Alex Hordijk

**Name of the Vulnerable Software and Affected Versions** Splunk Enterprise versions prior to 10.2.4 Splunk Enterprise versions prior to 10.0.7 Splunk Cloud Platform versions prior to 10.4.2604.3 Splunk Cloud Platform versions prior to 10.2.2510.14 **Description** An unauthenticated user can create or truncate arbitrary files on a system through a PostgreSQL sidecar service endpoint that lacks authentication controls. This flaw allows network-reachable attackers to invoke file operations without credentials, which can lead to data destruction, service disruption, privilege escalation, or remote code execution (RCE) by overwriting sensitive files or configurations. The issue is particularly prevalent in AWS deployments where the sidecar is enabled by default. Technical details include the use of endpoints such as '/v1/postgres/recovery/backup', '/v1/postgres/recovery/restore', and '/en-US/splunkd/ raw/v1/postgres/recovery/backup'. Attackers can use connection string injection via the `hostaddr` parameter to force an external database connection. By utilizing the `lo export()` function during a malicious SQL restore, attackers can write controlled content to critical files, such as the `.pgpass` file or Python scripts like `ssg enable modular input.py()`, to achieve full code execution with Splunk-level privileges. **Recommendations** For Splunk Enterprise versions prior to 10.2.4, update to version 10.2.4 or later. For Splunk Enterprise versions prior to 10.0.7, update to version 10.0.7 or later. For Splunk Cloud Platform versions prior to 10.4.2604.3, update to version 10.4.2604.3 or later. For Splunk Cloud Platform versions prior to 10.2.2510.14, update to version 10.2.2510.14 or later. As a temporary workaround, disable the PostgreSQL sidecar service. Restrict network access to Splunk instances using firewall rules to avoid exposing management ports publicly.

**Name of the Vulnerable Software and Affected Versions** Splunk Enterprise versions prior to 10.2.2 Splunk Enterprise versions prior to 10.0.5 Splunk Enterprise versions prior to 9.4.11 Splunk Enterprise versions prior to 9.3.12 Splunk Cloud Platform versions prior to 10.4.2603.1 Splunk Cloud Platform versions prior to 10.3.2512.9 Splunk Cloud Platform versions prior to 10.2.2510.11 Splunk Cloud Platform versions prior to 10.1.2507.21 Splunk Cloud Platform versions prior to 10.0.2503.13 Splunk Cloud Platform versions prior to 9.3.2411.129 **Description** A low-privileged user without 'admin' or 'power' roles can cause a Denial of Service by exploiting the `coldToFrozen.sh` script within the `splunk archiver` app. The issue stems from missing input validation in the `coldToFrozen.sh` script, which allows the acceptance of arbitrary file paths and the renaming of critical directories, rendering the instance non-functional. **Recommendations** Update Splunk Enterprise to version 10.2.2, 10.0.5, 9.4.11, or 9.3.12 depending on the current release track. Update Splunk Cloud Platform to version 10.4.2603.1, 10.3.2512.9, 10.2.2510.11, 10.1.2507.21, 10.0.2503.13, or 9.3.2411.129 depending on the current release track. As a temporary workaround, restrict access to the `coldToFrozen.sh` script in the `splunk archiver` app.

**Name of the Vulnerable Software and Affected Versions** Splunk Enterprise versions prior to 10.2.0, 10.0.3, 9.4.9, and 9.3.10 Splunk Cloud Platform versions prior to 10.2.2510.5, 10.1.2507.16, 10.0.2503.11, and 9.3.2411.123 **Description** A user with limited privileges, lacking the 'admin' or 'power' Splunk roles, can access the `/splunkd/ raw/servicesNS/-/-/configs/conf-passwords` API endpoint. This endpoint exposes hashed or plaintext password values stored in the `passwords.conf` configuration file due to insufficient access controls. This could lead to the unauthorized disclosure of sensitive credentials. **Recommendations** Splunk Enterprise versions prior to 10.2.0, 10.0.3, 9.4.9, and 9.3.10 should be updated. Splunk Cloud Platform versions prior to 10.2.2510.5, 10.1.2507.16, 10.0.2503.11, and 9.3.2411.123 should be updated.

**Name of the Vulnerable Software and Affected Versions** Splunk Enterprise versions prior to 10.0.1 Splunk Enterprise versions 9.2.8 through 9.4.4 Splunk Cloud Platform versions prior to 9.3.2411.109 Splunk Cloud Platform versions 9.2.2406.122 through 9.3.2408.119 **Description** An unauthenticated attacker could trigger a blind server-side request forgery (SSRF). This could allow an attacker to perform REST API calls on behalf of an authenticated, high-privileged user. Server-side request forgery (SSRF) is a web security vulnerability that allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain of the attacker’s choosing. **Recommendations** Update Splunk Enterprise to version 10.0.1 or later. Update Splunk Enterprise to a version after 9.4.4. Update Splunk Cloud Platform to version 9.3.2411.109 or later. Update Splunk Cloud Platform to a version after 9.3.2408.119 and 9.2.2406.122.

