James Ervin

**Name of the Vulnerable Software and Affected Versions** Splunk Enterprise versions prior to 10.2.0, 10.0.4, 9.4.9, and 9.3.10 Splunk Cloud Platform versions prior to 10.2.2510.5, 10.0.2503.12, 10.1.2507.16, and 9.3.2411.124 **Description** A user with a role containing the `edit cmd` capability can execute arbitrary shell commands. This is possible through the `unarchive cmd` parameter of the `/splunkd/ upload/indexing/preview` REST endpoint. The issue stems from inadequate input sanitization, allowing for remote command execution. **Recommendations** Update Splunk Enterprise to version 10.2.0 or later. Update Splunk Cloud Platform to version 10.2.2510.5 or later. Remove the `edit cmd` capability from user roles if an immediate update is not possible.

**Name of the Vulnerable Software and Affected Versions** Splunk Enterprise versions prior to 8.1.13 Splunk Enterprise versions prior to 8.2.10 **Description** The issue concerns the 'createrss' external search command, which overwrites existing Resource Description Format Site Summary (RSS) feeds without verifying permissions. This feature has been deprecated and disabled by default. **Recommendations** For versions prior to 8.1.13, update to version 8.1.13 or later. For versions prior to 8.2.10, update to version 8.2.10 or later. As a temporary workaround, consider disabling the `createrss` external search command until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Splunk Enterprise versions prior to 8.1.13 Splunk Enterprise versions prior to 8.2.10 Splunk Enterprise versions prior to 9.0.4 **Description** The issue allows any authenticated user to send an email as the Splunk instance through the "sendemail" REST API endpoint. This endpoint is now restricted to the `splunk-system-user` account on the local instance. **Recommendations** For versions prior to 8.1.13, update to version 8.1.13 or later to restrict the "sendemail" REST API endpoint to the `splunk-system-user` account. For versions prior to 8.2.10, update to version 8.2.10 or later to restrict the "sendemail" REST API endpoint to the `splunk-system-user` account. For versions prior to 9.0.4, update to version 9.0.4 or later to restrict the "sendemail" REST API endpoint to the `splunk-system-user` account.

**Name of the Vulnerable Software and Affected Versions** Splunk Enterprise versions prior to 8.1.13 Splunk Enterprise versions prior to 8.2.10 Splunk Enterprise versions prior to 9.0.4 **Description** The issue concerns aliases of the `collect` search processing language (SPL) command, including `summaryindex`, `sumindex`, `stash`, `mcollect`, and `meventcollect`, which were not designated as safeguarded commands. This could potentially allow for the exposing of data to a summary index that unprivileged users could access. The issue requires a higher privileged user to initiate a request within their browser and only affects instances with Splunk Web enabled. **Recommendations** For versions prior to 8.1.13, update to version 8.1.13 or later. For versions prior to 8.2.10, update to version 8.2.10 or later. For versions prior to 9.0.4, update to version 9.0.4 or later.

**Name of the Vulnerable Software and Affected Versions** Splunk Enterprise versions prior to 8.1.13 Splunk Enterprise versions prior to 8.2.10 Splunk Enterprise versions prior to 9.0.4 **Description** An improperly-formatted `INGEST EVAL` parameter in a Field Transformation can cause the Splunk daemon (splunkd) to crash. **Recommendations** For versions prior to 8.1.13, update to version 8.1.13 or later to resolve the issue. For versions prior to 8.2.10, update to version 8.2.10 or later to resolve the issue. For versions prior to 9.0.4, update to version 9.0.4 or later to resolve the issue.