 9.2
Splunk Enterprise 9.1
Splunk Enterprise 9.0
Splunk Cloud Platform 9.1.2312
Splunk Cloud Platform 9.1.2308
9.2.2
9.1.5
9.0.10
9.1.2312.200
9.1.2308.207
9.2.0 to 9.2.1
9.1.0 to 9.1.4
9.0.0 to 9.0.9
Below 9.1.2312.200
Below 9.1.2308.207
9.2.2
9.1.5
9.0.10
9.1.2312.200
9.1.2308.207
Splunk Web
Splunk Web
Splunk Web
Splunk Web
Splunk Web
In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.200 and 9.1.2308.207, a low-privileged user that does not hold the “admin” or “power” Splunk roles could craft a malicious payload through a View and Splunk Web Bulletin Messages that could result in execution of unauthorized JavaScript code in the browser of a user.<br><br>The “ping” URL attribute and the “url” parameter do not properly validate user input. The attribute and parameter are not properly escaped, which could lead to the Stored Cross-site Scripting (XSS) exploit.Upgrade Splunk Enterprise to versions 9.2.2, 9.1.5, and 9.0.10, or higher.<br><br>Splunk is performing upgrades on Splunk Cloud Platform instances as part of Routine Maintenance for customers, as described in the Splunk Cloud Platform Maintenance Policy. In the meantime, Splunk is actively monitoring for potential issues that could arise from this vulnerability.The vulnerability affects instances with [Splunk Web](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) enabled, turning Splunk Web off is a possible workaround. See [Disable unnecessary Splunk Enterprise components](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) and the [web.conf](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf) configuration specification file for more information on disabling Splunk Web.Splunk rates this vulnerability as 5.4, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N.<br><br>If the Splunk Enterprise instance does not run Splunk Web, there should be no impact and the severity would be informational. Danylo Dmytriiev (DDV_UA)
SVD-2024-07132024-07-012024-07-01 Persistent Cross-site Scripting (XSS) in Web BulletinMedium CVE-2024-36993CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N5.4CWE-79VULN-15649 Splunk Enterprise 9.2
Splunk Enterprise 9.1
Splunk Enterprise 9.0
Splunk Cloud Platform 9.1.2312
Splunk Cloud Platform 9.1.2308
9.2.2
9.1.5
9.0.10
9.1.2312.200
9.1.2308.207
9.2.0 to 9.2.1
9.1.0 to 9.1.4
9.0.0 to 9.0.9
Below 9.1.2312.200
Below 9.1.2308.207
9.2.2
9.1.5
9.0.10
9.1.2312.200
9.1.2308.207
Splunk Web
Splunk Web
Splunk Web
Splunk Web
Splunk Web
In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.200 and 9.1.2308.207, a low-privileged user that does not hold the “admin” or “power” Splunk roles could craft a malicious payload through a Splunk Web Bulletin Messages that could result in execution of unauthorized JavaScript code in the browser of a user.<br><br>Splunk Web Bulletin Messages would not sanitize the “data-toggle” and “data-remote” attributes which could lead to a Stored Cross-site Scripting (XSS) exploit.Upgrade Splunk Enterprise to versions 9.2.2, 9.1.5, and 9.0.10, or higher.<br><br>Splunk is performing upgrades on Splunk Cloud Platform instances as part of Routine Maintenance for customers, as described in the Splunk Cloud Platform Maintenance Policy. In the meantime, Splunk is actively monitoring for potential issues that could arise from this vulnerability.The vulnerability affects instances with [Splunk Web](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) enabled, turning Splunk Web off is a possible workaround. See [Disable unnecessary Splunk Enterprise components](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) and the [web.conf](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf) configuration specification file for more information on disabling Splunk Web.Splunk rates this vulnerability as 5.4, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N.<br><br>If the Splunk Enterprise instance does not run Splunk Web, there should be no impact and the severity would be informational. Anton (therceman)
SVD-2024-07122024-07-012024-07-01 Persistent Cross-site Scripting (XSS) in Dashboard ElementsMedium CVE-2024-36992CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N5.4CWE-79VULN-15645 Splunk Enterprise 9.2
Splunk Enterprise 9.1
Splunk Enterprise 9.0
Splunk Cloud Platform 9.1.2312
Splunk Cloud Platform 9.1.2308
9.2.2
9.1.5
9.0.10
9.1.2312.200
9.1.2308.207
9.2.0 to 9.2.1
9.1.0 to 9.1.4
9.0.0 to 9.0.9
Below 9.1.2312.200
Below 9.1.2308.207
9.2.2
9.1.5
9.0.10
9.1.2312.200
9.1.2308.207
Splunk Web
Splunk Web
Splunk Web
Splunk Web
Splunk Web
In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.200 and 9.1.2308.207, a low-privileged user that does not hold the “admin” or “power” Splunk roles could craft a malicious payload through a View that could result in execution of unauthorized JavaScript code in the browser of a user.<br><br>The “url” parameter of the Dashboard element does not have proper input validation to reject invalid URLs, which could lead to a Persistent Cross-site Scripting (XSS) exploit.Upgrade Splunk Enterprise to versions 9.2.2, 9.1.5, and 9.0.10, or higher.<br><br>Splunk is performing upgrades on Splunk Cloud Platform instances as part of Routine Maintenance for customers, as described in the Splunk Cloud Platform Maintenance Policy. In the meantime, Splunk is actively monitoring for potential issues that could arise from this vulnerability.The vulnerability affects instances with [Splunk Web](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) enabled, turning Splunk Web off is a possible workaround. See [Disable unnecessary Splunk Enterprise components](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) and the [web.conf](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf) configuration specification file for more information on disabling Splunk Web.Splunk rates this vulnerability as 5.4, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N.<br><br>If the Splunk Enterprise instance does not run Splunk Web, there should be no impact and the severity would be informational. Anton (therceman)
SVD-2024-07112024-07-012024-07-01 Path Traversal on the “/modules/messaging/“ endpoint in Splunk Enterprise on WindowsHigh CVE-2024-36991CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N7.5CWE-35VULN-15637 Splunk Enterprise 9.2
Splunk Enterprise 9.1
Splunk Enterprise 9.0
9.2.2
9.1.5
9.0.10
9.2.0 to 9.2.1
9.1.0 to 9.1.4
9.0.0 to 9.0.9
9.2.2
9.1.5
9.0.10
Splunk Web
Splunk Web
Splunk Web
In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10, an attacker could perform a path traversal on the `/modules/messaging/` endpoint in Splunk Enterprise on Windows.<br><br>The vulnerability exists because the Python `os.path.join` function removes the drive letter from path tokens if the drive in the token matches the drive in the built path.<br><br>This vulnerability should only affect Splunk Enterprise on Windows.Upgrade Splunk Enterprise to versions 9.2.2, 9.1.5, and 9.0.10, or higher.The vulnerability affects instances with [Splunk Web](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) turned on. You could turn Splunk Web off as a possible workaround. See [Disable unnecessary Splunk Enterprise components](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) and the [web.conf](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf) configuration specification file for more information on turning Splunk Web off.Splunk rates this vulnerability as 7.5, High, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. <br><br>If the Splunk Enterprise instance does not run Splunk Web, there should be no impact and the severity would be informational. Danylo Dmytriiev (DDV_UA)
SVD-2024-07102024-07-012024-07-01 Denial of Service (DoS) on the datamodel/web REST endpointMedium CVE-2024-36990CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H6.5CWE-835VULN-15235 Splunk Enterprise 9.2
Splunk Enterprise 9.1
Splunk Enterprise 9.0
Splunk Cloud Platform 9.1.2312
Splunk Cloud Platform 9.1.2312
Splunk Cloud Platform 9.1.2308
9.2.2
9.1.5
9.0.10
9.1.2312.202
9.1.2312.109
9.1.2308.209
9.2.0 to 9.2.1
9.1.0 to 9.1.4
9.0.0 to 9.0.9
9.1.2312.200 to 9.1.2312.201
9.1.2312.100 to 9.1.2312.108
Below 9.1.2308.208
9.2.2
9.1.5
9.0.10
9.1.2312.202
9.1.2312.109
9.1.2308.209
REST API
REST API
REST API
REST API
REST API
REST API
In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.2.2403.100, an authenticated, low-privileged user that does not hold the “admin” or “power” Splunk roles could send a specially crafted HTTP POST request to the datamodel/web REST endpoint in Splunk Enterprise, potentially causing a denial of service.<br><br>The DoS could result from a condition where a data model definition contains a cyclic dependency. That dependency could lead to an infinite loop, which leads to a stack overflow and the subsequent crash of the Splunk daemon.Upgrade Splunk Enterprise to versions 9.2.2, 9.1.5, and 9.0.10, or higher.<br><br>Splunk is performing upgrades on Splunk Cloud Platform instances as part of Routine Maintenance for customers, as described in the Splunk Cloud Platform Maintenance Policy. In the meantime, Splunk is actively monitoring for potential issues that could arise from this vulnerability.NoneSplunk rates this vulnerability as 6.5, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. Anton (therceman)
SVD-2024-07092024-07-012024-07-01 Low-privileged user could create notifications in Splunk Web Bulletin MessagesMedium CVE-2024-36989CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N6.5CWE-284VULN-15234 Splunk Enterprise 9.2
Splunk Enterprise 9.1
Splunk Enterprise 9.0
Splunk Cloud Platform 9.1.2312
9.2.2
9.1.5
9.0.10
9.1.2312.200
9.2.0 to 9.2.1
9.1.0 to 9.1.4
9.0.0 to 9.0.9
Below 9.1.2312.200
9.2.2
9.1.5
9.0.10
9.1.2312.200
Splunk Web
Splunk Web
Splunk Web
Splunk Web
In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.200, a low-privileged user that does not hold the “admin” or “power” Splunk roles could create notifications in Splunk Web Bulletin Messages that all users on the instance receive.<br><br>This could be the result of a lack of access control for using the Bulletin Messages system to send notifications.<br><br>It may be possible for the notifications to contain Web links. This could result in administrators navigating to other Web pages or running searches unexpectedly.Upgrade Splunk Enterprise to versions 9.2.2, 9.1.5, and 9.0.10, or higher.<br><br>Splunk is performing upgrades on Splunk Cloud Platform instances as part of Routine Maintenance for customers, as described in the Splunk Cloud Platform Maintenance Policy. In the meantime, Splunk is actively monitoring for potential issues that could arise from this vulnerability.The vulnerability affects instances with [Splunk Web](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) turned on. You could turn Splunk Web off as a possible workaround. See [Disable unnecessary Splunk Enterprise components](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) and the [web.conf](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf) configuration specification file for more information on turning Splunk Web off.Splunk rates this vulnerability as 6.5, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N<br><br>If the Splunk Enterprise instance does not run Splunk Web, there should be no impact and the severity would be informational. Anton (therceman)
SVD-2024-07082024-07-012024-07-01 OpenSSL crypto library (libcrypto.so) incorrectly compiled with stack execution bit set in Splunk Enterprise and Universal Forwarder on certain operating systemsInformational NANACWE-119VULN-14673 Splunk Enterprise - Linux 9.2
Splunk Enterprise - Linux 9.1
Splunk Enterprise - Linux 9.0
Universal Forwarder - Solaris 9.2
Universal Forwarder - Solaris 9.1
Universal Forwarder - Solaris 9.0
9.2.2
9.1.5
9.0.10
9.2.2
9.1.5
9.0.10
9.2.0 to 9.2.1
9.1.3 to 9.1.4
9.0.8 to 9.0.9
9.2.0 to 9.2.1
9.1.0 to 9.1.4
9.0.0 to 9.0.9
9.2.2
9.1.5
9.0.10
9.2.2
9.1.5
9.0.10
libcrypto
libcrypto
libcrypto
libcrypto
libcrypto
libcrypto
In certain specific versions and platform architectures of Splunk Enterprise and the Universal Forwarder, the cryptographic library for OpenSSL (libcrypto.so) was incorrectly compiled with its stack execution bit set. Setting the executable bit on .so library files is not a direct vulnerability,. <br><br>The problem affects the following versions of the Splunk platform only:<br> - Splunk Enterprise on Linux: 9.2.1, 9.2.0.1, 9.2.0, 9.1.4, 9.1.3, 9.0.9, and 9.0.8 <br> - Universal Forwarder on Solaris: all versions below 9.2.2, 9.1.5, and 9.0.10. <br><br>The problem does not affect the following versions of the Splunk platform:<br> - Splunk Enterprise on Windows or MacOS.<br> - Universal Forwarder on Windows, MacOS, Linux, FreeBSD, or AIX.Upgrade Splunk Enterprise on Linux and Universal Forwarder on Solaris to versions 9.2.2, 9.1.5, and 9.0.10, or higher.NoneThis advisory is informational only. A severity rating does not apply and the Common Vulnerability Scoring System (CVSS) is not applicable.
SVD-2024-07072024-07-012024-07-01 Insecure File Upload in the indexing/preview REST endpointMedium CVE-2024-36987CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N4.3CWE-434VULN-10327 Splunk Enterprise 9.2
Splunk Enterprise 9.1
Splunk Enterprise 9.0
Splunk Cloud Platform 9.1.2312
9.2.2
9.1.5
9.0.10
9.1.2312.200
9.2.0 to 9.2.1
9.1.0 to 9.1.4
9.0.0 to 9.0.9
Below 9.1.2312.200
9.2.2
9.1.5
9.0.10
9.1.2312.200
Splunk Web
Splunk Web
Splunk Web
Splunk Web
In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.200, an authenticated, low-privileged user who does not hold the “admin” or “power” Splunk roles could upload a file with an arbitrary extension using the indexing/preview REST endpoint.<br><br>The vulnerable endpoint is one of several that the Upload Data page in Splunk Web uses to run a “preview” search of the data contained within a file that a user uploads prior to indexing. This process generates a file that a low-privileged user could use to perform the XSLT injection, which could be used to perform downstream exploits.Upgrade Splunk Enterprise to versions 9.2.2, 9.1.5, and 9.0.10, or higher.<br><br>Splunk is performing upgrades on Splunk Cloud Platform instances as part of Routine Maintenance for customers, as described in the Splunk Cloud Platform Maintenance Policy. In the meantime, Splunk is actively monitoring for potential issues that could arise from this vulnerability.The vulnerability would likely affect instances with [Splunk Web](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) turned on. You could turn Splunk Web off as a possible workaround. See [Disable unnecessary Splunk Enterprise components](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) and the [web.conf](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf) configuration specification file for more information on turning Splunk Web off.Splunk rates this vulnerability as 4.3, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N.<br><br>If the Splunk Enterprise instance does not run Splunk Web, there should be no impact and the severity would be informational. Kyle Bambrick, Splunk
SVD-2024-07062024-07-012024-07-01 Risky command safeguards bypass through Search ID query in Analytics WorkspaceMedium CVE-2024-36986CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N6.3CWE-200VULN-10317 Splunk Enterprise 9.2
Splunk Enterprise 9.1
Splunk Enterprise 9.0
Splunk Cloud Platform 9.1.2312
Splunk Cloud Platform 9.1.2308
9.2.2
9.1.5
9.0.10
9.1.2312.200
9.1.2308.207
9.2.0 to 9.2.1
9.1.0 to 9.1.4
9.0.0 to 9.0.9
Below 9.1.2312.200
Below 9.1.2308.207
9.2.2
9.1.5
9.0.10
9.1.2312.200
9.1.2308.207
Splunk Web
Splunk Web
Splunk Web
Splunk Web
Splunk Web
In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.200 and 9.1.2308.207, an authenticated user could run risky commands using the permissions of a higher-privileged user to bypass [SPL safeguards for risky commands](https://docs.splunk.com/Documentation/SplunkCloud/latest/Security/SPLsafeguards) in the Analytics Workspace. <br><br>The vulnerability requires the authenticated user to phish the victim by tricking them into initiating a request within their browser. The authenticated user should not be able to exploit the vulnerability at will.Upgrade Splunk Enterprise to versions 9.2.2, 9.1.5, and 9.0.10, or higher.<br><br>Splunk is performing upgrades on Splunk Cloud Platform instances as part of Routine Maintenance for customers, as described in the Splunk Cloud Platform Maintenance Policy. In the meantime, Splunk is actively monitoring for potential issues that could arise from this vulnerability.The vulnerability likely affects instances with the Analytics Workspace enabled. Turning off the Analytics Workplace application is a possible workaround. For more information on managing apps, see [Manage app and add-on objects](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Managingappobjects).<br><br>The vulnerability likely affects instances with [Splunk Web](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) enabled, turning Splunk Web off is a possible workaround. See [Disable unnecessary Splunk Enterprise components](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) and the [web.conf](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf) configuration specification file for more information on disabling Splunk Web.Splunk rates this vulnerability as 6.3, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N.<br><br>If the Splunk Enterprise instance does not run Splunk Web or disabled Analytics Workplace, there should be no impact and the severity would be informational. Anton (therceman)
SVD-2024-07052024-07-012024-07-01 Remote Code Execution (RCE) through an external lookup due to “copybuckets.py“ script in the “splunk_archiver“ application in Splunk EnterpriseHigh CVE-2024-36985CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H8.8CWE-687VULN-8937 Splunk Enterprise 9.2
Splunk Enterprise 9.1
Splunk Enterprise 9.0
9.2.2
9.1.5
9.0.10
9.2.0 to 9.2.1
9.1.0 to 9.1.4
9.0.0 to 9.0.9
9.2.2
9.1.5
9.0.10
splunk_archiver
splunk_archiver
splunk_archiver
In Splunk Enterprise versions below 9.0.10, 9.1.5, and 9.2.2, a low-privileged user that does not hold the “admin“ or “power“ Splunk roles could cause a Remote Code Execution through an external lookup that likely references the “splunk_archiver“ application.<br><br>The “splunk_archiver“ application likely contains a script called “copybuckets.py“ that itself references a file called “erp_launcher.py“, which would likely execute a script called “sudobash“.<br><br>The “sudobash“ script does not perform any input checking. Therefore it runs a bash shell with arguments supplied by the “erp_launcher.py“ file. This can lead to an RCE.Upgrade Splunk Enterprise to versions 9.2.2, 9.1.5, and 9.0.10, or higher.Disable the “splunk_archiver“ applicationSplunk rates this vulnerability as 8.8, High, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.<br><br>If the Splunk Enterprise instance disabled splunk_archiver, there is no impact and the severity is Informational. Alex Hordijk
SVD-2024-07042024-07-012024-07-01 Remote Code Execution through Serialized Session Payload in Splunk Enterprise on WindowsHigh CVE-2024-36984CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H8.8CWE-502VULN-15741 Splunk Enterprise 9.2
Splunk Enterprise 9.1
Splunk Enterprise 9.0
9.2.2
9.1.5
9.0.10
9.2.0 to 9.2.1
9.1.0 to 9.1.4
9.0.0 to 9.0.9
9.2.2
9.1.5
9.0.10
Splunk Web
Splunk Web
Splunk Web
In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 on Windows, an authenticated user could execute a specially crafted query that they could then use to serialize untrusted data. The attacker could use the query to execute arbitrary code.<br><br>The exploit requires the use of the collect SPL command which writes a file within the Splunk Enterprise installation. The attacker could then use this file to submit a serialized payload that could result in execution of code within the payload.Upgrade Splunk Enterprise to versions 9.2.2, 9.1.5, and 9.0.10, or higher.If users do not log in to Splunk Web on indexers in a distributed environment, disable Splunk Web on those indexers. See [Disable unnecessary Splunk Enterprise components]([https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents)) and the [web.conf configuration specification]([https://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf)) file in the Splunk documentation for more information on disabling Splunk Web.Splunk rates this vulnerability as 8.8, High, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.<br><br>If the Splunk Enterprise instance does not run Splunk Web, there should be no impact and the severity would be informational. Danylo Dmytriiev (DDV_UA)
SVD-2024-07032024-07-012024-07-01 Command Injection using External LookupsHigh CVE-2024-36983CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H8.0CWE-77VULN-15560 Splunk Enterprise 9.2
Splunk Enterprise 9.1
Splunk Enterprise 9.0
Splunk Cloud Platform 9.1.2312
Splunk Cloud Platform 9.1.2308
9.2.2
9.1.5
9.0.10
9.1.2312.109
9.1.2308.207
9.2.0 to 9.2.1
9.1.0 to 9.1.4
9.0.0 to 9.0.9
9.1.2312.100 to 9.1.2312.108
Below 9.1.2308.207
9.2.2
9.1.5
9.0.10
9.1.2312.109
9.1.2308.207
External Lookups
External Lookups
External Lookups
External Lookups
External Lookups
In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.109 and 9.1.2308.207, an authenticated user could create an external lookup that calls a legacy internal function. The authenticated user could use this internal function to insert code into the Splunk platform installation directory. From there, the user could execute arbitrary code on the Splunk platform Instance.<br><br>The vulnerability revolves around the currently-deprecated ”runshellscript” command that scripted alert actions use. This command, along with external command lookups, lets an authenticated user use this vulnerability to inject and execute commands within a privileged context from the Splunk platform instance.Upgrade Splunk Enterprise to versions 9.2.2, 9.1.5, and 9.0.10, or higher.<br><br>Splunk is performing upgrades on Splunk Cloud Platform instances as part of Emergency Maintenance for customers, as described in the Splunk Cloud Platform Maintenance Policy. In the meantime, Splunk is actively monitoring for potential issues that could arise from this vulnerability.NoneSplunk rates this vulnerability as 8.0, High, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:HH. Danylo Dmytriiev (DDV_UA)
SVD-2024-07022024-07-012024-07-01 Denial of Service through null pointer reference in “cluster/config” REST endpointHigh CVE-2024-36982CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H7.5CWE-476VULN-15553 Splunk Enterprise 9.2
Splunk Enterprise 9.1
Splunk Enterprise 9.0
Splunk Cloud Platform 9.1.2312
Splunk Cloud Platform 9.1.2308
9.2.2
9.1.5
9.0.10
9.1.2312.109
9.1.2308.207
9.2.0 to 9.2.1
9.1.0 to 9.1.4
9.0.0 to 9.0.9
9.1.2312.100 to 9.1.2312.108
Below 9.1.2308.207
9.2.2
9.1.5
9.0.10
9.1.2312.109
9.1.2308.207
REST API
REST API
REST API
REST API
REST API
In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.109 and 9.1.2308.207, an attacker could trigger a null pointer reference on the “cluster/config” REST endpoint, which could result in a crash of the Splunk daemon.Upgrade Splunk Enterprise to versions 9.2.2, 9.1.5, and 9.0.10, or higher. <br><br>Splunk is performing upgrades on Splunk Cloud Platform instances as part of Emergency Maintenance for customers, as described in the Splunk Cloud Platform Maintenance Policy. In the meantime, Splunk is actively monitoring for potential issues that could arise from this vulnerability.NoneSplunk rates this vulnerability as 7.5, High, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. d0nahu3
SVD-2024-07012024-07-012024-07-01 Remote Code Execution through dashboard PDF generation componentHigh CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H8.8CWE-94VULN-15197 Splunk Enterprise 9.2
Splunk Enterprise 9.1
Splunk Enterprise 9.0
Splunk Cloud Platform 9.1.2312
Splunk Cloud Platform 9.1.2308
9.2.2
9.1.5
9.0.10
9.1.2312.109
9.1.2308.203
9.2.0 to 9.2.1
9.1.0 to 9.1.4
9.0.0 to 9.0.9
9.1.2312.100 to 9.1.2312.108
Below 9.1.2308.203
9.2.2
9.1.5
9.0.10
9.1.2312.109
9.1.2308.203
pdfgen
pdfgen
pdfgen
pdfgen
pdfgen
In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.109 and 9.1.2308.203, an authenticated user could execute arbitrary code through the dashboard PDF generation component.<br><br>The pdfgen/render REST endpoint uses a vulnerable version of the ReportLab Toolkit (v3.6.1) Python library with a remote code execution vulnerability, as described in Common Vulnerabilities and Exposures (CVE) ID CVE-2023-33733.Upgrade Splunk Enterprise to versions 9.2.2, 9.1.5, and 9.0.10, or higher.<br><br>Splunk is performing upgrades on Splunk Cloud Platform instances as part of Emergency Maintenance for customers, as described in the Splunk Cloud Platform Maintenance Policy. In the meantime, Splunk is actively monitoring for potential issues that could arise from this vulnerability.NoneSplunk rates this vulnerability as 8.8, High, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. Alex Chapman (ajxchapman)
SVD-2024-03042024-03-272024-03-27 Third-Party Package Updates in Splunk Universal Forwarder - March 2024Low---- Splunk Universal Forwarder 9.2
Splunk Universal Forwarder 9.1
Splunk Universal Forwarder 9.0
9.2.1
9.1.4
9.0.9
9.2.0 to 9.2.0.1
9.1.0 to 9.1.3
9.0.0 to 9.0.8
9.2.1
9.1.4
9.0.9



Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk Universal Forwarder versions 9.2.1, 9.1.4, 9.0.9 and higher, including the following:Upgrade Splunk Universal Forwarder to versions 9.2.1, 9.1.4, and 9.0.9, or higher.N/AFor the CVEs in this list, Splunk adopted the vendor's severity rating, where applicable. CVE-2024-0727, CVE-2023-5678 - Openssl - Upgraded to 1.0.2zj - Low -
multiple - curl - Upgraded from 8.0.1 to 8.5.0 - Informational - The Splunk Universal Forwarder is not affected by the CVEs listed by curl applicable to versions 8.0.1 through 8.4.0. However, out of an abundance of caution, Splunk upgraded it.
SVD-2024-03032024-03-272024-03-27 Third-Party Package Updates in Splunk Enterprise - March 2024High---- Splunk Enterprise 9.2
Splunk Enterprise 9.1
Splunk Enterprise 9.0
9.2.1
9.1.4
9.0.9
9.2.0 to 9.2.0.1
9.1.0 to 9.1.3
9.0.0 to 9.0.8
9.2.1
9.1.4
9.0.9



Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk Enterprise versions 9.2.1, 9.1.4, 9.0.9 and higher, including the following:Upgrade Splunk Enterprise to versions 9.2.1, 9.1.4, and 9.0.9, or higher.N/AFor the CVEs in this list, Splunk adopted the vendor's severity rating, when available, or the national vulnerability database (NVD) common vulnerability scoring system (CVSS) rating, otherwise. CVE-2024-0727, CVE-2023-5678 - Openssl - Upgraded to 1.0.2zj - Low -
CVE-2023-39325 - net, go - Upgraded to 0.2.0 - High - Upgraded in Splunk Assist
multiple - go - Upgraded from 1.20.10 to 1.21.5 - See vendor - Upgraded in Splunk Assist
multiple - hive-exec - Upgraded from 3.1.3 to 4.0.0-beta-1 - See vendor -
multiple - curl - Upgraded from 8.0.1 to 8.5.0 - See vendor - Splunk Enterprise is not affected by CVE-2023-38545
CVE-2021-32559 - pywin32 - Upgraded to b306 - Medium -
multiple - jackson-databind - Upgraded from 2.9.10 to 2.13.5 - See vendor - Removed jackson-databind-2.9.10 nested within $SPLUNK_HOME/bin/jars/thirdparty/common/parquet-hive-bundle-1.11.2.jar and added jackson-databind-2.13.5 under $SPLUNK_HOME/bin/jars/common
SVD-2024-03022024-03-272024-04-09 Risky command safeguards bypass in Dashboard Examples HubHigh CVE-2024-29946CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N8.1CWE-20SPL-250341 Splunk Enterprise 9.2
Splunk Enterprise 9.1
Splunk Enterprise 9.0
Splunk Cloud Platform -
Splunk Cloud Platform -
9.2.1
9.1.4
9.0.9
9.1.2312.104
9.1.2308.205
9.2.0 to 9.2.0.1
9.1.0 to 9.1.3
9.0.0 to 9.0.8
9.1.2312.100 to 9.1.2312.103
Below 9.1.2308.205
9.2.1
9.1.4
9.0.9
9.1.2312.104
9.1.2308.205
Splunk Dashboard Studio
Splunk Dashboard Studio
Splunk Dashboard Studio
Splunk Dashboard Studio
Splunk Dashboard Studio
In Splunk Enterprise versions below 9.2.1, 9.1.4 and 9.0.9, and Splunk Cloud Platform versions below 9.1.2312.104 and 9.1.2308.205, the Dashboard Examples Hub in the Splunk Dashboard Studio app lacks protections for risky SPL commands, which could allow an attacker to bypass SPL safeguards for risky commands. <br><br>The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser (and in the case of Splunk Enterprise, also if Splunk Web is on).<br><br>For more information on risky commands and potential impacts, see [SPL safeguards for risky commands](https://docs.splunk.com/Documentation/SplunkCloud/latest/Security/SPLsafeguards).For Splunk Enterprise, upgrade versions to 9.2.1, 9.1.4, 9.0.9, or higher.<br><br>For Splunk Cloud Platform, Splunk has put in place a mitigation, and is actively monitoring and rolling out patches across Splunk Cloud Platform instances.On Splunk Cloud Platform only, Splunk implemented network-level changes that fully mitigate the vulnerability.<br><br>On Splunk Enterprise only:<br><br>You can mitigate the vulnerability by removing the template file for the Splunk Dashboard Studio Examples Hub. This file is located at `$SPLUNK_HOME/etc/apps/splunk-dashboard-studio/appserver/templates/example-hub.html`. This mitigation prevents the Dashboard Examples Hub from rendering.<br><br>The vulnerability affects instances with[ Splunk Web](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) turned on. You can turn Splunk Web off as a possible workaround. See[ Disable unnecessary Splunk Enterprise components](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) and the[ web.conf](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf) configuration specification file for more information on turning Splunk Web off.<br><br>The Splunk-built Splunk Dashboard Studio app comes with Splunk Enterprise and uses the Dashboard Examples Hub. You can disable the app as a possible workaround for instances that do not run as Search Heads. See [Manage app and add-on objects - Splunk Documentation](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Managingappobjects) for more information.<br><br>**Note:** In Splunk Enterprise versions below 9.2 and Splunk Cloud Platform versions below 9.0.2205, disabling the Splunk Dashboard Studio app disables Dashboard Studio dashboard functionality. In all Splunk Enterprise and Splunk Cloud Platform versions, disabling the Splunk Dashboard Studio app breaks images and icons for Dashboard Studio dashboards and might also cause unintended problems with other Dashboard Studio functionality.The severity of this vulnerability varies based on certain conditions.<br><br>On Splunk Enterprise:<br><br>If the Splunk Enterprise environment meets the conditions that appear in the “Description” section, Splunk rates the vulnerability as High, 8.1, with a CVSSv3.1 Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N.<br><br>If the Splunk Enterprise instance does not run Splunk Web or Splunk Dashboard Studio, there is no impact and the severity is Informational.<br><br>On Splunk Cloud Platform:<br><br>Splunk implemented network-level changes that fully mitigate the vulnerability. There is no impact and the severity is Informational.
SVD-2024-03012024-03-272024-03-27 Splunk Authentication Token Exposure in Debug Log in Splunk EnterpriseHigh CVE-2024-29945CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H7.2CWE-532SPL-248977 Splunk Enterprise 9.2
Splunk Enterprise 9.1
Splunk Enterprise 9.0
9.2.1
9.1.4
9.0.9
9.2.0 to 9.2.0.1
9.1.0 to 9.1.3
9.0.0 to 9.0.8
9.2.1
9.1.4
9.0.9