**Name of the Vulnerable Software and Affected Versions** Splunk Enterprise versions prior to 9.3.3 Splunk Enterprise versions prior to 9.2.5 Splunk Enterprise versions prior to 9.1.8 Splunk Cloud Platform versions prior to 9.3.2408.104 Splunk Cloud Platform versions prior to 9.2.2406.108 Splunk Cloud Platform versions prior to 9.2.2403.114 Splunk Cloud Platform versions prior to 9.1.2312.208 **Description** A low-privileged user that does not hold the "admin" or "power" Splunk roles could perform a Remote Code Execution (RCE) through a file upload to the "$SPLUNK HOME/var/run/splunk/apptemp" directory due to missing authorization checks. This issue allows attackers to execute arbitrary code by uploading malicious files. The estimated number of potentially affected devices worldwide is not available. There is no information about real-world incidents where this issue was exploited. **Recommendations** For Splunk Enterprise versions prior to 9.3.3, update to version 9.3.3 or later. For Splunk Enterprise versions prior to 9.2.5, update to version 9.2.5 or later. For Splunk Enterprise versions prior to 9.1.8, update to version 9.1.8 or later. For Splunk Cloud Platform versions prior to 9.3.2408.104, update to version 9.3.2408.104 or later. For Splunk Cloud Platform versions prior to 9.2.2406.108, update to version 9.2.2406.108 or later. For Splunk Cloud Platform versions prior to 9.2.2403.114, update to version 9.2.2403.114 or later. For Splunk Cloud Platform versions prior to 9.1.2312.208, update to version 9.1.2312.208 or later. As a temporary workaround, consider restricting access to the "$SPLUNK HOME/var/run/splunk/apptemp" directory until a patch is available.

Name of the Vulnerable Software and Affected Versions: PAN-OS (affected versions not specified) Description: A blind XML External Entities (XXE) injection vulnerability in the Palo Alto Networks PAN-OS software enables an authenticated attacker to exfiltrate arbitrary files from firewalls to an attacker-controlled server. This attack requires network access to the firewall management interface. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Splunk Enterprise for Windows versions prior to 9.3.1 Splunk Enterprise for Windows versions prior to 9.2.3 Splunk Enterprise for Windows versions prior to 9.1.6 Description: The issue is related to incorrect restriction of the directory path name with limited access. A low-privileged user that does not hold the "admin" or "power" Splunk roles could write a file to the Windows system root directory, which has a default location in the Windows System32 folder, when Splunk Enterprise for Windows is installed on a separate drive. This could potentially lead to arbitrary file writing and remote code execution. Recommendations: For versions prior to 9.3.1, update to version 9.3.1 or later. For versions prior to 9.2.3, update to version 9.2.3 or later. For versions prior to 9.1.6, update to version 9.1.6 or later.

**Name of the Vulnerable Software and Affected Versions** Splunk Enterprise versions prior to 9.2.3 Splunk Enterprise versions prior to 9.1.6 **Description** The issue is related to insecure session storage configuration in Splunk Enterprise for Windows, allowing a low-privileged user without the "admin" or "power" Splunk roles to perform Remote Code Execution (RCE). This is due to deficiencies in the deserialization mechanism of the Splunk Web component. **Recommendations** For versions prior to 9.2.3, update to version 9.2.3 or later. For versions prior to 9.1.6, update to version 9.1.6 or later. As a temporary workaround, consider restricting access to the session storage configuration to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Splunk Enterprise versions prior to 9.2.2 Splunk Enterprise versions prior to 9.1.5 Splunk Enterprise versions prior to 9.0.10 **Description** A low-privileged user that does not hold the admin or power Splunk roles could cause a Remote Code Execution through an external lookup that references the `splunk archiver` application. This issue allows for remote code execution, potentially leading to significant security breaches. **Recommendations** For versions prior to 9.2.2, update to version 9.2.2 or later. For versions prior to 9.1.5, update to version 9.1.5 or later. For versions prior to 9.0.10, update to version 9.0.10 or later. As a temporary workaround, consider restricting access to the `splunk archiver` application until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Splunk Enterprise versions below 9.0.7 and 9.1.2 **Description** The issue is related to the improper sanitization of extensible stylesheet language transformations (XSLT) supplied by users in Splunk Enterprise. This allows an attacker to upload malicious XSLT, potentially resulting in remote code execution on the Splunk Enterprise instance. There are over 120,000 publicly exposed Splunk instances, making them vulnerable to this issue. **Recommendations** For Splunk Enterprise versions below 9.0.7, update to version 9.0.7 or later. For Splunk Enterprise versions below 9.1.2, update to version 9.1.2 or later. As a temporary workaround, consider restricting access to the XSLT functionality until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Palo Alto Networks PAN-OS (affected versions not specified) **Description** A file disclosure issue in the software enables an authenticated read-write administrator with access to the web interface to export local files from the firewall through a race condition. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** GenieACS versions 1.2.x through 1.2.7 **Description** The issue arises from insufficient input validation combined with a missing authorization check in the UI interface API, allowing unauthenticated OS command injection via the `ping host` argument. This is due to vulnerabilities in the `lib/ui/api.ts` and `lib/ping.ts` files. **Recommendations** For GenieACS versions 1.2.x through 1.2.7, update to version 1.2.8 or later to resolve the issue. As a temporary workaround, consider restricting access to the `lib/ui/api.ts` and `lib/ping.ts` files to minimize the risk of exploitation. Avoid using the `ping host` argument in the UI interface API until the issue is resolved.