Anton

**Name of the Vulnerable Software and Affected Versions** Splunk Enterprise versions prior to 10.2.0, 10.0.3, 9.4.5, 9.3.7, and 9.2.9 Splunk Cloud Platform versions prior to 10.1.2507.0, 10.0.2503.9, 9.3.2411.112, and 9.3.2408.122 **Description** A user with limited privileges, lacking the 'admin' or 'power' roles within Splunk, may be able to circumvent security measures designed to protect against potentially harmful SPL commands. This occurs when creating a Data Model that incorporates an injected SPL query within an object. The bypass is achieved through a path traversal flaw. **Recommendations** Update Splunk Enterprise to version 10.2.0 or later. Update Splunk Enterprise to version 10.0.3 or later. Update Splunk Enterprise to version 9.4.5 or later. Update Splunk Enterprise to version 9.3.7 or later. Update Splunk Enterprise to version 9.2.9 or later. Update Splunk Cloud Platform to version 10.1.2507.0 or later. Update Splunk Cloud Platform to version 10.0.2503.9 or later. Update Splunk Cloud Platform to version 9.3.2411.112 or later. Update Splunk Cloud Platform to version 9.3.2408.122 or later.

**Name of the Vulnerable Software and Affected Versions** Splunk Enterprise versions prior to 10.0.2 Splunk Enterprise versions 9.2.10 through 9.4.6 Splunk Enterprise versions 9.3.8 Splunk Secure Gateway app versions below 3.7.28 Splunk Secure Gateway app versions 3.8.58 and below Splunk Secure Gateway app versions 3.9.10 **Description** A user with limited privileges, lacking 'admin' or 'power' roles, who is subscribed to mobile push notifications may receive notifications revealing the title and description of reports or alerts they are not authorized to view. This occurs in Splunk Enterprise and the Splunk Secure Gateway app within the Splunk Cloud Platform. **Recommendations** Update Splunk Enterprise to version 10.0.2 or later. Update Splunk Enterprise to version 9.4.6 or later. Update Splunk Enterprise to version 9.3.8 or later. Update Splunk Enterprise to version 9.2.10 or later. Update Splunk Secure Gateway app to version 3.7.28 or later. Update Splunk Secure Gateway app to version 3.8.58 or later. Update Splunk Secure Gateway app to version 3.9.10 or later.

**Name of the Vulnerable Software and Affected Versions** Splunk Enterprise versions prior to 10.0.2, 9.4.6, 9.3.8, and 9.2.10 Splunk Cloud Platform versions prior to 10.1.2507.10, 10.0.2503.8, and 9.3.2411.120 **Description** A user with limited privileges, lacking administrator or power roles, can create a views dashboard with a custom background image using the `data:image/png;base64` protocol. This can lead to an unvalidated redirect, bypassing Splunk’s external URL warning mechanism and potentially redirecting a user to a malicious website. Exploitation requires an attacker to phish a victim into initiating a request within their browser. The authenticated user cannot independently exploit this issue. The vulnerability involves crafting a URL to achieve the redirection. **Recommendations** Update Splunk Enterprise to version 10.0.2 or later. Update Splunk Enterprise to version 9.4.6 or later. Update Splunk Enterprise to version 9.3.8 or later. Update Splunk Enterprise to version 9.2.10 or later. Update Splunk Cloud Platform to version 10.1.2507.10 or later. Update Splunk Cloud Platform to version 10.0.2503.8 or later. Update Splunk Cloud Platform to version 9.3.2411.120 or later.

**Name of the Vulnerable Software and Affected Versions** Splunk Enterprise versions prior to 10.0.1 Splunk Enterprise versions 9.2.9 through 9.4.5 Splunk Cloud Platform versions below 9.3.2411.116 Splunk Cloud Platform versions 9.3.2408.124 and below Splunk Cloud Platform versions below 10.0.2503.5 Splunk Cloud Platform versions below 10.1.2507.1 **Description** A user with limited privileges in Splunk Enterprise and Splunk Cloud Platform may be able to execute commands with higher privileges. This occurs because a low-privileged user, lacking administrative or power roles, can bypass safeguards for risky commands within saved searches. The bypass is achieved through character encoding in the REST path of the `/services/streams/search` endpoint, specifically manipulating the `q` parameter. Successful exploitation requires an attacker to phish a victim into initiating a request within their browser. The authenticated user cannot exploit the issue without being tricked into initiating the request. **Recommendations** Update Splunk Enterprise to version 10.0.1 or later. Update Splunk Enterprise to version 9.4.5 or later. Update Splunk Enterprise to version 9.3.7 or later. Update Splunk Enterprise to version 9.2.9 or later. Update Splunk Cloud Platform to version 9.3.2411.116 or later. Update Splunk Cloud Platform to version 9.3.2408.124 or later. Update Splunk Cloud Platform to version 10.0.2503.5 or later. Update Splunk Cloud Platform to version 10.1.2507.1 or later.