In Splunk Enterprise versions below 9.2.1, 9.1.4, and 9.0.9, the software potentially exposes authentication tokens during the token validation process. This exposure could happen when either Splunk Enterprise runs in debug mode or the `JsonWebToken` component has been configured to log its activity at the DEBUG logging level. Normally, Splunk Enterprise runs with debug mode and token authentication turned off, as well as the `JsonWebToken` process configured at the INFO logging level. <br><br>The vulnerability would require either local access to the log files or administrative access to internal indexes, which by default only the admin role receives. Review roles and capabilities on your instance and restrict internal index access to administrator-level roles. See [Define roles on the Splunk platform with capabilities](https://docs.splunk.com/Documentation/Splunk/latest/Security/Rolesandcapabilities) in the Splunk documentation for more information.<div> <p data-renderer-start-pos="2009">There are multiple solutions depending on how you have configured the Splunk Enterprise instance.</p> <p data-renderer-start-pos="2108">First, determine whether or not debug logging is on, either globally or for the <code class="code css-1o5d2cw" data-renderer-mark="true">JsonWebToken</code> component. You must log into the Splunk Enterprise instance as an admin user or equivalent to perform these actions.</p> <ol class="ak-ol" start="1" data-indent-level="1"> <li> <p data-renderer-start-pos="2328">To determine the current global logging mode on the instance:</p> <ol class="ak-ol" start="1" data-indent-level="2"> <li> <p data-renderer-start-pos="2393">In a web browser, visit the Server Logging Settings page in Splunk Web at <code class="code css-1o5d2cw" data-renderer-mark="true">/en-US/manager/system/server/logger</code>.</p> </li> <li> <p data-renderer-start-pos="2536">Review the Logging Level column on the page that loads. If every row in this column shows DEBUG as the logging level, then the Splunk Enterprise instance is in debug mode. Otherwise, it is not in debug mode.</p> </li> </ol> </li> <li> <p data-renderer-start-pos="2749">To determine the current logging level for the <code class="code css-1o5d2cw" data-renderer-mark="true">JsonWebToken</code> processor:</p> <ol class="ak-ol" start="1" data-indent-level="2"> <li> <p data-renderer-start-pos="2830">In a web browser, search for the JsonWebToken processor configuration by visiting <code class="code css-1o5d2cw" data-renderer-mark="true">/en-US/manager/system/server/logger?search=JsonWebToken</code>.</p> </li> <li> <p data-renderer-start-pos="2986">Review the Logging level column for the processor. If this row has a value of DEBUG, then the processor currently logs its activity at the DEBUG level.</p> </li> </ol> </li> </ol> <p data-renderer-start-pos="3143">See <a class="css-tgpl01" title="https://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/Enabledebuglogging" href="https://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/Enabledebuglogging" data-testid="link-with-safety" data-renderer-mark="true">Enable debug logging</a> for more information.</p> <p data-renderer-start-pos="3192">If either of these steps determines that debug logging is on, either globally or for the <code class="code css-1o5d2cw" data-renderer-mark="true">JsonWebToken</code> component, then remedy the problem by performing the following tasks:</p> <ol class="ak-ol" start="1" data-indent-level="1"> <li> <p data-renderer-start-pos="3374">Upgrade Splunk Enterprise to versions 9.2.1, 9.1.4, 9.0.9, or higher.</p> </li> <li> <p data-renderer-start-pos="3447">Delete the following log file on the Splunk Enterprise instance: <code class="code css-1o5d2cw" data-renderer-mark="true">$SPLUNK_HOME/var/log/splunk/splunkd.log</code></p> </li> <li> <p data-renderer-start-pos="3555">Log into Splunk Web on the Splunk Enterprise instance and delete all log file events for the <code class="code css-1o5d2cw" data-renderer-mark="true">JsonWebToken</code> component from the _internal index by running the following search command:<br /> <code class="code css-1o5d2cw" data-renderer-mark="true">index=_internal component=JsonWebToken | delete</code><br />Note: The delete SPL command requires the can_delete role, which administrators do not receive by default. See <a class="css-tgpl01" title="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Delete" href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Delete" data-testid="link-with-safety" data-renderer-mark="true">delete</a> for more info on the delete search command.</p> </li> <li> <p data-renderer-start-pos="3958">While you are logged in, rotate any potentially exposed authentication tokens. See <a class="css-tgpl01" title="https://docs.splunk.com/Documentation/Splunk/latest/Security/ManageAuthTokens" href="https://docs.splunk.com/Documentation/Splunk/latest/Security/ManageAuthTokens" data-testid="link-with-safety" data-renderer-mark="true">Manage or delete authentication tokens</a> for more information.</p> </li> </ol> </div><p>If it isn&rsquo;t currently possible to upgrade to a fixed version of Splunk Enterprise, you can remedy the vulnerability by doing the following:</p> <ol class="ak-ol" start="1"> <li> <p>If the Splunk Enterprise instance runs in debug mode, turn it off. Restart the instance without using the <code>--debug</code> argument.</p> </li> <li> <p>If you don&rsquo;t use tokens to authenticate users on the Splunk Enterprise instance and token authentication is on, turn it off. See <a href="http://docs.splunk.com/Documentation/Splunk/latest/Security/EnableTokenAuth">Enable or disable token authentication</a> for more information.</p> </li> <li> <p>If the JsonWebToken component is at the DEBUG logging level, raise it to the INFO level.</p> <ol class="ak-ol" start="1"> <li> <p>Log into Splunk Web on the Splunk Enterprise instance and visit the Server Logging page as described previously.</p> </li> <li> <p>Select the JsonWebToken component, change its logging level to INFO, then select Save.</p> </li> </ol> </li> <li> <p>View the <code>$SPLUNK_HOME/etc/log.cfg</code> logging configuration files and confirm that the JsonWebToken component is at the INFO logging level. Look for a line in the file that says <code>category.JsonWebToken=</code>. If it equals DEBUG, raise the logging level to INFO by doing the following:</p> <ol class="ak-ol" start="1"> <li> <p>Edit the <code>$SPLUNK_HOME/etc/log.cfg</code> file.</p> </li> <li> <p>Add the line <code>category.JsonWebToken=INFO</code> to this file.</p> </li> <li> <p>Save the file.</p> </li> <li> <p>Repeat Steps 4a-4c with the <code>log-local.cfg</code> file, if it exists.</p> </li> <li> <p>Restart Splunk Enterprise for the changes to <code>log.cfg</code>or <code>log-local.cfg</code> to take effect. Note: Confirm that you do not use the <code>--debug</code> flag to restart Splunk Enterprise.</p> </li> </ol> </li> <li> <p>Delete the following log file: <code>$SPLUNK_HOME/var/log/splunk/splunkd.log</code></p> </li> <li> <p>Delete all the Splunk Enterprise log file events from the _internal index by running the following search command: <br> <div><code>index=_internal component=JsonWebToken | delete</code></div> <br>Note: The delete command requires the can_delete role, which administrators do not receive by default. See <a href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Delete">delete</a> for more info on the delete search command.</p> </li> <li> <p>While you are logged in, rotate any potentially exposed authentication tokens. See <a href="https://docs.splunk.com/Documentation/Splunk/latest/Security/ManageAuthTokens">Manage or delete authentication tokens</a> for more information.</p> </li> </ol><div> <p data-renderer-start-pos="6130">Splunk rates this vulnerability as informational, or falling between a 6.7, Medium, and a 7.2, High. The following scenarios affect the score:</p> <ul class="ak-ul" data-indent-level="1"> <li> <p data-renderer-start-pos="6600">If token authentication is turned off, then the vulnerability does not affect this Splunk Enterprise instance and the advisory is Informational.</p> </li> <li> <p data-renderer-start-pos="6404">If you limit access to the _internal index to holders of the admin role only, then the CVSS score lowers to 6.7, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H.</p> </li> <li> <p data-renderer-start-pos="6404">If admin users have provided lower-privilege users access to the _internal index, then the CVSS score would be 7.2, High, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H.</p> </li> </ul> </div> Alex Napier, Splunk
SVD-2024-01122024-01-302024-01-30 Third-Party Package Updates in Splunk Add-on Builder - January 2024High---- Splunk Add-on Builder -
4.1.4
Below 4.1.4
4.1.4
-
Splunk remedied common vulnerabilities and exposures (CVEs) in Third-Party Packages in Splunk Add-on Builder version 4.1.4, including the following:For Splunk Add-on Builder, upgrade to version 4.1.4. <br> <br> Splunk Add-on Builder replicates the requests Python HTTP library to custom apps and add-ons. After you upgrade Splunk Add-on Builder, review the following additional information if you use Add-on Builder to edit custom apps or add-ons: <br> &nbsp;&nbsp;&nbsp;&nbsp;1. Use Add-on Builder to edit and save the affected app. See the [Add-on Builder documentation](https://docs.splunk.com/Documentation/AddonBuilder/latest/UserGuide/Overview) for more information.<br> &nbsp;&nbsp;&nbsp;&nbsp;2. Restart Splunk Enterprise <br> <br> If the custom app or add-on is also installed on instances without Add-on Builder, you must package the upgraded custom app or add-on, then install it on the instances. See [Validate and Package](https://docs.splunk.com/Documentation/AddonBuilder/latest/UserGuide/Validate) and [Package apps](https://dev.splunk.com/enterprise/docs/releaseapps/packageapps/) for more information. <br> <br> For affected apps and add-ons that are already on SplunkBase, as a third-party developer, you must publish an updated version of the app or add-on to SplunkBase. For more information, see [Publish apps for Splunk Cloud Platform or Splunk Enterprise to Splunkbase](https://dev.splunk.com/enterprise/docs/releaseapps/splunkbase/). Cloud-vetted apps are subject to the [Cloud Vetting Change Policy](https://dev.splunk.com/enterprise/docs/releaseapps/cloudvetting/#Cloud-Vetting-Change-Policy). <br> <br> Note: The Splunk Add-on Builder does not replicate the semver (Semantic Version parser) library to custom apps and add-ons.N/AFor the CVEs in this list, Splunk adopted the national vulnerability database (NVD) common vulnerability scoring system (CVSS) rating to align with industry standards. CVE-2023-32681 - requests - Upgraded to 2.31.0 - Medium -
CVE-2022-25883 - semver - Upgraded to 5.7.2 - High -
SVD-2024-01112024-01-302024-01-30 Sensitive Information Disclosure to Internal Log Files in Splunk Add-on BuilderHigh CVE-2023-46230CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:L8.2CWE-532ADDON-63640 Splunk Add-on Builder -
4.1.4
Below 4.1.4
4.1.4
Add-on Builder
In Splunk Add-on Builder versions below 4.1.4, the app writes sensitive information to internal log files.Upgrade Splunk Add-on Builder to version 4.1.4 or higher, delete the logs, and delete the events.N/ASplunk rates this vulnerability as a 8.2, High, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:L. Vikram Ashtaputre, Splunk
SVD-2024-01102024-01-302024-01-30 Session Token Disclosure to Internal Log Files in Splunk Add-on BuilderHigh CVE-2023-46231CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H8.8CWE-532ADDON-63902 Splunk Add-on Builder -
4.1.4
Below 4.1.4
4.1.4
Add-on Builder
In Splunk Add-on Builder versions below 4.1.4, the application writes user session tokens to its internal log files when you visit the Splunk Add-on Builder or when you build or edit a custom app or add-on.Upgrade Splunk Add-on Builder to version 4.1.4 or higher, delete the logs, and delete the events.N/ASplunk rates this vulnerability as a 8.8, High, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. Vikram Ashtaputre, Splunk
SVD-2024-01092024-01-222024-01-26 Third-Party Package Updates in Splunk Enterprise - January 2024High---N/A Splunk Enterprise 9.0
Splunk Enterprise 9.1
9.0.8
9.1.3
9.0.0 to 9.0.7
9.1.0 to 9.1.2
9.0.8
9.1.3
-
-
Splunk remedied common vulnerabilities and exposures (CVEs) in Third-Party Packages in Splunk Enterprise versions 9.0.8 and 9.1.3, including the following:Upgrade Splunk Enterprise to version 9.0.8, 9.1.3, or higher.N/AFor the CVEs in this list, Splunk adopted the national vulnerability database (NVD) common vulnerability scoring system (CVSS) rating to align with industry standards. Multiple* - golang, in Splunk Assist - Upgraded golang from 1.20.7 to 1.20.10 - See vendor -
Multiple* - golang, in mongodump and mongorestore - Upgraded golang from 1.19** to 1.20.10 - See vendor -
CVE-2022-40899 - future, Python 3, in Upgrade Readiness App - Upgraded to 0.18.3 - High -
CVE-2022-40899 - future, Python 2, in Upgrade Readiness App - Upgraded to 0.18.3 - High -
CVE-2023-37920 - certifi - Patched*** - Low -
SVD-2024-01082024-01-222024-01-30 Deserialization of Untrusted Data on Splunk Enterprise for Windows through Path Traversal from Separate Disk PartitionHigh CVE-2024-23678CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H7.5CWE-20SPL-240674 Splunk Enterprise 9.0
Splunk Enterprise 9.1
9.0.8
9.1.3
9.0.0 to 9.0.7
9.1.0 to 9.1.2
9.0.8
9.1.3
Splunk Web
Splunk Web
In Splunk Enterprise for Windows versions below 9.0.8 and 9.1.3, Splunk Enterprise does not correctly sanitize path input data. This results in the unsafe deserialization of untrusted data from a separate disk partition on the machine. This vulnerability only affects Splunk Enterprise for Windows.Upgrade Splunk Enterprise for Windows to 9.0.8, 9.1.3, or higher.<br><br>This vulnerability does not affect Splunk Cloud Platform.If users do not log in to Splunk Web on instances in a distributed environment, disable Splunk Web on those instances. See [Disable unnecessary Splunk Enterprise components](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) and the [web.conf](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf) configuration specification file for more information on disabling Splunk Web. <br>Splunk rates this vulnerability a 7.5, High, with a CVSSv3.1 vector of CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H.<br><br>If you do not run Splunk Enterprise on a Windows machine, then there is no impact and the severity is Informational. Danylo Dmytriiev (DDV_UA)
SVD-2024-01072024-01-222024-01-22 Server Response Disclosure in RapidDiag Salesforce.com Log FileMedium CVE-2024-23677CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N4.3CWE-532SPL-225757 Splunk Enterprise 9.0
Splunk Cloud -
9.0.8
9.0.2208
9.0.0 to 9.0.7
Versions below 9.0.2208
9.0.8
9.0.2208
Splunk Web
Splunk Web
In Splunk Enterprise versions below 9.0.8, the Splunk RapidDiag utility discloses server responses to an external application upload request in a log file. The log files might contain sensitive information.Upgrade Splunk Enterprise to 9.0.8 or higher. <br><br>Splunk is actively monitoring and patching Splunk Cloud Platform instances.N/ASplunk rates this vulnerability a 4.3, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. Vikram Ashtaputre, Splunk
SVD-2024-01062024-01-222024-01-23 Sensitive Information Disclosure of Index Metrics through “mrollup” SPL CommandMedium CVE-2024-23676CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N4.6CWE-20SPL-245947 Splunk Enterprise 9.0
Splunk Enterprise 9.1
Splunk Cloud -
9.0.8
9.1.3
9.1.2308.200
9.0.0 to 9.0.7
9.1.0 to 9.1.2
Versions below 9.1.2308.200
9.0.8
9.1.3
9.1.2308.200
Splunk Web
Splunk Web
Splunk Web
In Splunk versions below 9.0.8 and 9.1.3, the “mrollup” SPL command lets a low-privileged user view metrics on an index that they do not have permission to view. This vulnerability requires user interaction from a high-privileged user to exploit. See [Splunk Enterprise Metrics](https://docs.splunk.com/Documentation/Splunk/latest/Metrics/Overview) for information on Metrics.Upgrade Splunk Enterprise to versions 9.0.8, 9.1.3, or higher.<br><br>Splunk is actively monitoring and patching Splunk Cloud Platform instances.If users do not log in to Splunk Web in a distributed environment, disable Splunk Web on those instances. See [Disable unnecessary Splunk Enterprise components](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) and the [web.conf](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf) configuration specification file for more information on disabling Splunk Web. <br><br>If users do not need access to metrics indexes, remove authorization to search those indexes. See [About configuring role-based user access](https://docs.splunk.com/Documentation/Splunk/latest/Security/Aboutusersandroles) for information on how to configure role-based user access.Splunk rates this vulnerability a 4.6, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N. Anton (therceman)
SVD-2024-01052024-01-222024-01-30 Splunk App Key Value Store (KV Store) Improper Handling of Permissions Leads to KV Store Collection DeletionMedium CVE-2024-23675CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N6.5CWE-284SPL-246067 Splunk Enterprise 9.0
Splunk Enterprise 9.1
Splunk Cloud -
9.0.8
9.1.3
9.1.2312.100
9.0.0 to 9.0.7
9.1.0 to 9.1.2
Versions below 9.1.2312.100
9.0.8
9.1.3
9.1.2312.100
Splunk REST API
Splunk REST API
Splunk REST API
In Splunk Enterprise versions below 9.0.8 and 9.1.3, Splunk app key value store (KV Store) improperly handles permissions for users that use the REST application programming interface (API). This can potentially result in the deletion of KV Store collections.Upgrade Splunk Enterprise to 9.0.8, 9.1.3, or higher.<br><br>Splunk is actively monitoring and patching Splunk Cloud Platform instances.Remove the `list_all_objects` capability from users that do not require it. See [Define roles on the Splunk platform with capabilities](https://docs.splunk.com/Documentation/Splunk/latest/Security/Rolesandcapabilities) for more information. If you are not using KV Store, you can disable it. See [Disable the KV store](https://docs.splunk.com/Documentation/Splunk/latest/Admin/AboutKVstore) for more information. Note: removing the list_all_objects capability may significantly impair user functionality.Splunk rates this vulnerability a 6.5, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N. Julian Kaufmann
SVD-2024-01042024-01-092024-01-09 Splunk User Behavior Analytics (UBA) Third-Party Package UpdatesHigh---UBA-16652 Splunk User Behavior Analytics (UBA) -
Splunk User Behavior Analytics (UBA) -
5.3.0
5.2.1
Below 5.3.0
Below 5.2.1
5.3.0
5.2.1
-
-
Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk User Behavior Analytics (UBA) versions 5.3.0 and 5.2.1, including the following:Upgrade Splunk User Behavior Analytics (UBA) to version 5.3.0, 5.2.1, or higher.N/AFor the CVEs in this list, Splunk adopted the national vulnerability database (NVD) common vulnerability scoring system (CVSS) rating to align with industry standards. CVE-2023-32695 - socket.io-parser - Upgraded to 4.6.2 - High -
CVE-2015-5237 - protobuf - Upgraded to 3.21.12 - High -
CVE-2022-3171 - protobuf - Upgraded to 3.21.12 - High -
CVE-2022-3509 - protobuf - Upgraded to 3.21.12 - High -
CVE-2022-3510 - protobuf - Upgraded to 3.21.12 - High -
CVE-2023-2976 - Guava - Upgraded to 32.0.1 - High -
SVD-2024-01032024-01-092024-01-11 Splunk Enterprise Security (ES) Third-Party Package Updates - January 2024Critical---- Splunk Enterprise Security (ES) 7.3
Splunk Enterprise Security (ES) 7.2
Splunk Enterprise Security (ES) 7.1
7.3.0
7.2.0
7.1.2
-
-
Below 7.1.2
7.3.0
7.2.0
7.1.2
-
-
-
Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk Enterprise Security (ES) versions 7.1.2, 7.2.0 and higher, including the following:Upgrade Splunk Enterprise Security (ES) to version 7.1.2, 7.2.0, 7.3.0 or higher.N/AFor the CVEs in this list, Splunk adopted the national vulnerability database (NVD) common vulnerability scoring system (CVSS) rating to align with industry standards. CVE-2023-45133 - babel/traverse - Upgraded to 7.23.2 - High -
CVE-2021-23446 - handsontable - Upgraded to 13.1.0 - High -
CVE-2022-25883 - semver - Upgraded to 6.3.1 - High -
CVE-2022-37599 - loader-utils - Upgraded to 1.4.2 - High -
CVE-2022-37603 - loader-utils - Upgraded to 1.4.2 - High -
CVE-2022-37601 - loader-utils - Upgraded to 1.4.2 - Critical -
CVE-2022-46175 - json5 - Upgraded to 1.0.2 - High -
SVD-2024-01022024-01-092024-01-10 Denial of Service in Splunk Enterprise Security of the Investigations manager through Investigation creationMedium CVE-2024-22165CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H6.5CWE-20SOLNESS-35977 Splunk Enterprise Security (ES) 7.3
Splunk Enterprise Security (ES) 7.2
Splunk Enterprise Security (ES) 7.1
7.3.0
7.2.0
7.1.2
-
-
Below 7.1.2
7.3.0
7.2.0
7.1.2
-
-
-
In Splunk Enterprise Security (ES) versions lower than 7.1.2, an attacker can create a malformed Investigation to perform a denial of service (DoS). The malformed investigation prevents the generation and rendering of the Investigations manager until it is deleted.<br>The vulnerability requires an authenticated session and access to create an Investigation. It only affects the availability of the Investigations manager, but without the manager, the Investigations functionality becomes unusable for most users.Upgrade Splunk Enterprise Security (ES) to version 7.1.2, 7.2.0, 7.3.0 or higher.N/ASplunk rates this vulnerability a 6.5, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. Eric LaMothe, Splunk
SVD-2024-01012024-01-092024-01-10 Denial of Service of an Investigation in Splunk Enterprise Security through Investigation attachmentsMedium CVE-2024-22164CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L4.3CWE-400SOLNESS-35980 Splunk Enterprise Security (ES) 7.3
Splunk Enterprise Security (ES) 7.2
Splunk Enterprise Security (ES) 7.1
7.3.0
7.2.0
7.1.2
-
-
Below 7.1.2
7.3.0
7.2.0
7.1.2
-
-
-
In Splunk Enterprise Security (ES) versions below 7.1.2, an attacker can use investigation attachments to perform a denial of service (DoS) to the investigation. The attachment endpoint does not properly limit the size of the request, which lets an attacker cause the investigation to become inaccessible.<br>The vulnerability requires the authenticated, collaborator access to the Investigation and only affects the availability of an affected Investigation.Upgrade Splunk Enterprise Security (ES) to versions 7.1.2, 7.2.0, 7.3.0 or higher.N/ASplunk rates this vulnerability a 4.3, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L. Vikram Ashtaputre, Splunk
SVD-2023-11072023-11-162023-12-18 November 2023 Splunk Universal Forwarder Third-Party UpdatesLow---- Splunk Universal Forwarder 9.0
Splunk Universal Forwarder 9.1
9.0.7
9.1.2
9.0.0 to 9.0.6
9.1.0 to 9.1.1
9.0.7
9.1.2
-
-
Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk Universal Forwarder, including the following:For Splunk Universal Forwarder, upgrade versions to 9.0.7 or 9.1.2.N/AFor the CVEs in this list, Splunk adopted the vendor's severity. CVE-2023-3817 - openssl - Upgraded to 1.0.2zi - Low -
CVE-2023-3446 - openssl - Upgraded to 1.0.2zi - Low -
SVD-2023-11062023-11-162024-01-11 November 2023 Third-Party Package Updates in Splunk Cloud PlatformCritical---- Splunk Cloud -
9.1.2308.100
Below 9.1.2308
9.1.2308.100
Splunk Web
Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in version 9.1.2308.100 of Splunk Cloud Platform.Splunk is actively upgrading and monitoring instances of Splunk Cloud Platform.N/AFor the CVEs in this list, Splunk adopted the national vulnerability database (NVD) common vulnerability scoring system (CVSS) rating to align with industry standards. CVE-2022-31799 - bottle - Upgraded to 0.12.25 - Critical -
CVE-2023-24329 - python - Upgraded to 3.7.17 - High -
CVE-2023-3817 - openssl - Upgraded to 1.0.2zi - Low -
CVE-2023-3446 - openssl - Upgraded to 1.0.2zi - Low -
SVD-2023-11052023-11-162023-11-16 November 2023 Third Party Package updates in Splunk EnterpriseHigh---- Splunk Enterprise 9.0
Splunk Enterprise 9.1
9.0.7
9.1.2
9.0.0 to 9.0.6
9.1.0 to 9.1.1
9.0.7
9.1.2
Splunk Web
Splunk Web
Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk Enterprise, including the following:For Splunk Enterprise, upgrade versions to 9.0.7 or 9.1.2.N/ASplunk Enterprise does not use bottle and is not impacted by CVE-2022-31799. Otheriwse, for the CVEs in this list, Splunk adopted the national vulnerability database (NVD) common vulnerability scoring system (CVSS) rating to align with industry standards. CVE-2021-22570 - protobuf - Upgraded to 3.15.8 - Medium -
CVE-2022-31799 - bottle - Upgraded to 0.12.25 - Informational -
CVE-2023-24329 - python - Upgraded to 3.7.17 - High -
CVE-2023-3817 - openssl - Upgraded to 1.0.2zi - Low -
CVE-2023-3446 - openssl - Upgraded to 1.0.2zi - Low -
SVD-2023-11042023-11-162023-12-12 Remote code execution (RCE) in Splunk Enterprise through Insecure XML ParsingHigh CVE-2023-46214CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H8.0CWE-91SPL-241695 Splunk Enterprise 9.0
Splunk Enterprise 9.1
Splunk Cloud -
9.0.7
9.1.2
9.1.2308
9.0.0 to 9.0.6
9.1.0 to 9.1.1
Versions below 9.1.2308
9.0.7
9.1.2
9.1.2308
Splunk Web
Splunk Web
Splunk Web
In Splunk Enterprise versions below 9.0.7 and 9.1.2, Splunk Enterprise does not safely sanitize extensible stylesheet language transformations (XSLT) that users supply. This means that an attacker can upload malicious XSLT which can result in remote code execution on the Splunk Enterprise instance.Upgrade Splunk Enterprise to either 9.0.7 or 9.1.2. <br><br>Splunk is actively monitoring and patching Splunk Cloud Platform instances.If you cannot upgrade, limit the ability of search job requests to accept XML stylesheet language (XSL) as valid input.<br><br>Edit the `web.conf` configuration file and add the following configuration on instances where you want to limit the ability of search job requests to accept XSL:<br><br>`[settings]`<br>`enableSearchJobXslt = false`<br><br>For more information on modifying the web.conf configuration file, see [How to edit a configuration file](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Howtoeditaconfigurationfile) and the [web.conf](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf) configuration specification. For earlier Splunk Enterprise versions, review the web.conf specification for availability of the `enableSearchJobXslt` setting.Splunk rates this vulnerability a 8.0, High, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H. Alex Hordijk
SVD-2023-11032023-11-162023-11-20 Cross-site Scripting (XSS) on “Show Syntax Highlighted” View in Search PageMedium CVE-2023-46213CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N4.8CWE-79VULN-5768 Splunk Enterprise 9.0
Splunk Enterprise 9.1
Splunk Cloud -
9.0.7
9.1.2
9.1.2308
9.0.0 to 9.0.6
9.1.0 to 9.1.1
Versions below 9.1.2308
9.0.7
9.1.2
9.1.2308
Splunk Web
Splunk Web
Splunk Web
In Splunk Enterprise versions below 9.0.7 and 9.1.2, the “Show syntax highlighted” feature of the Search page does not effectively escape log file characters.<br><br>This vulnerability lets an attacker craft a log file which can execute unauthorized Javascript code in the browser of a user that interacts with events in the malicious log file in a specific way.Upgrade Splunk Enterprise to versions 9.0.7 or 9.1.2. <br><br>Splunk is actively monitoring and patching Splunk Cloud Platform instances.If users do not log in to Splunk Web on indexers in a distributed environment, disable Splunk Web on those indexers. See [Disable unnecessary Splunk Enterprise components]([https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents)) and the [web.conf configuration specification]([https://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf)) file in the Splunk documentation for more information on disabling Splunk Web.<br>Do not use the “Show syntax highlighted” feature in the Search page on imported log files whose origins you are not familiar with.Splunk rates this vulnerability a 4.8, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N<br>If the Splunk Enterprise instance does not run Splunk Web, it is not affected and this vulnerability can be considered Informational. Joshua Neubecker
SVD-2023-11022023-11-162023-11-16 Third Party Package Update in Splunk Add-on for Google Cloud PlatformCritical---- Splunk Add-on for Google Cloud Platform -
4.3.0
Below 4.3.0
4.3.0
-
Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in version 4.3.0 of Splunk Add-on for Google Cloud Platform.For Splunk Add-on for Google Cloud Platform, upgrade versions to 4.3.0 or higher.N/AFor the CVEs in this list, Splunk adopted the national vulnerability database (NVD) common vulnerability scoring system (CVSS) rating to align with industry standards. CVE-2023-37920 - certifi - Upgraded to 2023.7.22 - Critical -
CVE-2023-45803 - urllib3 - Upgraded to 1.26.18 - Medium -
CVE-2023-43804 - urllib3 - Upgraded to 1.26.18 - High -
CVE-2023-44270 - postcss - Upgraded to 8.4.31 - Medium -
CVE-2022-25883 - semver - Upgraded to 6.3.1 and 7.5.4 - High -
SVD-2023-11012023-11-162023-11-16 Third Party Package Update in Splunk Add-on for Amazon Web ServicesCritical---- Splunk Add-on for Amazon Web Services -
7.2.0
Below 7.2.0
7.2.0
-
Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in version 7.2.0 of Splunk Add-on for Amazon Web Services, including the following:Upgrade the Splunk Add-on for Amazon Web Services to version 7.2.0 or higher.N/AFor the CVEs in this list, Splunk adopted the national vulnerability database (NVD) common vulnerability scoring system (CVSS) rating to align with industry standards. CVE-2023-37920 - certifi - Upgraded to 2023.7.22 - Critical -
SVD-2023-10012023-10-062023-10-06 Splunk Statement on CVE-2023-4863 libwebp VulnerabilityInformational----In early September 2023, Google disclosed a High-rated vulnerability, CVE-2023-4863, that affects Google Chrome and the libwebp library, which is part of the WebP image codec. Splunk has determined that CVE-2023-4863 does not affect Splunk products. If you have a product in your environment that CVE-2023-4863 does affect, upgrade the product per the recommendations from the product vendor.None. CVE-2023-4863 does _not_ affect Splunk products.NoneInformational CVE-2023-4863 - libwebp - Not affected - Informational -
SVD-2023-08112023-08-302023-08-30 Third Party Package Updates in IT Service Intelligence (ITSI)High---- Splunk ITSI 4.15
Splunk ITSI 4.13
4.15.3
4.13.3
4.15.0 to 4.15.2
4.13.0 to 4.13.2
4.15.3
4.13.3
-
-
Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk IT Service Intelligence (ITSI), including the following:For Splunk IT Service Intelligence (ITSI), upgrade versions to 4.13.3 or 4.15.3N/AFor the CVEs in this list, Splunk adopted the national vulnerability database (NVD) common vulnerability scoring system (CVSS) rating to align with industry standards. CVE-2023-2976 - guava - Upgraded to 32.0.0 - High -
SVD-2023-08102023-08-302023-09-29 Unauthenticated Log Injection in Splunk IT Service Intelligence (ITSI)High CVE-2023-4571CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H8.6CWE-117ITSI-31707 Splunk ITSI 4.13
Splunk ITSI 4.15
Splunk ITSI 4.17
4.13.3
4.15.3
4.17.1
4.13.0 to 4.13.2
4.15.0 to 4.15.2
4.17.0
4.13.3
4.15.3
4.17.1
-
-
-
In Splunk IT Service Intelligence (ITSI) versions below 4.13.3, 4.15.3, or 4.17.1, a malicious actor can inject American National Standards Institute (ANSI) escape codes into Splunk ITSI log files that, when a vulnerable terminal application reads them, can run malicious code in the vulnerable application. This attack requires a user to use a terminal application that translates ANSI escape codes to read the malicious log file locally in the vulnerable terminal. The vulnerability also requires additional user interaction to succeed.For Splunk ITSI, upgrade to version 4.13.3, 4.15.3, or 4.17.1. Upgrading or mitigating the issue prevents future log injections. However, logs that were generated prior to an upgrade might be at risk. Where applicable, remove existing Splunk ITSI log files in either $SPLUNK_HOME/var/log/splunk/ or $SPLUNK_HOME/var/run/splunk/dispatch/<session_id>/itsi_search.log. On Windows ITSI instances, the log files are in %SPLUNK_HOME%\var\log\splunk and %SPLUNK_HOME%\var\run\splunk\dispatch\<session_id>\itsi_search.log.As a partial mitigation, users can protect themselves from log injections via ANSI escape characters by disabling the ability to process ANSI escape codes in terminal applications or using a terminal application that supports the filtering of ANSI codes.Splunk rates the vulnerability as High, 8.6, with a CVSS Vector of CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H. **Attack Vector:** The attack initially occurs at the network layer through an HTTP web request from the attacker to the vulnerable Splunk ITSI instance. However, this initial attack vector does not align with the CVSS metrics for “Attack Vector.” In most vulnerabilities that Splunk rates, the vector would align with those metrics, but the CVSS specification provides two qualifications for the “Local” metric. Specifically, the second qualification states the following: * the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document).” The attack mirrors this example, requiring the user to open a malicious document, for example, the injected log file. Because of this, Splunk rated the Attack Vector as “Local” per the CVSS v3.1 Specification Document. **Attack Complexity:** The vulnerability does not require additional preparation from the attacker, and there are no extenuating circumstances for exploiting the vulnerability. **Privileges Required:** The vulnerability does not require attacker privileges and occurs through an unauthenticated request to the Splunk ITSI instance. **User Interaction:** The vulnerability requires users to open or read the malicious document, file, or log for successful execution. **Scope:** The vulnerability does not affect Splunk ITSI directly, only indirectly through the authorized permissions in the user’s terminal. The vulnerability directly affects the user’s terminal, which falls outside of Splunk’s security authority. As such, the vulnerability qualifies for a Change in Scope. **Confidentiality/Integrity/Availability:** The vulnerability allows for the potential for remote code execution within the context of a user’s terminal. Because of this, out of an abundance of caution, Splunk rated the impact on the user’s terminal as High for all three vectors. The indirect impact on Splunk ITSI might vary significantly depending on how the user configured permissions in their terminal application. STÖK / Fredrik Alexandersson
SVD-2023-08092023-08-302023-08-30 August Third Party Package Updates in Splunk Universal ForwarderHigh---- Universal Forwarder 8.2
Universal Forwarder 9.0
Universal Forwarder 9.1
8.2.12
9.0.6
9.1.1
8.2.0 to 8.2.11
9.0.0 to 9.0.5
9.1.0
8.2.12
9.0.6
9.1.1
-
-
-
Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk Universal Forwarder, including the following:For Splunk Universal Forwarder, upgrade versions to 8.2.12, 9.0.6, or 9.1.1N/AFor the CVEs in this list, Splunk adopted the national vulnerability database (NVD) common vulnerability scoring system (CVSS) rating to align with industry standards. CVE-2021-30560 - libxslt - Patched - High -
CVE-2021-30560 - libxslt - Patched - High -
CVE-2023-27538 - curl - Upgraded to 8.0.1 - Medium -
CVE-2023-27537 - curl - Upgraded to 8.0.1 - Medium -
CVE-2023-27536 - curl - Upgraded to 8.0.1 - Medium -
CVE-2023-27535 - curl - Upgraded to 8.0.1 - Medium -
CVE-2023-27534 - curl - Upgraded to 8.0.1 - High -
CVE-2023-27533 - curl - Upgraded to 8.0.1 - High -
CVE-2023-23916 - curl - Upgraded to 8.0.1 - Medium -
CVE-2023-23915 - curl - Upgraded to 8.0.1 - Medium -
CVE-2023-23914 - curl - Upgraded to 8.0.1 - Critical -
CVE-2022-43552 - curl - Upgraded to 8.0.1 - Medium -
CVE-2022-43551 - curl - Upgraded to 8.0.1 - High -
CVE-2022-42916 - curl - Upgraded to 8.0.1 - High -
CVE-2022-42915 - curl - Upgraded to 8.0.1 - High -
CVE-2022-35260 - curl - Upgraded to 8.0.1 - Medium -
CVE-2022-32221 - curl - Upgraded to 8.0.1 - Critical -
CVE-2022-35252 - curl - Upgraded to 8.0.1 - Low -
CVE-2022-32208 - curl - Upgraded to 8.0.1 - Medium -
CVE-2022-32207 - curl - Upgraded to 8.0.1 - Critical -
CVE-2022-32206 - curl - Upgraded to 8.0.1 - Medium -
CVE-2022-32205 - curl - Upgraded to 8.0.1 - Medium -
CVE-2022-30115 - curl - Upgraded to 8.0.1 - Medium -
CVE-2022-27782 - curl - Upgraded to 8.0.1 - High -
CVE-2022-27781 - curl - Upgraded to 8.0.1 - High -
CVE-2022-27780 - curl - Upgraded to 8.0.1 - High -
CVE-2022-27779 - curl - Upgraded to 8.0.1 - Medium -
CVE-2022-27778 - curl - Upgraded to 8.0.1 - High -
CVE-2022-27776 - curl - Upgraded to 8.0.1 - Medium -
CVE-2022-27775 - curl - Upgraded to 8.0.1 - High -
CVE-2022-27774 - curl - Upgraded to 8.0.1 - Medium -
CVE-2022-22576 - curl - Upgraded to 8.0.1 - High -
CVE-2021-22947 - curl - Upgraded to 8.0.1 - Medium -
CVE-2021-22946 - curl - Upgraded to 8.0.1 - High -
CVE-2021-22945 - curl - Upgraded to 8.0.1 - Critical -
CVE-2021-22926 - curl - Upgraded to 8.0.1 - High -
CVE-2021-22925 - curl - Upgraded to 8.0.1 - Medium -
CVE-2021-22924 - curl - Upgraded to 8.0.1 - Low -
CVE-2021-22923 - curl - Upgraded to 8.0.1 - Medium -
CVE-2021-22922 - curl - Upgraded to 8.0.1 - Medium -
CVE-2021-22901 - curl - Upgraded to 8.0.1 - High -
CVE-2021-22898 - curl - Upgraded to 8.0.1 - Low -
CVE-2021-22897 - curl - Upgraded to 8.0.1 - Medium -
CVE-2021-22890 - curl - Upgraded to 8.0.1 - Low -
CVE-2021-22876 - curl - Upgraded to 8.0.1 - Medium -
CVE-2020-8286 - curl - Upgraded to 8.0.1 - High -
CVE-2020-8285 - curl - Upgraded to 8.0.1 - High -
CVE-2020-8284 - curl - Upgraded to 8.0.1 - Low -
CVE-2020-8231 - curl - Upgraded to 8.0.1 - High -
CVE-2020-8177 - curl - Upgraded to 8.0.1 - High -
CVE-2020-8169 - curl - Upgraded to 8.0.1 - High -
CVE-2022-36227 - libarchive - Upgraded to 3.6.2 - Critical -
CVE-2021-31566 - libarchive - Upgraded to 3.6.2 - High -
CVE-2021-36976 - libarchive - Upgraded to 3.6.2 - Medium -
CVE-2021-3520 - lz4 - Upgraded to. 1.9.4 - Critical -
CVE-2020-14155 - pcre2 - Upgraded to 10.40 - Medium -
CVE-2019-20454 - pcre2 - Upgraded to 10.40 - High -
CVE-2019-20838 - pcre2 - Upgraded to 10.40 - High -
CVE-2020-14155 - pcre2 - Upgraded to 10.40 - Medium -
CVE-2019-20454 - pcre2 - Upgraded to 10.40 - High -
CVE-2019-20838 - pcre2 - Upgraded to 10.40 - High -
CVE-2022-35737 - sqlite - Upgraded to 3.41.2 - High -
SVD-2023-08082023-08-302024-02-14 August 2023 Third Party Package Updates in Splunk EnterpriseHigh---- Splunk Enterprise 8.2
Splunk Enterprise 9.0
Splunk Enterprise 9.1
8.2.12
9.0.6
9.1.1
8.2.0 to 8.2.11
9.0.0 to 9.0.5
9.1.0
8.2.12
9.0.6
9.1.1
-
-
-
Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk Enterprise, including the following:For Splunk Enterprise, upgrade versions to 8.2.12, 9.0.6, or 9.1.1N/AFor the CVEs in this list, Splunk adopted the national vulnerability database (NVD) common vulnerability scoring system (CVSS) rating to align with industry standards. CVE-2022-38900 - decode-uri-component - Upgraded to 6.0.0 - High -
CVE-2022-33987 - got - Upgraded to 12.5.3 - Medium -
CVE-2022-37601 - loader-utils - Upgraded to 1.4.2 - Critical -
CVE-2021-23382 - postcss - Upgraded to 7.0.37 - High -
CVE-2021-29060 - color-string - Upgraded to 1.5.5 - Medium -
CVE-2022-38900 - decode-uri-component - Upgraded to 0.2.1 - High -
CVE-2020-28469 - glob-parent - Upgraded to 5.1.2 - High -
CVE-2022-37599 - loader-utils - Upgraded to 2.0.4 - High -
CVE-2022-37601 - loader-utils - Upgraded to 2.0.4 - Critical -
CVE-2022-37603 - loader-utils - Upgraded to 2.0.4 - High -
CVE-2022-3517 - minimatch - Upgraded to 3.0.5 - High -
CVE-2022-31129 - moment - Upgraded to 2.29.4 - High -
CVE-2021-3803 - nth-check - Upgraded to 2.0.1 - High -
CVE-2021-23343 - path-parse - Upgraded to 1.0.7 - High -
CVE-2022-24999 - qs - Upgraded to 6.5.3 - High -
CVE-2022-25881 - http-cache-semantics - Upgraded to 4.1.1 - High -
CVE-2022-42003 - jackson-databind - Upgraded to 2.13.5 - High -
CVE-2022-42004 - jackson-databind - Upgraded to 2.13.5 - High -
CVE-2021-41182 - jquery-ui - Upgraded to 1.13.2 - Medium -
CVE-2021-41183 - jquery-ui - Upgraded to 1.13.2 - Medium -
CVE-2021-41184 - jquery-ui - Upgraded to 1.13.2 - Medium -
CVE-2022-46175 - json5 - Upgraded to 1.0.2 - High -
CVE-2022-36227 - libarchive - Upgraded to 3.6.2 - Critical -
CVE-2021-31566 - libarchive - Upgraded to 3.6.2 - High -
CVE-2021-36976 - libarchive - Upgraded to 3.6.2 - Medium -
CVE-2021-3520 - lz4 - Upgraded to. 1.9.4 - Critical -
CVE-2020-14155 - pcre2 - Upgraded to 10.40 - Medium -
CVE-2019-20454 - pcre2 - Upgraded to 10.40 - High -
CVE-2019-20838 - pcre2 - Upgraded to 10.40 - High -
CVE-2022-35737 - sqlite - Upgraded to 3.41.2 - High -
CVE-2022-23491 - certifi - Patched* - High -
CVE-2022-23491 - certifi - Upgraded to 2023.5.7** - High -
Multiple - curl - Upgraded to 8.0.1*** - High -
Multiple - go - Updated golang in mongotools**** - Critical -
CVE-2021-30560 - libxslt - Patched***** - High -
CVE-2022-2309 - lxml - Patched****** - High -
SVD-2023-08072023-08-302023-10-18 Command Injection in Splunk Enterprise Using External LookupsHigh CVE-2023-40598CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H8.5CWE-77SPL-230071 Splunk Enterprise 8.2
Splunk Enterprise 9.0
Splunk Enterprise 9.1
Splunk Cloud -
8.2.12
9.0.6
9.1.1
9.0.2305.200
8.2.0 to 8.2.11
9.0.0 to 9.0.5
9.1.0
9.0.2305.100 and below
8.2.12
9.0.6
9.1.1
9.0.2305.200
Splunk Web
Splunk Web
Splunk Web
Splunk Web
In Splunk Enterprise versions below 8.2.12, 9.0.6, and 9.1.1, an attacker can create an external lookup that calls a legacy internal function. The attacker can use this internal function to insert code into the Splunk platform installation directory. From there, a user can execute arbitrary code on the Splunk platform Instance.<br><br>The vulnerability revolves around the currently-deprecated `runshellscript` command that scripted alert actions use. This command, along with external command lookups, lets an attacker use this vulnerability to inject and execute commands within a privileged context from the Splunk platform instance.Upgrade Splunk Enterprise to either 8.2.12, 9.0.6, or 9.1.1. <br><br>Splunk is actively upgrading and monitoring Splunk Cloud deployments.If users do not log in to Splunk Web on indexers in a distributed environment, disable Splunk Web on those indexers. See [Disable unnecessary Splunk Enterprise components](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) and the [web.conf configuration specification](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf) file in the Splunk documentation for more information on disabling Splunk Web.Splunk rates this vulnerability 8.5, High, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H. Danylo Dmytriiev (DDV_UA)
SVD-2023-08062023-08-302023-10-18 Absolute Path Traversal in Splunk Enterprise Using runshellscript.pyHigh CVE-2023-40597CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H7.8CWE-36VULN-5304 Splunk Enterprise 8.2
Splunk Enterprise 9.0
Splunk Enterprise 9.1
Splunk Cloud -
8.2.12
9.0.6
9.1.1
9.0.2305.200
8.2.0 to 8.2.11
9.0.0 to 9.0.5
9.1.0
9.0.2305.100 and below
8.2.12
9.0.6
9.1.1
9.0.2305.200
Splunk Web
Splunk Web
Splunk Web
Splunk Web
In Splunk Enterprise versions lower than 8.2.12, 9.0.6, and 9.1.1, an attacker can exploit an absolute path traversal to execute arbitrary code that is located on a separate disk.<br><br>The runshellscript.py script does not perform adequate user validation. This lets an attacker use the runshellscript.py script to run a script in the root directory of another disk on the machine.<br><br>The exploit requires the attacker to have write access to the drive on which they place the exploit script.<br>This vulnerability only affects Splunk Enterprise Instances that run on Windows.Upgrade Splunk Enterprise to 8.2.12, 9.0.6, or 9.1.1. <br><br>This vulnerability does not affect Splunk Cloud Platform instances.No mitigationsSplunk rates this vulnerability a 7.8, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H. <br><br>This vulnerability only affects Splunk Enterprise Instances that run on Windows machines. If your Splunk platform instance does not run on Windows, it is not affected and this vulnerability is considered informational. Danylo Dmytriiev (DDV_UA)
SVD-2023-08052023-08-302023-08-30 Splunk Enterprise on Windows Privilege Escalation due to Insecure OPENSSLDIR Build Definition Reference in DLLHigh CVE-2023-40596CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H7.0CWE-665VULN-4474 Splunk Enterprise 8.2
Splunk Enterprise 9.0
Splunk Enterprise 9.1
8.2.12
9.0.6
9.1.1
8.2.0 to 8.2.11
9.0.0 to 9.0.5
9.1.0
8.2.12
9.0.6
9.1.1
Splunk Web
Splunk Web
Splunk Web
In Splunk Enterprise versions earlier than 8.2.12, 9.0.6, and 9.1.1, a dynamic link library (DLL) that ships with Splunk Enterprise references an insecure path for the OPENSSLDIR build definition. An attacker can abuse this reference and subsequently install malicious code to achieve privilege escalation on the Windows machine. As part of creating the DLL files within a Splunk Enterprise installation, the build system specifies internal build definition references. If a reference for a build definition is not provided, the build system uses the local directory on the build system when it builds the DLL files. The OPENSSLDIR definition reference was not explicitly provided at build time, which resulted in an insecure path for the OPENSSLDIR definition being encoded into the affected DLL file. An attacker could determine this directory and subsequently create the directory structure locally on the Splunk Enterprise instance, then install malicious code within this directory structure to escalate their privileges on the Windows machine that runs the instance.Upgrade Splunk Enterprise to versions 8.2.12, 9.0.6, or 9.1.1. This vulnerability does not affect Splunk Cloud Platform.Restrict the permissions of the user that runs the splunkd process to core functionality. For more information, please review [Harden Your Windows Installation](https://docs.splunk.com/Documentation/Splunk/latest/Security/HardenyourWindowsinstallation).Splunk rates this vulnerability as 7.0, High, with a CVSSv3.1 vector of CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. If you do not run Splunk Enterprise on a Windows machine, then there is no impact and the severity is Informational. Will Dormann, Vul Labs
SVD-2023-08042023-08-302023-10-18 Remote Code Execution via Serialized Session PayloadHigh CVE-2023-40595CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H8.8CWE-502PRODSECOPS-25334 Splunk Enterprise 8.2
Splunk Enterprise 9.0
Splunk Enterprise 9.1
Splunk Cloud -
8.2.12
9.0.6
9.1.1
9.0.2305.200
8.2.0 to 8.2.11
9.0.0 to 9.0.5
9.1.0
9.0.2305.100 and below
8.2.12
9.0.6
9.1.1
9.0.2305.200
Splunk Web
Splunk Web
Splunk Web
Splunk Web
In Splunk Enterprise versions lower than 8.2.12, 9.0.6, and 9.1.1, an attacker can execute a specially crafted query that they can then use to serialize untrusted data. The attacker can use the query to execute arbitrary code.<br><br>The exploit requires the use of the `collect` SPL command which writes a file within the Splunk Enterprise installation. The attacker can then use this file to submit a serialized payload that can result in execution of code within the payload.Upgrade Splunk Enterprise to versions 8.2.12, 9.0.6, or 9.1.1. <br><br>For Splunk Cloud Platform, Splunk is actively monitoring and patching affected instances.If users do not log in to Splunk Web on indexers in a distributed environment, disable Splunk Web on those indexers. See [Disable unnecessary Splunk Enterprise components](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) and the [web.conf configuration specification](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf) file in the Splunk documentation for more information on disabling Splunk Web.Splunk rated the vulnerability as High, 8.8, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.<br><br>If the Splunk Enterprise instance does not run Splunk Web, there is no impact and the severity is Informational. Danylo Dmytriiev (DDV_UA)
SVD-2023-08032023-08-302023-10-18 Denial of Service (DoS) via the ‘printf’ Search FunctionMedium CVE-2023-40594CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H6.5CWE-400SPL-235294 Splunk Enterprise 8.2
Splunk Enterprise 9.0
Splunk Enterprise 9.1
Splunk Cloud -
8.2.12
9.0.6
9.1.1
9.0.2303.100
8.2.0 to 8.2.11
9.0.0 to 9.0.5
9.1.0
9.0.2209 and lower
8.2.12
9.0.6
9.1.1
9.0.2303.100
Splunk Web
Splunk Web
Splunk Web
Splunk Web
In Splunk Enterprise versions lower than 8.2.12, 9.0.6, and 9.1.1, an attacker can use the ‘printf’ SPL function to perform a denial of service (DoS) against the Splunk Enterprise instance through a crash of the Splunk daemon.<br><br>The `printf` function does not properly validate expressions in certain cases in combination with commands like `fieldformat` that occur earlier in the search pipeline. This failure to validate results in a crash of the Splunk daemon and the subsequent DoS.Upgrade Splunk Enterprise to versions 8.2.12, 9.0.6, or 9.1.1. <br><br>Splunk is actively monitoring and patching Splunk Cloud Platform instances.If users do not log in to Splunk Web on indexers in a distributed environment, disable Splunk Web on those indexers. See [Disable unnecessary Splunk Enterprise components](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) and the [web.conf configuration specification](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf) file in the Splunk documentation for more information on disabling Splunk Web.Splunk has rated this vulnerability as 6.5, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H Danylo Dmytriiev (DDV_UA)
SVD-2023-08022023-08-302023-10-18 Denial of Service (DoS) in Splunk Enterprise Using a Malformed SAML RequestMedium CVE-2023-40593CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H6.3CWE-400SPL-219455 Splunk Enterprise 8.2
Splunk Enterprise 9.0
Splunk Cloud -
8.2.12
9.0.6
9.0.2205
8.2.0 to 8.2.11
9.0.0 to 9.0.5
8.2.2203
8.2.12
9.0.6
9.0.2205
Splunk Web
Splunk Web
Splunk Web
In Splunk Enterprise versions lower than 9.0.6, and 8.2.12, an attacker can send a malformed security assertion markup language (SAML) request to the `/saml/acs` REST endpoint which can cause a denial of service through a crash or hang of the Splunk daemon.<br><br>The SAML extensible markup language (XML) parser does not fail SAML signature validation when the attacker modifies the URI in the SAML request. Instead it attempts to access the modified URI, which causes the Splunk daemon to crash or hang.Upgrade Splunk Enterprise to versions 8.2.12 and 9.0.6. This vulnerability does not affect Splunk Enterprise versions 9.1.0 and higher.<br><br>Splunk is actively monitoring and patching Splunk Cloud Platform instances.Disable single sign-on using SAML as an authentication scheme (SAML SSO). For more information on this type of configuration, see [Configure single sign-on with SAML](https://docs.splunk.com/Documentation/SplunkCloud/latest/Security/HowSAMLSSOworks) in the Splunk documentation.Splunk rates this vulnerability as 6.3, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H. <br><br>If your Splunk Enterprise Instance does not use SAML as an authentication scheme for SSO, it is not affected and this vulnerability can be considered informational. Aaron Devaney (Dodekeract)
SVD-2023-08012023-08-302023-10-18 Reflected Cross-site Scripting (XSS) on "/app/search/table" web endpointHigh CVE-2023-40592CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H8.4CWE-79VULN-5287 Splunk Enterprise 8.2
Splunk Enterprise 9.0
Splunk Enterprise 9.1
Splunk Cloud -
8.2.12
9.0.6
9.1.1
9.0.2305.200
8.2.0 to 8.2.11
9.0.0 to 9.0.5
9.1.0
9.0.2305.100 and below
8.2.12
9.0.6
9.1.1
9.0.2305.200
Splunk Web
Splunk Web
Splunk Web
Splunk Web
In Splunk Enterprise versions below 9.1.1, 9.0.6, and 8.2.12, an attacker can craft a special web request that can result in reflected cross-site scripting (XSS) on the “/app/search/table” web endpoint, which presents as the “Create Table View” page in Splunk Web. Exploitation of this vulnerability can lead to the execution of arbitrary commands on the Splunk platform instance.<br><br>A JavaScript file within this web endpoint does not properly validate input which lets an attacker insert a payload into a function.Upgrade Splunk Enterprise to versions 8.2.12, 9.0.6, or 9.1.1.<br><br>Splunk is actively monitoring and patching Splunk Cloud Platform instances.If users do not log in to Splunk Web on indexers in a distributed environment, disable Splunk Web on those indexers. See [Disable unnecessary Splunk Enterprise components](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) and the [web.conf configuration specification](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf) file in the Splunk documentation for more information on disabling Splunk Web.Splunk rated this vulnerability as 8.4, High, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H Danylo Dmytriiev (DDV_UA)
SVD-2023-07022023-07-312023-10-18 Unauthenticated Log Injection In Splunk SOARHigh CVE-2023-3997CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H8.6CWE-117SPL-241869 Splunk SOAR (On-premises)
Splunk SOAR (Cloud)
6.1.0
6.1.0
6.0.2 and lower
6.0.2 and lower
6.1.0
6.1.0
SOAR
SOAR
In Splunk SOAR versions lower than 6.1.0, a maliciously crafted request to web endpoint through Splunk SOAR can inject ANSI (American National Standards Institute) escape codes into Splunk log files that, when a vulnerable terminal application reads them, can potentially result in malicious code execution in the vulnerable application. This attack requires a Splunk SOAR user to use a terminal application that supports the translation of ANSI escape codes to read the malicious log file locally in the vulnerable application. The attack further requires the terminal user to execute the code. This vulnerability does not directly affect Splunk SOAR, only indirectly through the permissions in the user’s terminal. The indirect impact on Splunk SOAR can vary significantly depending on the permissions in the vulnerable terminal application and where and how the terminal user reads the malicious log file. For example, a terminal user can unknowingly copy the malicious file from the Splunk SOAR instance and read it on their local machine. In this case, that local machine would be affected.Splunk SOAR (On-premises): Upgrade to version 6.1.0. Splunk SOAR (Cloud): No action is required. Splunk is actively patching and monitoring the Splunk SOAR (Cloud) instances.If it is not currently practical to upgrade to Splunk SOAR version 6.1.0, you can partially mitigate the risk. As a partial, general mitigation, you can protect Splunk SOAR users from log injections via ANSI escape characters by disabling the ability to process ANSI escape codes in terminal applications or by using a terminal application that supports the filtering of ANSI codes.Splunk rates this vulnerability as High, 8.6, with a CVSS vector of CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H. **Attack Vector:** The attack initially occurs at the network layer through an HTTP web request from the attacker to the vulnerable Splunk SOAR instance. However, this initial attack vector does not align with the CVSS metrics for “Attack Vector”. In most vulnerabilities that Splunk rates, the vector would align with CVSS metrics, but the CVSS specification provides two qualifications for the “Local” metric. Specifically, the second qualification states the following: *“The attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document).”* The attack mirrors this qualification, requiring another user to open a malicious document, for example, the injected log file. Because of this, Splunk rated this Attack Vector as “Local” per the CVSS v3.1 Specification Document. **Attack Complexity:** This vulnerability requires no additional preparation from the attacker, and there are no extenuating circumstances for exploiting this vulnerability. **Privileges Required:** This vulnerability does not require additional privileges and occurs through an unauthenticated web request to Splunk SOAR. **User Interaction:** This vulnerability requires users to open or read the malicious document, file, or log for successful execution. **Scope:** This vulnerability does not affect Splunk SOAR directly, only indirectly through the authorized permissions in the user’s terminal. This vulnerability directly affects the user’s terminal, which falls outside of Splunk’s security authority. As such, this vulnerability qualifies for a Change in Scope, as defined by the CVSS standard. **Confidentiality/Integrity/Availability:** This vulnerability enables potential remote code execution within the context of a user’s terminal. Because of this, out of an abundance of caution, Splunk rated the impact on the user’s terminal as High for Confidentiality, Integrity and Availability. The indirect impact on Splunk SOAR might vary significantly depending on how the terminal user configured permissions in their terminal application. STÖK / Fredrik Alexandersson
SVD-2023-07012023-07-172023-07-17 Splunk SOAR Cryptography Python Package Upgrade IncompatibilityInformational---- Splunk SOAR (On-premises) 6.1
Splunk SOAR (Cloud) 6.1
6.1.1
6.1.1
6.1.1 and above
6.1.1 and above
6.1.1
6.1.1
Custom Apps
Custom Apps
In Splunk Security Orchestration, Automation and Response (SOAR) version 6.1.1, Splunk upgraded the Python cryptography library within the app to version 41.0.1. This version of the cryptography library may cause Python module import problems during execution, if a specific version of the library is used for a custom app. The problem occurs when the cryptography library that you specify as a dependency for your custom app is a version that is lower than or equal to version 39.0.1.To address the incompatibility, specify a version of the library package on your custom app dependency to a version that is higher than 39.0.1. For more information on how to create a custom app using the SOAR App Wizard, see [Create an app with the App Wizard](https://docs.splunk.com/Documentation/SOAR/current/DevelopApps/CreateAnAppWithTheAppEditor) in the Splunk SOAR documentation.N/AN/A CVE-2023-23931 - Cryptography, Python - Upgraded to 41.0.1 - Medium -
CVE-2023-0286 - Cryptography, Python - Upgraded to 41.0.1 - High -
SVD-2023-06152023-06-012023-06-01 June Third Party Package Updates in Splunk CloudHigh---- Splunk Cloud
9.0.2303.100
9.0.2303 and lower
9.0.2303.100
-
Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk Cloud, including the following:For Splunk Cloud Platform, Splunk is actively patching and monitoring the Splunk Cloud instances.N/AFor the CVEs listed above, Splunk adopted the national vulnerability database (NVD) CVSS rating to align with industry standards. CVE-2022-40303 - libxml2 - Patched - High -
CVE-2022-40304 - libxml2 - Patched - High -
CVE-2022-23491 - certifi - Upgraded to 2022.12.7 - High -
CVE-2022-43680 - python3 - Upgraded to 3.7.16 - High -
CVE-2023-0286 - OpenSSL 1.0.2 - Upgraded to 1.0.2zg - High -
CVE-2023-0215 - OpenSSL 1.0.2 - Upgraded to 1.0.2zg - High -
CVE-2022-4304 - OpenSSL 1.0.2 - Upgraded to 1.0.2zg - Medium -
CVE-2022-33987 - got - Upgraded to 12.5.3 - Medium -
SVD-2023-06142023-06-012023-06-01 June Third Party Package Updates in Splunk Universal ForwardersCritical---- Universal Forwarders 8.1
Universal Forwarders 8.2
Universal Forwarders 9.0
8.1.14
8.2.11
9.0.5
8.1.13 and Lower
8.2.0 to 8.2.10
9.0.0 to 9.0.4
8.1.14
8.2.11
9.0.5
-
-
-
Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in versions 8.1.14, 8.2.11, and 9.0.5 of Splunk Universal Forwarder, including the following:For Splunk Universal Forwarder, upgrade versions to 8.1.14, 8.2.11, 9.0.5, or higher.N/AFor the CVEs listed above, Splunk adopted the national vulnerability database (NVD) CVSS rating to align with industry standards. CVE-2022-40303 - libxml2 - Patched - High -
CVE-2022-40304 - libxml2 - Patched - High -
CVE-2023-0286 - OpenSSL 1.0.2 - Upgraded to 1.0.2zg - High -
CVE-2023-0215 - OpenSSL 1.0.2 - Upgraded to 1.0.2zg - High -
CVE-2022-4304 - OpenSSL 1.0.2 - Upgraded to 1.0.2zg - Medium -
CVE-2023-27538 - curl - Upgraded to 8.0.1 - Medium -
CVE-2023-27537 - curl - Upgraded to 8.0.1 - Medium -
CVE-2023-27536 - curl - Upgraded to 8.0.1 - Critical -
CVE-2023-27535 - curl - Upgraded to 8.0.1 - High -
CVE-2023-27534 - curl - Upgraded to 8.0.1 - High -
CVE-2023-27533 - curl - Upgraded to 8.0.1 - High -
CVE-2023-23916 - curl - Upgraded to 8.0.1 - Medium -
CVE-2023-23915 - curl - Upgraded to 8.0.1 - Medium -
CVE-2023-23914 - curl - Upgraded to 8.0.1 - Critical -
CVE-2022-43552 - curl - Upgraded to 8.0.1 - Medium -
CVE-2022-43551 - curl - Upgraded to 8.0.1 - High -
CVE-2022-42916 - curl - Upgraded to 8.0.1 - High -
CVE-2022-42915 - curl - Upgraded to 8.0.1 - Critical -
CVE-2022-35260 - curl - Upgraded to 8.0.1 - Medium -
CVE-2022-32221 - curl - Upgraded to 8.0.1 - Critical -
CVE-2022-35252 - curl - Upgraded to 8.0.1 - Low -
CVE-2022-32208 - curl - Upgraded to 8.0.1 - Medium -
CVE-2022-32207 - curl - Upgraded to 8.0.1 - Critical -
CVE-2022-32206 - curl - Upgraded to 8.0.1 - Medium -
CVE-2022-32205 - curl - Upgraded to 8.0.1 - Medium -
CVE-2022-30115 - curl - Upgraded to 8.0.1 - Medium -
CVE-2022-27782 - curl - Upgraded to 8.0.1 - High -
CVE-2022-27781 - curl - Upgraded to 8.0.1 - High -
CVE-2022-27780 - curl - Upgraded to 8.0.1 - High -
CVE-2022-27779 - curl - Upgraded to 8.0.1 - Medium -
CVE-2022-27778 - curl - Upgraded to 8.0.1 - High -
CVE-2022-27776 - curl - Upgraded to 8.0.1 - Medium -
CVE-2022-27775 - curl - Upgraded to 8.0.1 - High -
CVE-2022-27774 - curl - Upgraded to 8.0.1 - Medium -
CVE-2022-22576 - curl - Upgraded to 8.0.1 - High -
CVE-2021-22947 - curl - Upgraded to 8.0.1 - Medium -
CVE-2021-22946 - curl - Upgraded to 8.0.1 - High -
CVE-2021-22945 - curl - Upgraded to 8.0.1 - Critical -
CVE-2021-22926 - curl - Upgraded to 8.0.1 - High -
CVE-2021-22925 - curl - Upgraded to 8.0.1 - Medium -
CVE-2021-22924 - curl - Upgraded to 8.0.1 - Low -
CVE-2021-22923 - curl - Upgraded to 8.0.1 - Medium -
CVE-2021-22922 - curl - Upgraded to 8.0.1 - Medium -
CVE-2021-22901 - curl - Upgraded to 8.0.1 - High -
CVE-2021-22898 - curl - Upgraded to 8.0.1 - Low -
CVE-2021-22897 - curl - Upgraded to 8.0.1 - Medium -
CVE-2021-22890 - curl - Upgraded to 8.0.1 - Low -
CVE-2021-22876 - curl - Upgraded to 8.0.1 - Medium -
CVE-2020-8286 - curl - Upgraded to 8.0.1 - High -
CVE-2020-8285 - curl - Upgraded to 8.0.1 - High -
CVE-2020-8284 - curl - Upgraded to 8.0.1 - Low -
CVE-2020-8231 - curl - Upgraded to 8.0.1 - High -
CVE-2020-8177 - curl - Upgraded to 8.0.1 - High -
CVE-2020-8169 - curl - Upgraded to 8.0.1 - High -
CVE-2022-36227 - libarchive - Upgraded to 3.6.2 - Critical -
CVE-2021-31566 - libarchive - Upgraded to 3.6.2 - High -
CVE-2021-36976 - libarchive - Upgraded to 3.6.2 - Medium -
CVE-2021-3520 - lz4 - Upgraded to 1.9.4 - Critical -
CVE-2022-35737 - SQLite - Upgraded to 3.41.2 - High -
CVE-2018-25032 - zlib - Applied patch - High -
CVE-2022-37434 - zlib - Applied patch - Critical -
SVD-2023-06132023-06-012024-01-09 June Third Party Package Updates in Splunk EnterpriseHigh---- Splunk Enterprise 8.1
Splunk Enterprise 8.2
Splunk Enterprise 9.0
8.1.14
8.2.11
9.0.5
8.1.13 and Lower
8.2.0 to 8.2.10
9.0.0 to 9.0.4
8.1.14
8.2.11
9.0.5
-
-
-
Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in versions 8.1.14, 8.2.11, and 9.0.5 of Splunk Enterprise, including the following:For Splunk Enterprise, upgrade versions to 8.1.14, 8.2.11, 9.0.5, or higher.N/AFor the CVEs listed above, Splunk adopted the national vulnerability database (NVD) CVSS rating to align with industry standards. CVE-2022-40303 - libxml2 - Patched - High -
CVE-2022-40304 - libxml2 - Patched - High -
CVE-2023-0286 - OpenSSL 1.0.2 - Upgraded to 1.0.2zg - High -
CVE-2023-0215 - OpenSSL 1.0.2 - Upgraded to 1.0.2zg - High -
CVE-2022-4304 - OpenSSL 1.0.2 - Upgraded to 1.0.2zg - Medium -
CVE-2023-27538 - curl - Upgraded to 8.0.1 - Medium -
CVE-2023-27537 - curl - Upgraded to 8.0.1 - Medium -
CVE-2023-27536 - curl - Upgraded to 8.0.1 - Critical -
CVE-2023-27535 - curl - Upgraded to 8.0.1 - High -
CVE-2023-27534 - curl - Upgraded to 8.0.1 - High -
CVE-2023-27533 - curl - Upgraded to 8.0.1 - High -
CVE-2023-23916 - curl - Upgraded to 8.0.1 - Medium -
CVE-2023-23915 - curl - Upgraded to 8.0.1 - Medium -
CVE-2023-23914 - curl - Upgraded to 8.0.1 - Critical -
CVE-2022-43552 - curl - Upgraded to 8.0.1 - Medium -
CVE-2022-43551 - curl - Upgraded to 8.0.1 - High -
CVE-2022-42916 - curl - Upgraded to 8.0.1 - High -
CVE-2022-42915 - curl - Upgraded to 8.0.1 - Critical -
CVE-2022-35260 - curl - Upgraded to 8.0.1 - Medium -
CVE-2022-32221 - curl - Upgraded to 8.0.1 - Critical -
CVE-2022-35252 - curl - Upgraded to 8.0.1 - Low -
CVE-2022-32208 - curl - Upgraded to 8.0.1 - Medium -
CVE-2022-32207 - curl - Upgraded to 8.0.1 - Critical -
CVE-2022-32206 - curl - Upgraded to 8.0.1 - Medium -
CVE-2022-32205 - curl - Upgraded to 8.0.1 - Medium -
CVE-2022-30115 - curl - Upgraded to 8.0.1 - Medium -
CVE-2022-27782 - curl - Upgraded to 8.0.1 - High -
CVE-2022-27781 - curl - Upgraded to 8.0.1 - High -
CVE-2022-27780 - curl - Upgraded to 8.0.1 - High -
CVE-2022-27779 - curl - Upgraded to 8.0.1 - Medium -
CVE-2022-27778 - curl - Upgraded to 8.0.1 - High -
CVE-2022-27776 - curl - Upgraded to 8.0.1 - Medium -
CVE-2022-27775 - curl - Upgraded to 8.0.1 - High -
CVE-2022-27774 - curl - Upgraded to 8.0.1 - Medium -
CVE-2022-22576 - curl - Upgraded to 8.0.1 - High -
CVE-2021-22947 - curl - Upgraded to 8.0.1 - Medium -
CVE-2021-22946 - curl - Upgraded to 8.0.1 - High -
CVE-2021-22945 - curl - Upgraded to 8.0.1 - Critical -
CVE-2021-22926 - curl - Upgraded to 8.0.1 - High -
CVE-2021-22925 - curl - Upgraded to 8.0.1 - Medium -
CVE-2021-22924 - curl - Upgraded to 8.0.1 - Low -
CVE-2021-22923 - curl - Upgraded to 8.0.1 - Medium -
CVE-2021-22922 - curl - Upgraded to 8.0.1 - Medium -
CVE-2021-22901 - curl - Upgraded to 8.0.1 - High -
CVE-2021-22898 - curl - Upgraded to 8.0.1 - Low -
CVE-2021-22897 - curl - Upgraded to 8.0.1 - Medium -
CVE-2021-22890 - curl - Upgraded to 8.0.1 - Low -
CVE-2021-22876 - curl - Upgraded to 8.0.1 - Medium -
CVE-2020-8286 - curl - Upgraded to 8.0.1 - High -
CVE-2020-8285 - curl - Upgraded to 8.0.1 - High -
CVE-2020-8284 - curl - Upgraded to 8.0.1 - Low -
CVE-2020-8231 - curl - Upgraded to 8.0.1 - High -
CVE-2020-8177 - curl - Upgraded to 8.0.1 - High -
CVE-2020-8169 - curl - Upgraded to 8.0.1 - High -
CVE-2022-36227 - libarchive - Upgraded to 3.6.2 - Critical -
CVE-2021-31566 - libarchive - Upgraded to 3.6.2 - High -
CVE-2021-36976 - libarchive - Upgraded to 3.6.2 - Medium -
CVE-2021-3520 - lz4 - Upgraded to 1.9.4 - Critical -
CVE-2022-35737 - SQLite - Upgraded to 3.41.2 - High -
CVE-2018-25032 - zlib - Applied patch - High -
CVE-2022-37434 - zlib - Applied patch - Critical -
CVE-2020-15138 - prismjs - Upgraded to 1.2.9 - High -
CVE-2022-37616 - xmldom - Upgraded to 0.7.9 - Critical -
CVE-2021-29060 - color-string - Upgraded to 1.5.5 - Medium -
CVE-2022-38900 - decode-uri-component - Upgraded to 0.2.1 - High -
CVE-2020-28469 - glob-parent - Upgraded to 5.1.2 - High -
CVE-2022-46175 - json5 - Upgraded to 1.0.2 - High -
CVE-2022-46175 - json5 - Upgraded to 2.2.3 - High -
CVE-2022-37599 - loader-utils - Upgraded to 2.0.4 - High -
CVE-2022-37601 - loader-utils - Upgraded to 2.0.4 - Critical -
CVE-2022-37603 - loader-utils - Upgraded to 2.0.4 - High -
CVE-2022-3517 - minimatch - Upgraded to 3.0.5 - High -
CVE-2022-31129 - moment - Upgraded to 2.29.4 - High -
CVE-2021-23343 - path-parse - Upgraded to 1.0.7 - High -
CVE-2021-23368 - postcss - Upgraded to 7.0.36 - Medium -
CVE-2021-23382 - postcss - Upgraded to 7.0.36 - High -
CVE-2022-43680 - python3 - Upgraded to 3.7.16 - High -
CVE-2022-24999 - qs - Upgraded to 6.5.3 - High -
CVE-2020-7753 - ssri - Uppgraded to 6.0.2 - High -
CVE-2022-25858 - terser - Upgraded to 4.8.1 - High -
CVE-2021-3803 - nth-check - Upgraded to 2.0.1 - High -
CVE-2020-7753 - trim - Upgraded to 0.0.3 - High -
CVE-2021-33587 - css-what - Upgraded to 5.0.1 - High -
CVE-2020-8116 - dot-prop - Upgraded to 4.2.1 - High -
CVE-2020-13822 - elliptic - Upgraded to 6.5.4 - High -
CVE-2022-33987 - got - Upgraded to 12.5.3 - Medium -
CVE-2022-4200 - jackson-databind - Upgraded to 2.13.5 - Medium -
CVE-2022-42004 - jackson-databind - Upgraded to 2.13.5 - High -
CVE-2023-1370 - json-smart - Upgraded to 2.4.9 - High -
CVE-2019-20149 - kind-of - Upgraded to 6.0.3 - High -
CVE-2022-37601 - loader-utils - Upgraded to 1.4.2 - Critical -
CVE-2022-37601 - loader-utils - Upgraded to 2.0.4 - Critical -
CVE-2020-8203 - lodash - Upgraded to 4.17.21 - High -
CVE-2019-10744 - lodash-es - Upgraded to 4.17.21 - Critical -
CVE-2022-40023 - mako - Patched* - High -
CVE-2022-40023 - mako - Upgraded to 1.2.4** - High -
CVE-2019-10746 - mixin-deep - Upgraded to 1.3.2 - Critical -
CVE-2021-23382 - postcss - Upgraded to 7.0.37 - High -
CVE-2021-33502 - normalize-url - Upgraded to 6.1.0 - High -
CVE-2021-27292 - ua-parser-js - Upgraded to 0.7.35 - High -
CVE-2021-33503 - urllib3 - Upgraded to 1.26.6 - High -
CVE-2020-7662 - websocket-extensions - Upgraded to 0.1.4 - High -
CVE-2020-7774 - y18n - Upgraded to 4.0.3 - Critical -
CVE-2022-23806 - go, crypto/elliptic - Upgraded go to 1.2 - Critical -
CVE-2022-23772 - go, math/big - Upgraded go to 1.2 - High -
CVE-2021-43565 - go, x/crypto - Upgraded go to 1.2 - High -
CVE-2022-30580 - go, os/exec - Upgraded go to 1.2 - High -
CVE-2022-30633 - go, encoding/xml - Upgraded go to 1.2 - High -
CVE-2022-28131 - go, encoding/xml - Upgraded go to 1.2 - High -
CVE-2022-30632 - go, path/filepath - Upgraded go to 1.2 - High -
CVE-2022-41716 - go - Upgraded go to 1.2 - High -
CVE-2022-28327 - go, crypto/elliptic - Upgraded go to 1.2 - High -
CVE-2022-24921 - go - Upgraded go to 1.2 - High -
CVE-2022-30630 - go, io/fs - Upgraded go to 1.2 - High -
CVE-2022-27191 - go, crypto/ssh - Upgraded go to 1.2 - High -
CVE-2022-23773 - go, cmd/go - Upgraded go to 1.2 - High -
CVE-2022-30634 - go, crypto/rand - Upgraded go to 1.2 - High -
CVE-2022-41715 - go - Upgraded go to 1.2 - High -
CVE-2022-24675 - go, encoding/pem - Upgraded go to 1.2 - High -
CVE-2022-41720 - go - Upgraded go to 1.2 - High -
CVE-2022-27664 - go, net/http - Upgraded go to 1.2 - High -
CVE-2022-2880 - go, net/http - Upgraded go to 1.2 - High -
CVE-2022-29804 - go, path/filepath - Upgraded go to 1.2 - High -
CVE-2022-32189 - go, math/big - Upgraded go to 1.2 - High -
CVE-2022-30635 - go, encoding/gob - Upgraded go to 1.2 - High -
CVE-2022-30631 - go, compress/gzip - Upgraded go to 1.2 - High -
CVE-2022-2879 - go - Upgraded go to 1.2 - High -
CVE-2022-1705 - go, net/http - Upgraded go to 1.2 - Medium -
CVE-2022-1962 - go, go/parse - Upgraded go to 1.2 - Medium -
CVE-2022-29526 - go, sys - Upgraded go to 1.2 - Medium -
CVE-2022-32148 - go, net/http - Upgraded go to 1.2 - Medium -
CVE-2022-30629 - go, crypto/tls - Upgraded go to 1.2 - Low -
CVE-2017-16042 - Growl - Upgraded to 1.10.5 - Critical -
CVE-2021-20095 - Babel - Upgraded to 2.9.1 - Medium -
SVD-2023-06122023-06-012023-06-01 Role-based Access Control (RBAC) Bypass on '/services/indexing/preview' REST Endpoint Can Overwrite Search ResultsMedium CVE-2023-32717CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N4.3CWE-285SPL-237454 Splunk Enterprise 8.1
Splunk Enterprise 8.2
Splunk Enterprise 9.0
Splunk Cloud Platform
8.1.14
8.2.11
9.0.5
9.0.2303.100
8.1.0 to 8.1.13
8.2.0 to 8.2.10
9.0.0 to 9.0.4
9.0.2303 and below
8.1.14
8.2.11
9.0.5
9.0.2303.100
Splunk Web
Splunk Web
Splunk Web
Splunk Web
An unauthorized user can access the '/services/indexing/preview' REST endpoint to overwrite search results if they know the search ID (SID) of an existing search job. This is because the endpoint does not honor role-based access controls (RBAC) with respect to SID ownership. The exploit requires that the user hold a role that has the 'edit_monitor' and 'edit_upload_and_index' capabilities assigned to it.For Splunk Enterprise, upgrade to versions 9.0.5, 8.2.11, or 8.1.14 and higher. For Splunk Cloud Platform, Splunk is monitoring and patching affected instances.Remove the 'edit_monitor' and 'edit_upload_and_index' capabilities from roles that low-privilege user accounts hold. Ensure that all REST endpoints have the proper access control lists (ACLs) applied to them.Splunk rated this vulnerability as Medium, 4.3, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. Scott Calvert, Splunk
SVD-2023-06112023-06-012023-06-01 Denial of Service via the 'dump' SPL commandMedium CVE-2023-32716CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H6.5CWE-754SPL-235572 Splunk Enterprise 8.1
Splunk Enterprise 8.2
Splunk Enterprise 9.0
Splunk Cloud Platform
8.1.14
8.2.11
9.0.5
9.0.2303.100
8.1.0 to 8.1.13
8.2.0 to 8.2.10
9.0.0 to 9.0.4
9.0.2303 and below
8.1.14
8.2.11
9.0.5
9.0.2303.100
Splunk Web
Splunk Web
Splunk Web
Splunk Web
An attacker can exploit a vulnerability in the 'dump' SPL command to cause a denial of service by crashing the Splunk daemon. If the attacker supplies a longer-than-expected filename with the command, a memory access violation, or segmentation fault, occurs, which results in a crash of the Splunk platform instance.For Splunk Enterprise, upgrade to versions 9.0.5, 8.2.11, 8.1.14, and higher. For Splunk Cloud Platform, Splunk is actively monitoring and patching affected instances.Remove the 'run_dump' capability from any roles that users hold.Splunk rated this vulnerability as Medium, 6.5, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. Danylo Dmytriiev (DDV_UA)
SVD-2023-06102023-06-012023-06-01 Self Cross-Site Scripting (XSS) on Splunk App for Lookup File EditingMedium CVE-2023-32715CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N4.7CWE-79LOOKUP-176 Splunk App for Lookup File Editing 4.0
4.0.1
4.0 and lower
4.0.1

A user can insert potentially malicious JavaScript code into the Splunk App for Lookup File Editing, which causes the code to run on the user’s machine.Upgrade the Splunk App for Lookup Editing to version 4.0.1 or higher.Disable the Splunk App for Lookup File Editing if you do not require it and cannot upgrade it. If users do not log in to Splunk Web on indexers in a distributed environment, disable Splunk Web on those indexers. See [Disable unnecessary Splunk Enterprise components](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) and the [web.conf configuration specification file](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf) in the Splunk documentation for more information on disabling Splunk Web.Splunk rated this vulnerability as Medium, 4.7, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N.
SVD-2023-06092023-06-012023-06-01 Information Disclosure via the ‘copyresults’ SPL CommandMedium CVE-2023-32710CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N4.8CWE-200SPL-234996 Splunk Enterprise 8.1
Splunk Enterprise 8.2
Splunk Enterprise 9.0
Splunk Cloud Platform
8.1.14
8.2.11
9.0.5
9.0.2303.100
8.1.0 to 8.1.13
8.2.0 to 8.2.10
9.0.0 to 9.0.4
9.0.2303 and lower
8.1.14
8.2.11
9.0.5
9.0.2303.100
Splunk Web
Splunk Web
Splunk Web
Splunk Web
A low-privileged user can perform an unauthorized transfer of data from a search using the ‘copyresults’ command if they know the search ID (SID) of a search job that has recently run.For Splunk Enterprise, upgrade versions to 8.1.14, 8.2.11, 9.0.5, or higher. For Splunk Cloud Platform, Splunk is actively patching and monitoring the Splunk Cloud instances.N/ASplunk rated the vulnerability as Medium, 4.8, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N. Anton (therceman)
SVD-2023-06082023-06-012023-06-01 Path Traversal in Splunk App for Lookup File EditingHigh CVE-2023-32714CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N8.1CWE-35LOOKUP-177 Splunk App for Lookup File Editing 4.0
4.0.1
4.0 and lower
4.0.1

A low-privileged user with access to the Splunk App for Lookup File Editing can, with a specially crafted web request, trigger a path traversal exploit that can then be used to read and write to restricted areas of the Splunk installation directory.Upgrade the Splunk App for Lookup Editing to version 4.0.1 or higher.N/ASplunk rated the vulnerability as High, 8.1, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N. Torjus Bryne Retterstøl, Binary Security
SVD-2023-06072023-06-012023-06-01 Local Privilege Escalation via the ‘streamfwd’ program in Splunk App for StreamHigh CVE-2023-32713CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H7.8CWE-269STREAM-5290 Splunk App for Stream 8.1
8.1.1
8.1 and lower
8.1.1
streamfwd
A low-privileged user could use a vulnerability in the streamfwd process within the Splunk App for Stream to escalate their privileges on the machine that runs the Splunk Enterprise instance, up to and including the root user.Upgrade the Splunk App for Stream to version 8.1.1 or higher.* Install the Splunk App for Stream as a high-privileged user, for example, one that has been added to the /etc/sudoers file on the machine that runs the instance (on machines that run *nix). * Limit user access to the ‘streamfwd’ process by removing all but privileged users' ability to run the process. * Disable the Splunk App for Stream if you do not require it and cannot upgrade it.Splunk rated the vulnerability as High, 7.8 with a CVSSv3.1 vector of CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H If the instance does not run the Splunk App for Stream, then there is no impact and the severity is Informational. Ben Leonard-Lagarde & Lucas Fedyniak-Hopes (Modux)
SVD-2023-06062023-06-012023-10-18 Unauthenticated Log Injection in Splunk EnterpriseHigh CVE-2023-32712CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H8.6CWE-117SPL-235259 Splunk Enterprise 8.2
Splunk Enterprise 9.0
Splunk Enterprise 9.1
Universal Forwarder 8.2
Universal Forwarder 9.0
Universal Forwarder 9.1
8.2.11.2
9.0.5.1
9.1.0.2
8.2.12
9.0.6
9.1.1
8.2.0 to 8.2.11.1
9.0.0 to 9.0.5
9.1.0 to 9.1.0.1
8.2.11 and below
9.0.0 to 9.0.5
9.1.0 to 9.1.0.1
8.2.11.2
9.0.5.1
9.1.0.2
8.2.12
9.0.6
9.1.1
-
-
-
REST API
REST API
REST API
In Splunk Enterprise versions below 9.1.0.2, 9.0.5.1, and 8.2.11.2, an attacker can inject American National Standards Institute (ANSI) escape codes into Splunk log files that, when a vulnerable terminal application reads them, can potentially, at worst, result in possible code execution in the vulnerable application. This attack requires a user to use a terminal application that supports the translation of ANSI escape codes to read the malicious log file locally in the vulnerable terminal, and to perform additional user interaction to exploit. Universal Forwarder versions 9.1.0.1, 9.0.5, 8.2.11, and lower can be vulnerable in the following situations: * The forwarders have been configured to have management services active * The active management services are exposed and accessible from the network By default, all Universal Forwarder 9.0 and 9.1 versions bind management services to the local machine (localhost) and are not vulnerable in this specific configuration. See [SVD-2022-0605](https://advisory.splunk.com/advisories/SVD-2022-0605) for more information. Universal Forwarder versions 9.1 and higher use Unix Domain Sockets (UDS) for communication, further reducing the potential attack surface. The vulnerability does not directly affect Splunk Enterprise or Splunk Universal Forwarder. The indirect impact on the Splunk Enterprise instance and Universal Forwards can vary significantly depending on the permissions in the vulnerable terminal application and where and how the user reads the malicious log file. For example, users can copy the malicious file from the Splunk Enterprise instance and read it on their local machine. For Splunk Enterprise, upgrade to version 8.2.11.2, 9.0.5.1, or 9.1.0.2. For Splunk Universal Forwarder, upgrade to version 8.2.12, 9.0.6, or 9.1.1. This vulnerability does not affect Splunk Cloud Platform instances directly. Where possible, Splunk Cloud Platform customers with on-premises Splunk infrastructure, including universal and heavy forwarders, deployment servers, and license servers, must upgrade that infrastructure to reduce their attack surface. Upgrading or mitigating the issue prevents future log injections. However, logs that were created before performing the upgrades or mitigations can still pose a risk. Where applicable, remove Splunk Enterprise log files in the $SPLUNK_HOME/var/log/splunk/ directory.As a partial mitigation, users can protect themselves from log injections via ANSI escape characters in general, by disabling the ability to process ANSI escape codes in terminal applications or using a terminal application that supports the filtering of ANSI codes. For Universal Forwarder versions 8.2.x, configure management services to only accept inbound connections from the local machine (localhost). For Universal Forwarder versions 9.0.x and 9.1.x, confirm that management services only accept inbound connections from localhost. To deactivate remote management services on Universal Forwarder: * In the [server.conf](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Serverconf) configuration file on UF, under the [httpServer] stanza, give the `disableDefaultPort` setting a value of `true`, or, under the [general] stanza, give the `allowRemoteLogin` setting a value of `never`. See [Configure universal forwarder management security](https://docs.splunk.com/Documentation/Splunk/latest/Security/EnableTLSCertHostnameValidation#Configure_universal_forwarder_management_security) in Securing Splunk Enterprise for more information on deactivating remote management services. For improved overall security on UF versions 9.1.x and higher, where applicable, consider configuring the UF to use UDS for communication. In the [server.conf](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Serverconf) configuration file, under the [httpServer] stanza, give the `mgmtMode` setting a value of `UDS` (or `default`).Splunk rates the vulnerability as High, 8.6, with a CVSS Vector of  CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H. **Attack Vector:** The attack initially occurs at the network layer through an HTTP web request from the attacker to the vulnerable Splunk Enterprise instance. However, this initial attack vector does not align with the CVSS metrics for "Attack Vector." In most vulnerabilities that Splunk rates, the vector would align with those metrics, but the CVSS specification provides two qualifications for the "Local" metric. Specifically, the second qualification states the following: _the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document)._" The attack mirrors this example, requiring the user to open a malicious document, for example, the injected log file. Because of this, Splunk rated the Attack Vector as "Local" per the CVSS v3.1 Specification Document. **Attack Complexity:** The vulnerability requires no additional preparation from the attacker, and there are no extenuating circumstances for exploiting the vulnerability. **Privileges Required:** The vulnerability does not require attacker privileges and occurs through an unauthenticated request to the Splunk Enterprise instance. **User Interaction:** The vulnerability requires users to open or read the malicious document, file, or log for successful execution. **Scope:** The vulnerability does not affect Splunk Enterprise directly, only indirectly through the authorized permissions in the user’s terminal. The vulnerability directly affects the user’s terminal, which falls outside of Splunk’s security authority. As such, the vulnerability qualifies for a Change in Scope. **Confidentiality/Integrity/Availability:** The vulnerability allows for the potential for remote code execution within the context of a user’s terminal. Because of this, out of an abundance of caution, Splunk rated the impact on the user’s terminal as High for all three vectors. The indirect impact on Splunk Enterprise might vary significantly depending on how the user configured permissions in their terminal application. STÖK / Fredrik Alexandersson
SVD-2023-06052023-06-012023-06-01 Persistent Cross-Site Scripting (XSS) through a URL Validation Bypass within a Dashboard ViewMedium CVE-2023-32711CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N5.4CWE-79SPL-234890 Splunk Enterprise 8.1
Splunk Enterprise 8.2
Splunk Enterprise 9.0
8.1.14
8.2.11
9.0.5
8.1.0 to 8.1.13
8.2.0 to 8.2.10
9.0.0 to 9.0.4
8.1.14
8.2.11
9.0.5
Splunk Web
Splunk Web
Splunk Web
A Splunk dashboard view lets a low-privileged user exploit a vulnerability in the Bootstrap web framework (CVE-2019-8331) and build a stored cross-site scripting (XSS) payload.For Splunk Enterprise, upgrade versions to 8.1.14, 8.2.11, 9.0.5, or higher. This vulnerability does not affect Splunk Cloud Platform instances.If users do not log in to Splunk Web on indexers in a distributed environment, disable Splunk Web on those indexers. See [Disable unnecessary Splunk Enterprise components](https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents) and the [web.conf configuration specification file](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf) in the Splunk documentation for more information on disabling Splunk Web.Splunk rated the vulnerability as Medium, 5.4, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. Danylo Dmytriiev (DDV_UA)
SVD-2023-06042023-06-012023-06-01 Low-privileged User can View Hashed Default Splunk PasswordMedium CVE-2023-32709CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N4.3CWE-285SPL-235016 Splunk Enterprise 8.1
Splunk Enterprise 8.2
Splunk Enterprise 9.0
Splunk Cloud Platform
8.1.14
8.2.11
9.0.5
9.0.2303.100
8.1.0 to 8.1.13
8.2.0 to 8.2.10
9.0.0 to 9.0.4
9.0.2303 and below
8.1.14
8.2.11
9.0.5
9.0.2303.100
Splunk Web
Splunk Web
Splunk Web
Splunk Web
A low-privileged user who holds the ‘user’ role can see the hashed version of the initial user name and password for the Splunk instance by using the ‘rest’ SPL command against the ‘conf-user-seed’ REST endpoint.For Splunk Enterprise, upgrade versions to 8.1.14, 8.2.11, 9.0.5, or higher. For Splunk Cloud Platform, Splunk is actively patching and monitoring the Splunk Cloud instances.N/ASplunk rated the vulnerability as Medium, 4.3, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N If the initial admin password has been changed, then there is no impact and the severity is Informational. Anton (therceman)
SVD-2023-06032023-06-012023-06-01 HTTP Response Splitting via the ‘rest’ SPL CommandHigh CVE-2023-32708CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H7.2CWE-113SPL-235203 Splunk Enterprise 8.1
Splunk Enterprise 8.2
Splunk Enterprise 9.0
Splunk Cloud Platform
8.1.14
8.2.11
9.0.5
9.0.2303.100
8.1.0 to 8.1.13
8.2.0 to 8.2.10
9.0.0 to 9.0.4
9.0.2303 and lower
8.1.14
8.2.11
9.0.5
9.0.2303.100
Splunk Web
Splunk Web
Splunk Web
Splunk Web
A low-privileged user can trigger an HTTP response splitting vulnerability with the ‘rest’ SPL command that lets them potentially access other REST endpoints in the system arbitrarily, including viewing restricted content.For Splunk Enterprise, upgrade versions to 9.0.5, 8.2.11, 8.1.14, or higher. For Splunk Cloud Platform, Splunk is monitoring and patching affected instances.For Splunk Enterprise, limit the number of searches a process can run by editing the limits.conf configuration file and giving the 'max_searches_per_process' setting a value of either 1 or 0. For Splunk Cloud Platform, file a support ticket to adjust this configuration setting.Splunk rated the vulnerability as High, 7.2, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. Danylo Dmytriiev (DDV_UA)
SVD-2023-06022023-06-012023-06-01 ‘edit_user’ Capability Privilege EscalationHigh CVE-2023-32707CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H8.8CWE-285SPL-232088 Splunk Enterprise 8.1
Splunk Enterprise 8.2
Splunk Enterprise 9.0
Splunk Cloud Platform
8.1.14
8.2.11
9.0.5
9.0.2303.100
8.1.0 to 8.1.13
8.2.0 to 8.2.10
9.0.0 to 9.0.4
9.0.2303 and below
8.1.14
8.2.11
9.0.5
9.0.2303.100
Splunk Web
Splunk Web
Splunk Web
Splunk Web
A low-privileged user who holds a role that has the ‘edit_user’ capability assigned to it can escalate their privileges to that of the admin user by providing a specially crafted web request. This is because the ‘edit_user’ capability does not honor the ‘grantableRoles’ setting in the authorize.conf configuration file, which prevents this scenario from happening.For Splunk Enterprise, upgrade versions to 9.0.5, 8.2.11, 8.1.14, or higher. For Splunk Cloud Platform, Splunk is actively patching and monitoring the Splunk Cloud instances.Confirm that no role, other than the admin role or its equivalent, has the ‘edit_user’ capability assigned to it. Confirm that you neither assign the ‘edit_user’ capability to a role from which other roles inherit, nor that you assign a role with the capability to a user with low or no privileges.Splunk rated the vulnerability as High, 8.8, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. Mr Hack (try_to_hack) Santiago Lopez
SVD-2023-06012023-06-012023-06-01 Denial Of Service due to Untrusted XML Tag in XML Parser within SAML AuthenticationHigh CVE-2023-32706CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H7.7CWE-611SPL-224292 Splunk Enterprise 8.1
Splunk Enterprise 8.2
Splunk Enterprise 9.0
Splunk Cloud Platform 9.0.2303 and below
8.1.14
8.2.11
9.0.5
9.0.2303.100
8.1.0 to 8.1.13
8.2.0 to 8.2.10
9.0.0 to 9.0.4

8.1.14
8.2.11
9.0.5
9.0.2303.100
Splunk Web
Splunk Web
Splunk Web
Splunk Web
An unauthenticated attacker can send specially-crafted messages to the XML parser within SAML authentication to cause a denial of service in the Splunk daemon. This happens when an incorrectly configured XML parser receives XML input that contains a reference to an entity expansion. Many recursive references to entity expansions can cause the XML parser to use all available memory on the machine, causing the Splunk daemon to crash or be terminated by the operating system.For Splunk Enterprise, upgrade versions to 8.1.14, 8.2.11, 9.0.5, or higher. For Splunk Cloud Platform, Splunk is actively patching and monitoring the Splunk Cloud instances.Disable single sign-on using SAML as an authentication scheme (SAML SSO). For more information on this type of configuration, see [Configure single sign-on with SAML](https://docs.splunk.com/Documentation/SplunkCloud/latest/Security/HowSAMLSSOworks) in the Splunk documentation.Splunk rated the vulnerability as High, 7.7 with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H. If the Splunk Enterprise instance does not use SAML SSO for authentication, there is no impact and the severity is Informational. Vikram Ashtaputre, Splunk
SVD-2023-02152023-02-142023-02-14 February Third Party Package Updates in Splunk EnterpriseHigh---- Splunk Enterprise 8.1
Splunk Enterprise 8.2
Splunk Enterprise 9.0
Splunk Cloud Platform -
8.1.13
8.2.10
9.0.4
9.0.2209.3
8.1.12 and lower
8.2.0 to 8.2.9
9.0.0 to 9.0.3
9.0.2209 and lower
8.1.13
8.2.10
9.0.4
9.0.2209.3
-
-
-
-
CVE-2021-21419 - Python 2.7, eventlet - Upgraded to 2.7.18.4 - Informational -
CVE-2021-28957 - Python 2.7, lxml - Upgraded to 2.7.18.4 - Medium -
CVE-2022-24785 - Moment.js - Upgraded to 2.29.4 - High -
CVE-2022-31129 - Moment.js - Upgraded to 2.29.4 - High -
CVE-2022-32212 - Node.js - Applied patch - High -
CVE-2015-20107 - Python 3.7 - Applied patch - Informational -
CVE-2021-3517 - Libxml2 - Applied patch - High -
CVE-2021-3537 - Libxml2 - Applied patch - Medium -
CVE-2021-3518 - Libxml2 - Applied patch - High -
SVD-2023-02142023-02-142023-02-14 Splunk Response to the Apache Software Foundation Publishing a Vulnerability on Apache Commons Text (CVE-2022-42889) (Text4Shell)Informational---- CVE-2022-42889 - - - -
SVD-2023-02132023-02-142023-02-14 Modular Input REST API Requests Connect via HTTP after Certificate Validation Failure in Splunk Add-on Builder and Splunk CloudConnect SDKMedium CVE-2023-22943CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N4.8CWE-636ADDON-58725 Splunk Add-on Builder 4.1
Splunk CloudConnect SDK 3.1
4.1.2
3.1.3
4.1.1 and lower
3.1.2 and lower
4.1.2
3.1.3
cloudconnectlib
-
Chris Green
SVD-2023-02122023-02-142023-02-14 Cross-Site Request Forgery in the ‘ssg/kvstore_client’ REST Endpoint in Splunk EnterpriseMedium CVE-2023-22942CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L5.4CWE-352SPL-232619 Splunk Enterprise 8.1
Splunk Enterprise 8.2
Splunk Enterprise 9.0
8.1.13
8.2.10
9.0.4
8.1.12 and lower
8.2.0 to 8.2.9
9.0.0 to 9.0.3
8.1.13
8.2.10
9.0.4
Splunk Web
Splunk Web
Splunk Web
Anton (therceman)
SVD-2023-02112023-02-142023-02-14 Improperly Formatted ‘INGEST_EVAL’ Parameter Crashes Splunk DaemonMedium CVE-2023-22941CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H6.5CWE-248SPL-232645 Splunk Enterprise 8.1
Splunk Enterprise 8.2
Splunk Enterprise 9.0
Splunk Cloud Platform -
8.1.13
8.2.10
9.0.4
9.0.2212
8.1.12 and lower
8.2.0 to 8.2.9
9.0.0 to 9.0.3
9.0.2209 and lower
8.1.13
8.2.10
9.0.4
9.0.2212
Splunk Web
Splunk Web
Splunk Web
Splunk Web
James Ervin, Splunk
SVD-2023-02102023-02-142023-02-14 SPL Command Safeguards Bypass via the ‘collect’ SPL Command Aliases in Splunk EnterpriseMedium CVE-2023-22940CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N6.3CWE-20SPL-232369 Splunk Enterprise 8.1
Splunk Enterprise 8.2
Splunk Enterprise 9.0
Splunk Cloud Platform -
8.1.13
8.2.10
9.0.4
9.0.2212
8.1.12 and lower
8.2.0 to 8.2.9
9.0.0 to 9.0.3
9.0.2209 and lower
8.1.13
8.2.10
9.0.4
9.0.2212
Splunk Web
Splunk Web
Splunk Web
Splunk Web
James Ervin, Splunk
SVD-2023-02092023-02-142023-02-14 SPL Command Safeguards Bypass via the ‘map’ SPL Command in Splunk EnterpriseHigh CVE-2023-22939CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N8.1CWE-20SPL-230588 Splunk Enterprise 8.1
Splunk Enterprise 8.2
Splunk Enterprise 9.0
Splunk Cloud Platform -
8.1.13
8.2.10
9.0.4
9.0.2209.3
8.1.12 and lower
8.2.0 to 8.2.9
9.0.0 to 9.0.3
9.0.2209 and lower
8.1.13
8.2.10
9.0.4
9.0.2209.3
Splunk Web
Splunk Web
Splunk Web
Splunk Web
Klevis Luli, Splunk
SVD-2023-02082023-02-142023-02-14 Permissions Validation Failure in the ‘sendemail’ REST API Endpoint in Splunk EnterpriseMedium CVE-2023-22938CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N4.3CWE-285SPL-229337 Splunk Enterprise 8.1
Splunk Enterprise 8.2
Splunk Enterprise 9.0
Splunk Cloud Platform -
8.1.13
8.2.10
9.0.4
9.0.2212
8.1.12 and lower
8.2.0 to 8.2.9
9.0.0 to 9.0.3
9.0.2209 and lower
8.1.13
8.2.10
9.0.4
9.0.2212
Splunk Web
Splunk Web
Splunk Web
Splunk Web
James Ervin, Splunk
SVD-2023-02072023-02-142023-02-14 Unnecessary File Extensions Allowed by Lookup Table Uploads in Splunk EnterpriseMedium CVE-2023-22937CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N4.3CWE-20SPL-229185 Splunk Enterprise 8.1
Splunk Enterprise 8.2
Splunk Enterprise 9.0
Splunk Cloud Platform -
8.1.13
8.2.10
9.0.4
9.0.2209.3
8.1.12 and lower
8.2.0 to 8.2.9
9.0.0 to 9.0.3
9.0.2209 and lower
8.1.13
8.2.10
9.0.4
9.0.2209.3
Splunk Web
Splunk Web
Splunk Web
Splunk Web
SVD-2023-02062023-02-142023-02-14 Authenticated Blind Server Side Request Forgery via the ‘search_listener’ Search Parameter in Splunk EnterpriseMedium CVE-2023-22936CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L6.3CWE-918SPL-228937 Splunk Enterprise 8.1
Splunk Enterprise 8.2
Splunk Enterprise 9.0
Splunk Cloud Platform -
8.1.13
8.2.10
9.0.4
9.0.2209.3
8.1.12 and lower
8.2.0 to 8.2.9
9.0.0 to 9.0.3
9.0.2209 and lower
8.1.13
8.2.10
9.0.4
9.0.2209.3
Splunk Web
Splunk Web
Splunk Web
Splunk Web
Danylo Dmytriiev (DDV_UA)
SVD-2023-02052023-02-142023-02-14 SPL Command Safeguards Bypass via the ‘display.page.search.patterns.sensitivity’ Search Parameter in Splunk EnterpriseHigh CVE-2023-22935CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N8.1CWE-20SPL-228738 Splunk Enterprise 8.1
Splunk Enterprise 8.2
Splunk Enterprise 9.0
Splunk Cloud Platform -
8.1.13
8.2.10
9.0.4
9.0.2209.3
8.1.12 and lower
8.2.0 to 8.2.9
9.0.0 to 9.0.3
9.0.2209 and lower
8.1.13
8.2.10
9.0.4
9.0.2209.3
Splunk Web
Splunk Web
Splunk Web
Splunk Web
Anton (therceman)
SVD-2023-02042023-02-142023-02-14 SPL Command Safeguards Bypass via the ‘pivot’ SPL Command in Splunk EnterpriseHigh CVE-2023-22934CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N7.3CWE-20SPL-228734 Splunk Enterprise 8.1
Splunk Enterprise 8.2
Splunk Enterprise 9.0
Splunk Cloud Platform -
8.1.13
8.2.10
9.0.4
9.0.2209.3
8.1.12 and lower
8.2.0 to 8.2.9
9.0.0 to 9.0.3
9.0.2209 and lower
8.1.13
8.2.10
9.0.4
9.0.2209.3
Splunk Web
Splunk Web
Splunk Web
Splunk Web
Anton (therceman)
SVD-2023-02032023-02-142023-02-14 Persistent Cross-Site Scripting through the ‘module’ Tag in a View in Splunk EnterpriseHigh CVE-2023-22933CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H8.0CWE-79SPL-228264 Splunk Enterprise 8.1
Splunk Enterprise 8.2
Splunk Enterprise 9.0
Splunk Cloud Platform -
8.1.13
8.2.10
9.0.4
9.0.2209
8.1.12 and lower
8.2.0 to 8.2.9
9.0. to 9.0.3
9.0.2208 and lower
8.1.13
8.2.10
9.0.4
9.0.2209
Splunk Web
Splunk Web
Splunk Web
Splunk Web
Danylo Dmytriiev (DDV_UA)
SVD-2023-02022023-02-142023-02-14 Persistent Cross-Site Scripting through a Base64-encoded Image in a View in Splunk EnterpriseHigh CVE-2023-22932CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N8.0CWE-79SPL-232819 Splunk Enterprise 8.1
Splunk Enterprise 8.2
Splunk Enterprise 9.0
Splunk Cloud Platform
-
-
9.0.4
9.0.2209.3
Not affected
Not affected
9.0.0 to 9.0.3
9.0.2209 and lower
-
-
9.0.4
9.0.2209.3
-
-
Splunk Web
Splunk Web
Tim Coen (foobar7)
SVD-2023-02012023-02-142023-02-14 ‘createrss’ External Search Command Overwrites Existing RSS Feeds in Splunk EnterpriseMedium CVE-2023-22931CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N4.3CWE-285SPL-216628 Splunk Enterprise 8.1
Splunk Enterprise 8.2
Splunk Enterprise 9.0
Splunk Cloud Platform -
8.1.13
8.2.10
-
8.2.2203
8.1.12 and lower
8.2.0 to 8.2.9
Not affected
8.2.2202 and lower
8.1.13
8.2.10
-
8.2.2203
Search
Search
-
Search
James Ervin, Splunk
SVD-2022-11132022-11-022023-02-14 November Third Party Package updates in Splunk EnterpriseHigh Splunk Enterprise 8.1
Splunk Enterprise 8.2
Splunk Enterprise 9.0
Splunk Cloud Platform -
8.1.12
8.2.9
9.0.2
9.0.2209
8.1.11 and lower
8.2.0 to 8.2.8
9.0.0 to 9.0.1
9.0.2208 and lower
8.1.12
8.2.9
9.0.2
9.0.2209
-
-
-
-
CVE-2020-36518 - jackson-databind - Upgraded to 2.13.2.1 - High -
CVE-2021-32036 - mongodb - Updgraded to 4.2.19 or 4.2.17-v4 - Medium -
SVD-2022-11122022-11-022022-11-02 Indexing blockage via malformed data sent through S2S or HEC protocols in Splunk EnterpriseHigh CVE-2022-43572CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H7.5, HighCWE-400SPL-224974 Splunk Enterprise 8.1
Splunk Enterprise 8.2
Splunk Enterprise 9.0
Splunk Cloud Platform
8.1.12
8.2.9
9.0.2
9.0.2209.3
8.1.11 and lower
8.2.0 to 8.2.8
9.0.0 to 9.0.1
9.0.2209 and lower
8.1.12
8.2.9
9.0.2
9.0.2209.3
Indexing
Indexing
Indexing
Indexing
SVD-2022-11112022-11-022022-11-02 Remote Code Execution through dashboard PDF generation component in Splunk EnterpriseHigh CVE-2022-43571CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H8.8, HighCWE-94SPL-228720 Splunk Enterprise 8.1
Splunk Enterprise 8.2
Splunk Enterprise 9.0
Splunk Cloud Platform
8.1.12
8.2.9
9.0.2
9.0.2209
8.1.11 and lower
8.2.0 to 8.2.8
9.0.0 to 9.0.1
9.0.2208 and lower
8.1.12
8.2.9
9.0.2
9.0.2209




Danylo Dmytriiev (DDV_UA)
SVD-2022-11102022-11-022022-11-02 XML External Entity Injection through a custom View in Splunk EnterpriseHigh CVE-2022-43570CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H8.8, HighCWE-611SPL-228310 Splunk Enterprise 8.1
Splunk Enterprise 8.2
Splunk Enterprise 9.0
Splunk Cloud Platform
8.1.12
8.2.9
9.0.2
9.0.2209
8.1.11 and lower
8.2.0 to 8.2.8
9.0.0 to 9.0.1
9.0.2208 and lower
8.1.12
8.2.9
9.0.2
9.0.2209
Splunk Web
Splunk Web
Splunk Web
Splunk Web
Danylo Dmytriiev (DDV_UA)
SVD-2022-11092022-11-022022-11-02 Persistent Cross-Site Scripting via a Data Model object name in Splunk EnterpriseHigh CVE-2022-43569CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H8.0, HighCWE-79SPL-228087 Splunk Enterprise 8.1
Splunk Enterprise 8.2
Splunk Enterprise 9.0
Splunk Cloud Platform
8.1.12
8.2.9
9.0.2
9.0.2209
8.1.11 and lower
8.2.0 to 8.2.8
9.0.0 to 9.0.1
9.0.2208 and lower
8.1.12
8.2.9
9.0.2
9.0.2209
Splunk Web
Splunk Web
Splunk Web
Splunk Web
Danylo Dmytriiev (DDV_UA)
SVD-2022-11082022-11-022022-11-02 Reflected Cross-Site Scripting via the radio template in Splunk EnterpriseHigh CVE-2022-43568CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H8.8, HighCWE-79SPL-228379 Splunk Enterprise 8.1
Splunk Enterprise 8.2
Splunk Enterprise 9.0
Splunk Cloud Platform
8.1.12
8.2.9
9.0.2
9.0.2205
8.1.11 and lower
8.2.0 to 8.2.8
9.0.0 to 9.0.1
9.0.2203.4 and lower
8.1.12
8.2.9
9.0.2
9.0.2205
Splunk Web
Splunk Web
Splunk Web
Splunk Web
Danylo Dmytriiev (DDV_UA)
SVD-2022-11072022-11-022022-11-02 Remote Code Execution via the Splunk Secure Gateway application Mobile Alerts featureHigh CVE-2022-43567CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H8.8, HighCWE-502SPL-226837 Splunk Enterprise 8.1
Splunk Enterprise 8.2
Splunk Enterprise 9.0
Splunk Cloud Platform Splunk Secure Gateway
8.1.12
8.2.9
9.0.2
9.0.2205
8.1.11 and lower
8.2.0 to 8.2.8
9.0.0 to 9.0.1
9.0.2203.4 and lower
8.1.12
8.2.9
9.0.2
9.0.2205
Splunk Secure Gateway
Splunk Secure Gateway
Splunk Secure Gateway
Splunk Web
Danylo Dmytriiev (DDV_UA)
SVD-2022-11062022-11-022022-11-02 Risky command safeguards bypass via Search ID query in Analytics Workspace in Splunk EnterpriseHigh CVE-2022-43566CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N7.3, HighCWE-20SPL-223730 Splunk Enterprise 8.1
Splunk Enterprise 8.2
Splunk Enterprise 9.0
Splunk Cloud Platform
8.1.12
8.2.9
9.0.2
9.0.2208
8.1.11 and lower
8.2.0 to 8.2.8
9.0.0 to 9.0.1
9.0.2205 and lower
8.1.12
8.2.9
9.0.2
9.0.2208
Splunk Web
Splunk Web
Splunk Web
Splunk Web
Anton (therceman)
SVD-2022-11052022-11-022022-11-02 Risky command safeguards bypass via ‘tstats’ command JSON in Splunk EnterpriseHigh CVE-2022-43565CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N8.1, HighCWE-20SPL-224121 Splunk Enterprise 8.1
Splunk Enterprise 8.2
Splunk Enterprise 9.0
Splunk Cloud Platform
8.1.12
8.2.9

9.0.2203
8.1.11 and lower
8.2.0 to 8.2.8
Not affected
9.0.2202 and lower
8.1.12
8.2.9

9.0.2203
Search
Search

Search
Cuong Dong at Splunk
SVD-2022-11042022-11-022022-11-02 Denial of Service in Splunk Enterprise through search macrosMedium CVE-2022-43564CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H4.9, MediumCWE-400SPL-220964 Splunk Enterprise 8.1
Splunk Enterprise 8.2
Splunk Enterprise 9.0
Splunk Cloud Platform
8.1.12
8.2.9

9.0.2205
8.1.11 and lower
8.2.0 to 8.2.8
Not affected
9.0.2203.4 and lower
8.1.12
8.2.9

9.0.2205
REST API
REST API

REST API
SVD-2022-11032022-11-022022-11-11 Risky command safeguards bypass via 'rex' search command field names in Splunk EnterpriseHigh CVE-2022-43563CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N8.1, HighCWE-20SPL-223646 Splunk Enterprise 8.1
Splunk Enterprise 8.2
Splunk Enterprise 9.0
Splunk Cloud Platform
8.1.12
8.2.9

9.0.2203
8.1.11 and lower
8.2.0 to 8.2.8
Not affected
9.0.2202 and lower
8.1.12
8.2.9

9.0.2203
Search
Search

Search
Cuong Dong at Splunk
SVD-2022-11022022-11-022022-11-02 Host Header Injection in Splunk EnterpriseLow CVE-2022-43562CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N3.0, LowCWE-20SPL-224156 Splunk Enterprise 8.1
Splunk Enterprise 8.2
Splunk Enterprise 9.0
Splunk Cloud Platform
8.1.12
8.2.9
9.0.2
9.0.2208
8.1.11 and lower
8.2.0 to 8.2.8
9.0.0 to 9.0.1
9.0.2205 and lower
8.1.12
8.2.9
9.0.2
9.0.2208
Splunk Web
Splunk Web
Splunk Web
Splunk Web
Ali Mirheidari at Splunk
SVD-2022-11012022-11-022022-11-02 Persistent Cross-Site Scripting in “Save Table” Dialog in Splunk EnterpriseMedium CVE-2022-43561CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H6.4, MediumCWE-79SPL-207040 Splunk Enterprise 8.1
Splunk Enterprise 8.2
Splunk Enterprise 9.0
Splunk Cloud Platform
8.1.12
8.2.9
9.0.2
9.0.2208
8.1.11 and lower
8.2.0 to 8.2.7=8
9.0.0 to 9.0.1
9.0.2205 and lower
8.1.12
8.2.9
9.0.2
9.0.2208
Splunk Web
Splunk Web
Splunk Web
Splunk Web
Mr Hack (try_to_hack)
SVD-2022-11142022-11-012022-11-01 Splunk’s response to OpenSSL’s CVE-2022-3602 and CVE-2022-3786High Splunk Enterprise
Universal Forwarders
Splunk Cloud Platform
Splunk Observatibility Platform
SOAR Cloud
SOAR
SOAR Automation Broker
Enterprise Security
Splunk Security Essentials
IT Service Intelligence
Splunk UBA
Data Stream Processor
Splunk Addon for Active Directory
Splunk Addon for Add-on for Infrastructure
Splunk Addon for Add-on for Microsoft Exchange
Splunk Addon for Add-on for VMware
Splunk Addon for Amazon Kinesis Firehose
Splunk Addon for Amazon Web Services
Splunk Addon for Apache Web Server
Splunk Addon for Bit9 Carbon Black
Splunk Addon for Blue Coat ProxySG
Splunk Addon for BMC Remedy
Splunk Addon for Box
Splunk Addon for Bromium
Splunk Addon for Check Point OPSEC LEA
Splunk Addon for Cisco ASA
Splunk Addon for Cisco ESA
Splunk Addon for Cisco FireSIGHT
Splunk Addon for Cisco Identity Services
Splunk Addon for Cisco UCS
Splunk Addon for Citrix NetScaler
Splunk Addon for CyberArk
Splunk Addon for F5 BIG-IP
Splunk Addon for Forcepoint Web Security
Splunk Addon for Google Cloud Platform
Splunk Addon for HAProxy
Splunk Addon for IBM WebSphere Application Server
Splunk Addon for Imperva SecureSphere WAF
Splunk Addon for Infoblox
Splunk Addon for ISC BIND
Splunk Addon for ISC DHCP
Splunk Addon for Java Management Extensions
Splunk Addon for JBoss
Splunk Addon for Juniper
Splunk Addon for Kafka
Splunk Addon for Linux
Splunk Addon for McAfee
Splunk Addon for McAfee Web Gateway
Splunk Addon for Microsoft Cloud Services
Splunk Addon for Microsoft Hyper-V
Splunk Addon for Microsoft IIS
Splunk Addon for Microsoft Office 365
Splunk Addon for Microsoft SQL Server
Splunk Addon for Microsoft Windows
Splunk Addon for MySQL
Splunk Addon for Nagios Core
Splunk Addon for NGINX
Splunk Addon for OPC
Splunk Addon for Oracle Database
Splunk Addon for OSSEC
Splunk Addon for RSA DLP
Splunk Addon for RSA SecurID
Splunk Addon for Salesforce
Splunk Addon for ServiceNow
Splunk Addon for Sophos
Splunk Addon for Squid Proxy
Splunk Addon for Stream Addon for Wire Data
Splunk Addon for Symantec DLP
Splunk Addon for Symantec Endpoint Protection
Splunk Addon for Tomcat
Splunk Addon for Unix and Linux
Splunk Addon for Websense DLP
Splunk Addon for Zeek
Splunk App for AWS
Splunk App for Common Information Model (CIM)
Splunk App for DB Connect
Splunk App for DB Connect - Older Unsupported versions
Splunk App for Info Sec
Splunk App for InfoSec App for Splunk
Splunk App for Infrastructure
Splunk App for IT Essentials Learn
Splunk App for IT Essentials Work
Splunk App for Machine Learning Toolkit (MLTK) and Python for Scientific Computing (PSC)
Splunk App for Microsoft Exchange
Splunk App for NetApp Data ONTAP
Splunk App for PCI Compliance
Splunk App for Security Essentials
Splunk App for Splunk Product Guidance
Splunk App for Stream
Splunk App for Unix and Linux
Splunk App for VMware
Splunk App for Windows
Splunk App for Windows Infrastructure
Splunk Add-on Builder
Splunk AppInspect
Splunk SDKs
Splunk Logging Library for Java
Security Analytics for AWS
Splunk Add-on for VMware Metrics
Splunk App for Content Packs
Splunk App for Infrastructure (SAI)
Splunk App for Mint
Splunk Application Performance Monitoring
Splunk Assist
Splunk Augmented Reality
Splunk Cloud Data Manager (SCDM)
Splunk Cloud Developer Edition
Splunk Connect for Kafka
Splunk Connect for Kubernetes
Splunk Connect for Kubernetes-OpenTelemetry
Splunk Connect for SNMP
Splunk Connect for Syslog
Splunk DB TA LAR
Splunk Edge Hub
Splunk Enterprise Amazon Machine Image (AMI)
Splunk Enterprise Docker Container
Splunk Infrastructure Monitoring
Splunk Log Observer
Splunk Mint Android SDK
Splunk Mint IOS SDK
Splunk Mint Management console
Splunk Mobile
Splunk Network Performance Monitoring
Splunk On-Call/Victor Ops/SSA
Splunk OVA for VMware
Splunk OVA for VMWare Metrics
Splunk Profiling
Splunk Real User Monitoring
Splunk Secure Gateway
Behavioral Analytics
Splunk Stream Forwarder
Splunk Synthetics
Splunk TV
Splunk UBA OVA Software
Splunk VMWare OVA for ITSI







































































































































Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected
Not affected














































































































































































































































































CVE-2022-3602 - OpenSSL - NA - High -
CVE-2022-3786 - OpenSSL - NA - High -
SVD-2022-08042022-08-162023-03-08 August Third Party Package updates in Splunk Enterprise and Universal ForwardersMedium Universal Forwarder 8.1
Universal Forwarder 8.2
Universal Forwarder 9.0
Splunk Enterprise 8.1
Splunk Enterprise 8.2
Splunk Enterprise 9.0
Splunk Cloud Platform
8.1.11
8.2.7.1
9.0.1
8.1.11
8.2.7.1
9.0.1
9.0.2205
8.1.10 and lower
8.2.0 to 8.2.7
9.0.0
8.1.10 and lower
8.2.0 to 8.2.7
9.0.0
8.2.2203.4 and lower
8.1.11
8.2.7.1
9.0.1
8.1.11
8.2.7.1
9.0.1
9.0.2205
-
-
-
-
-
-
-
CVE-2022-2068 - OpenSSL1.0.2 - Upgraded to OpenSSL 1.0.2zf - Informational -
CVE-2021-3541 - libxml2 - Applied patch - Medium -
CVE-2022-29824 - libxml2 - Applied patch - Medium -
CVE-2022-23308 - libxml2 - Applied patch - Informational -
SVD-2022-08032022-08-162022-08-16 Malformed ZIP file crashes Universal Forwarders and Splunk Enterprise through file monitoring inputMedium CVE-2022-37439CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H5.5CWE-409TBD Universal Forwarder 8.1
Universal Forwarder 8.2
Universal Forwarder 9.0
Splunk Enterprise 8.1
Splunk Enterprise 8.2
Splunk Enterprise 9.0
8.1.11
8.2.7.1
-
8.1.11
8.2.7.1
-
8.1.10 and lower
8.2.0 to 8.2.7
Not affected
8.1.10 and lower
8.2.0 to 8.2.7
Not affected
8.1.11
8.2.7.1
-
8.1.11
8.2.7.1
-
Monitor Processor
Monitor Processor
-
Monitor Processor
Monitor Processor
-
Tim Ip at Adobe and Collegiate Penetration Testing Competition (CPTC)
SVD-2022-08022022-08-162022-08-16 Information disclosure via the dashboard drilldown in Splunk EnterpriseLow CVE-2022-37438CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N2.6CWE-200SPL-221531 Splunk Enterprise 8.1
Splunk Enterprise 8.2
Splunk Enterprise 9.0
Splunk Cloud Platform
8.1.11
8.2.7.1
9.0.1
9.0.2205
8.1.10 and lower
8.2.0 to 8.2.7
9.0.0
8.2.2203.4 and lower
8.1.11
8.2.7.1
9.0.1
9.0.2205
Splunk Web
Splunk Web
Splunk Web
Splunk Web
Eric LaMothe at Splunk
SVD-2022-08012022-08-162022-08-16 Ingest Actions UI in Splunk Enterprise 9.0.0 disabled TLS certificate validationHigh CVE-2022-37437CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N7.4CWE-295SPL-224209 Splunk Enterprise 8.1
Splunk Enterprise 8.2
Splunk Enterprise 9.0
-
-
9.0.1
Not affected
Not affected
9.0.0
-
-
9.0.1
-
-
Ingest Actions
Eric LaMothe at Splunk
Ali Mirheidari at Splunk
SVD-2022-06082022-08-162022-07-18 Splunk Enterprise deployment servers allow client publishing of forwarder bundlesCritical CVE-2022-32158CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H9.0CWE-284SPL-176829 Splunk Enterprise 8.1
Splunk Enterprise 8.2
Splunk Enterprise 9.0
8.1.10.1
8.2.6.1
-
Versions before 8.1.10.1
8.2.0 to 8.2.6
Not affected
8.1.10.1
8.2.6.1
-
Deployment Server
Deployment Server
-
Nadim Taha at Splunk
SVD-2022-06072022-08-162022-07-18 Splunk Enterprise deployment servers allow unauthenticated forwarder bundle downloadsHigh CVE-2022-32157CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N7.5CWE-306SPL-176828 Splunk Enterprise 9.0
9.0.0
Versions before 9.0
9.0.0
Deployment Server
Nadim Taha at Splunk
Paul Schultze at E.ON Digital Technology GmbH
Martin Müller at Consist
SVD-2022-06062022-06-142022-07-18 Splunk Enterprise and Universal Forwarder CLI connections lacked TLS certificate validationHigh CVE-2022-32156CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N7.4CWE-295SPL-49451 Splunk Enterprise 9.0
Universal Forwarder 9.0
9.0.0
9.0.0
Versions before 9.0
Versions before 9.0
9.0.0
9.0.0
-
-
Chris Green at Splunk
SVD-2022-06052022-06-142022-06-14 Universal Forwarder management services allow remote login by defaultInfo CVE-2022-32155---SPL-140396 Universal Forwarder 9.0
9.0.0
Versions before 9.0
9.0.0
-
Chris Green at Splunk
SVD-2022-06042022-06-142022-07-18 Risky commands warnings in Splunk Enterprise dashboardsMedium CVE-2022-32154CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N6.8CWE-20SPL-201816 Splunk Enterprise 9.0
Splunk Cloud Platform -
9.0.0
8.1.2106
Versions before 9.0
Versions before 8.1.2106
9.0.0
8.1.2106
-
-
Chris Green at Splunk
Danylo Dmytriiev (DDV_UA)
Anton (therceman)
SVD-2022-06032022-06-142022-07-18 Splunk Enterprise lacked TLS host name certificate validationHigh CVE-2022-32153CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H8.1CWE-297SPL-202894 Splunk Enterprise 9.0
Splunk Cloud Platform -
9.0.0
8.2.2203
Versions before 9.0
Versions before 8.2.2203
9.0.0
8.2.2203
-
-
Chris Green at Splunk
SVD-2022-06022022-06-142022-07-18 Splunk Enterprise lacked TLS certificate validation for Splunk-to-Splunk communication by defaultHigh CVE-2022-32152CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H8.1CWE-295SPL-114067, SPL-138957 Splunk Enterprise 9.0
Splunk Cloud Platform -
9.0.0
8.2.2203
Versions before 9.0
Versions before 8.2.2203
9.0.0
8.2.2203
-
-
Chris Green at Splunk
SVD-2022-06012022-06-142022-07-18 Splunk Enterprise disabled TLS validation using the CA certificate stores in Python 3 libraries by defaultHigh CVE-2022-32151CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N7.4CWE-295SPL-173641, SPL-129677 Splunk Enterprise 9.0
Splunk Cloud Platform -
9.0.0
8.2.2203
Versions before 9.0
Versions before 8.2.2203
9.0.0
8.2.2203
-
-
Chris Green at Splunk
SVD-2022-05072022-05-032022-05-03 Error message discloses internal pathMedium CVE-2022-26070CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N4.3CWE-200SPL-180503 Splunk Enterprise 8.1
8.1.0
Versions below 8.1
8.1.0
Splunk Web
Dipak Prajapati (Lethal)
SVD-2022-05062022-05-032022-05-03 Path Traversal in search parameter results in external content injectionHigh CVE-2022-26889CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H8.8CWE-20SPL-197247 Splunk Enterprise 8.1
Splunk Enterprise 8.2
8.1.2
-
8.1.1 and earlier
Not affected
8.1.2
-
Splunk Web
-
Jason Tsang Mui Chung
SVD-2022-05052022-05-032022-05-03 Reflected XSS in a query parameter of the Monitoring ConsoleHigh CVE-2022-27183CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H8.8CWE-79SPL-201205 Splunk Enterprise 8.1
Splunk Enterprise 8.2
8.1.4
-
8.1.3 and earlier
Not affected
8.1.4
-
Splunk Monitoring Console
-
Danylo Dmytriiev (DDV_UA)
SVD-2022-05042022-05-032022-05-03 Bypass of Splunk Enterprise's implementation of DUO MFAHigh CVE-2021-26253CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H8.1CWE-287SPL-172887 Splunk Enterprise 8.1
Splunk Enterprise 8.2
8.1.6
-
8.1.5 and earlier
Not affected
8.1.6
-
-
-
Sanket Bhimani
SVD-2022-05032022-05-032022-05-03 S2S TcpToken authentication bypass High CVE-2021-31559CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N7.5CWE-288SPL-203370 Splunk Enterprise 8.1
Splunk Enterprise 8.2
8.1.5
8.2.1
8.1.4 and earlier
8.2.0
8.1.5
8.2.1
-
-
Chris Samley at GE
SVD-2022-05022022-05-032022-05-03 Username enumeration through lockout message in REST APIMedium CVE-2021-33845CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N5.3CWE-203SPL-194168 Splunk Enterprise 8.1
Splunk Enterprise 8.2
8.1.7
-
8.1.6 and earlier
Not affected
8.1.7
-
-
-
Kyle Bambrick at Splunk
SVD-2022-05012022-05-032022-05-03 Local privilege escalation via a default path in Splunk Enterprise WindowsHigh CVE-2021-42743CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H8.8CWE-427SPL-195186 Splunk Enterprise 8.1
Splunk Enterprise 8.2
8.1.1
-
8.1.0 and earlier
Not affected
8.1.1
-
-
-
SVD-2022-03012022-03-242022-05-03 Indexer denial-of-service via malformed S2S requestHigh CVE-2021-3422CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H7.5CWE-125SPL-198396 Splunk Enterprise 7.3
Splunk Enterprise 8.0
Splunk Enterprise 8.1
Splunk Enterprise 8.2
7.3.9
8.0.9
8.1.3
-
7.3.8 and earlier
8.0.0 to 8.0.8
8.1.0 to 8.1.2
Not affected
7.3.9
8.0.9
8.1.3
-
-
-
-
-
Sharon Brizinov and Tal Keren of Claroty
SVD-2021-12012021-12-102022-01-07 Splunk Security Advisory for Apache Log4j (CVE-2021-44228, CVE-2021-45046 and others)Critical CVE-2021-44228 - - - -
CVE-2021-45046 - - - -
SP-CAAAQAF2019-02-192019-02-19 Persistent Cross Site Scripting in Splunk Web (SPL-138827, CVE-2019-5727)High-7.3-SPL-138827
SP-CAAAQAD2019-01-142019-01-14 Untrusted TLS server certs verification is not present (CVE-2019-5729)High----
SP-CAAAP5T2018-09-282018-09-28 Splunk Enterprise and Splunk Light address multiple vulnerabilitiesHigh----
SP-CAAAP5E2018-06-182018-06-18 Splunk response to CVE-2018-11409: Information ExposureLow----
SP-CAAAPUE2017-12-152016-12-22 Splunk Enterprise 6.4.5 addresses multiple vulnerabilities----SPL-129207, SPL-128812
SP-CAAAP3M2017-11-272017-11-27 Splunk response to Potential Local Privilege Escalation through instructions to run Splunk as non-root userHigh----
SP-CAAAP3K2017-11-142017-11-14 Splunk Enterprise 7.0.0.1/7.0.1, 6.6.3.2/6.6.4, 6.5.6, 6.4.9 and 6.3.12 address multiple SAML vulnerabilitiesSplunk Enterprise and Splunk Light address multiple vulnerabilitiesCritical----
SP-CAAAP3H2017-08-212017-08-21 Splunk Enterprise 6.6.3 and Splunk Light 6.6.3 address multiple vulnerabilitiesHigh----
SP-CAAAP2U2017-06-062017-07-24 Splunk Enterprise 6.3.11 and Splunk Light 6.5.3 address one vulnerabilityLow---SPL-135602
SP-CAAAPZ32017-05-052017-05-12 Splunk Enterprise 6.5.3, 6.2.13.1 and Splunk Light 6.5.2 address multiple vulnerabilitiesMedium----
ERP-20412017-05-052017-05-12 Splunk response to Path Traversal vulnerability in Splunk Hadoop Connect AppHigh----
SP-CAAAP2K2017-03-242017-03-24 Splunk Enterprise 6.4.7 and Splunk Light 6.5.3 address multiple vulnerabilitiesMedium---SPL-135650, SPL-137327, SPL-135341
SP-CAAAPYC2017-02-232017-08-07 Splunk Enterprise 6.4.6 and Splunk Light 6.5.2 address one vulnerabilityMedium----
SP-CAAAPW82017-01-252017-01-25 Splunk Enterprise 6.2.13 addresses multiple vulnerabilitiesMedium---SPL-130721, SPL-130279
SP-CAAAPSV2016-11-122016-12-22 Splunk Enterprise 6.5.1 addresses multiple OpenSSL vulnerabilities-----
SP-CAAAPSR2016-11-102017-06-06 Splunk Enterprise 6.5.0, 6.4.4, 6.3.8, 6.2.12, 6.1.12, 6.0.13, and 5.0.17 address multiple vulnerabilitiess-----
SP-CAAAPQ62016-08-222016-08-22 Splunk Enterprise 6.4.3 and Splunk Light 6.4.3 address one vulnerabilityMedium---SPL-117212
SP-CAAAPQM2016-07-282016-07-28 Splunk Enterprise 6.4.2, 6.3.6, 6.2.11, 6.1.11, 6.0.12, 5.0.16 and Splunk Light 6.4.2 address multiple security vulnerabilitiesMedium----
SP-CAAAPN92016-06-062016-06-06 Splunk Enterprise 6.3.5 and Splunk Light 6.3.5 address two vulnerabilitiesMedium----
SP-CAAAPKV2016-04-062016-04-06 Splunk Enterprise 6.3.3.4, 6.2.9. 6.1.10, 6.0.11, and 5.0.15 and Splunk Light 6.3.3.4 and 6.2.9 address multiple vulnerabilitiesMedium----
SP-CAAAPC32015-11-192015-11-19 Splunk response to Path Traversal vulnerability in Splunk Hadoop Connect AppMedium---SPL-106324
SP-CAAAPAM2015-09-142015-09-14 Splunk 4.2.3 addresses two vulnerabilitiesHigh---SPL-104724
SP-CAAAN7C2015-07-072015-07-07 Splunk Enterprise 6.2.4 and Splunk Light 6.2.4 address two vulnerabilitiesMedium---SPL-101718, SPL-100313
SP-CAAAN4P2015-05-272015-05-27 Splunk Enterprise 6.1.8, 6.0.9, and 5.0.13 address multiple vulnerabilitiesLow-2.6-SPL-98351
SP-CAAAN842015-05-112015-10-07 Splunk Enterprise 6.2.5, 6.1.9, 6.0.10, 5.0.14 and Splunk Light 6.2.5 address multiple vulnerabilitiesMedium---SPL-102133, SPL-103044
SP-CAAANZ72015-04-302015-08-13 Splunk Enterprise 6.2.3 and Splunk Light 6.2.3 address five vulnerabilitiesHigh---SPL-98531, SPL-96280, SPL-95798, SPL-95594
SP-CAAANXD2015-03-242015-03-24 Splunk Enterprise 6.2.2 addresses two vulnerabilitiesMedium---SPL-95206, SPL-95205, SPL-95204, SPL-97914, SPL-91660
SP-CAAANV82015-02-232015-02-23 Splunk Enterprise 6.2.2 addresses two vulnerabilitiesHigh---SPL-95203, SPL-93754
SP-CAAANVJ2015-01-282015-01-29 Splunk response to "GHOST" Vulnerability (CVE-2015-0235)High----
SP-CAAANU52015-01-282015-01-29 Splunk response to January 2015 OpenSSL vulnerabilitiesHigh----
SP-CAAANST2014-11-192014-11-19 Splunk Enterprise versions 6.0.7 and 5.0.11 address three vulnerabilities---SPL-91947, SPL-92062, SPL-89216
SP-CAAANR72014-11-112014-11-11 Splunk Enterprise 6.1.5 addresses two vulnerabilities-4.3-SPL-91948, SPL-92061
SP-CAAANKE2014-10-142014-12-23 Splunk response to SSLv3 "POODLE" vulnerability (CVE-2014-3566)-5.4--
SP-CAAANHS2014-09-302014-11-20 Splunk Enterprise 6.1.4 and 5.0.10 address four vulnerabilities---SPL-88585, SPL-88587, SPL-88588, SPL-89216, SPL-85579, SPL-85360
SP-CAAANJN2014-09-292014-09-30 Splunk response to "shellshock" vulnerabilities----
SP-CAAANE22014-09-032014-09-24 Splunk Enterprise 6.0.6 addresses two vulnerabilities---SPL-88587, SPL-85360
SP-CAAAM9H2014-08-042014-08-04 Splunk Enterprise 6.1.3 addresses two vulnerabilities---SPL-85595, SPL-84887
SP-CAAAM2D2014-07-012014-07-01 Splunk 6.0.3 addresses two vulnerabilities---SPL-85063, SPL-85063
SP-CAAAMSH2014-05-092014-05-14 Splunk Enterprise 6.0.4 addresses one vulnerability-3.5-SPL-79922
SP-CAAAMB32014-04-10 Splunk 6.0.3 addresses two vulnerabilities----
SP-CAAAKQX2014-03-282014-03-28 Splunk 5.0.8 addresses one vulnerability-3.5-SPL-74017
SP-CAAAJD52013-12-172014-03-25 Splunk 6.0.1 addresses one vulnerability-7.8-SPL-75668
SP-CAAAJCD2013-11-152013-12-17 Splunk 5.0.6 addresses one vulnerability-3.5-SPL-74327
SP-CAAAH762013-09-232014-03-10 Splunk 5.0.5 addresses one vulnerability---SPL-70250
SP-CAAAH322013-07-292013-07-29 Splunk 5.0.4 addresses one vulnerability-1-SPL-65987
SP-CAAAHXG2013-05-282013-05-28 Splunk 5.0.3 addresses multiple vulnerabilities---SPL-59895, SPL-60250, SPL-61546
SP-CAAAHSQ2013-04-202013-04-20 Splunk 4.3.6 addresses one vulnerability-4.0-SPL-60629
SP-CAAAHB42012-11-162012-11-16 Splunk 4.3.5 and 5.0 address three vulnerabilities---SPL-50671, SPL-5515, SPL-55521
SP-CAAAHDG2012-11-012012-11-01 Splunk 5.0 updates to python 2.7.3, addressing two vulnerabilities----
SP-CAAAGTK2012-03-052012-03-26 Splunk 4.3.1 addresses one vulnerability---SPL-38585
SP-CAAAGMM2011-12-122011-12-20 Splunk 4.2.5 addresses three vulnerabilities---SPL-44614, SPL-45172, SPL-45243
SP-CAAAGGH2011-10-192011-10-19 Splunk 4.2.4 addresses two vulnerabilities---SPL-42471, SPL-42474
SP-CAAAGD32011-08-092011-08-09 Splunk 4.2.3 addresses two vulnerabilities---SPL-40804, SPL-40645
SP-CAAAF722011-06-152011-06-15 Open Redirect in Splunk Web-3.6-SPL-38704
SP-CAAAF5K2011-04-182011-04-18 Reflected XSS with Splunk Web-6.0-SPL-38585
SP-CAAAFW62011-02-102011-2-10 Splunk 4.1.7 addresses five security vulnerabilities---SPL-34355, SPL-35709, SPL-35710, SPL-37226, SPL-37227
SP-CAAAFVU2010-12-012010-12-01 Splunk 4.1.6 updates OpenSSL to 0.9.8p address CVE-2010-3864----
SP-CAAAFQ62010-09-092010-09-09 Splunk 4.1.5 addresses two security vulnerabilities---SPL-31061, SPL-31094
SP-CAAAFHY2010-06-072010-06-07 Cross-site Scripting in Splunk Web with 404 Responses in Internet Explorer-4--
SP-CAAAFGS2010-05-102010-05-10 Vulnerability in example PAM authentication script----
SP-CAAAFGD2010-05-032010-05-03 Splunk Critical Maintenance Release and Patch---SPL-31194, SPL-31063, SPL-31067, SPL-31084, SPL-31084, SPL-31085, SPL-31066