Name of the Vulnerable Software and Affected Versions: Splunk Enterprise versions prior to 9.4.3 Splunk Enterprise versions prior to 9.3.5 Splunk Enterprise versions prior to 9.2.7 Splunk Enterprise versions prior to 9.1.10 Splunk Cloud Platform versions prior to 9.3.2411.104 Splunk Cloud Platform versions prior to 9.3.2408.114 Splunk Cloud Platform versions prior to 9.2.2406.119 Description: The issue allows an unauthenticated attacker to send a specially-crafted SPL search that could change the membership state in a Splunk Search Head Cluster (SHC) through a Cross-Site Request Forgery (CSRF), potentially leading to the removal of the captain or a member of the SHC. The vulnerability requires the attacker to phish the administrator-level victim by tricking them into initiating a request within their browser. Recommendations: For Splunk Enterprise versions prior to 9.4.3, update to version 9.4.3 or later. For Splunk Enterprise versions prior to 9.3.5, update to version 9.3.5 or later. For Splunk Enterprise versions prior to 9.2.7, update to version 9.2.7 or later. For Splunk Enterprise versions prior to 9.1.10, update to version 9.1.10 or later. For Splunk Cloud Platform versions prior to 9.3.2411.104, update to version 9.3.2411.104 or later. For Splunk Cloud Platform versions prior to 9.3.2408.114, update to version 9.3.2408.114 or later. For Splunk Cloud Platform versions prior to 9.2.2406.119, update to version 9.2.2406.119 or later.

Name of the Vulnerable Software and Affected Versions: Splunk Enterprise versions prior to 9.4.3 Splunk Enterprise versions prior to 9.3.5 Splunk Enterprise versions prior to 9.2.7 Splunk Enterprise versions prior to 9.1.10 Description: A low-privileged user without the "admin" or "power" Splunk roles could turn off the scheduled search `Bucket Copy Trigger` within the Splunk Archiver application due to missing access controls in the saved searches for this app. Recommendations: For versions prior to 9.4.3, update to version 9.4.3 or later. For versions prior to 9.3.5, update to version 9.3.5 or later. For versions prior to 9.2.7, update to version 9.2.7 or later. For versions prior to 9.1.10, update to version 9.1.10 or later.

Name of the Vulnerable Software and Affected Versions: Splunk Enterprise versions prior to 9.4.3 Splunk Enterprise versions prior to 9.3.5 Splunk Enterprise versions prior to 9.2.7 Splunk Enterprise versions prior to 9.1.10 Splunk Cloud Platform versions prior to 9.3.2411.104 Splunk Cloud Platform versions prior to 9.3.2408.113 Splunk Cloud Platform versions prior to 9.2.2406.119 Description: An unauthenticated attacker could send a specially-crafted SPL search command that could trigger a rolling restart in the Search Head Cluster through a Cross-Site Request Forgery (CSRF), potentially leading to a denial of service (DoS). The vulnerability requires the attacker to phish the administrator-level victim by tricking them into initiating a request within their browser. Recommendations: For Splunk Enterprise versions prior to 9.4.3, update to version 9.4.3 or later. For Splunk Enterprise versions prior to 9.3.5, update to version 9.3.5 or later. For Splunk Enterprise versions prior to 9.2.7, update to version 9.2.7 or later. For Splunk Enterprise versions prior to 9.1.10, update to version 9.1.10 or later. For Splunk Cloud Platform versions prior to 9.3.2411.104, update to version 9.3.2411.104 or later. For Splunk Cloud Platform versions prior to 9.3.2408.113, update to version 9.3.2408.113 or later. For Splunk Cloud Platform versions prior to 9.2.2406.119, update to version 9.2.2406.119 or later.

Name of the Vulnerable Software and Affected Versions: Splunk Enterprise versions prior to 9.4.2 Splunk Enterprise versions prior to 9.3.5 Splunk Enterprise versions prior to 9.2.6 Splunk Enterprise versions prior to 9.1.9 Splunk Cloud Platform versions prior to 9.3.2411.103 Splunk Cloud Platform versions prior to 9.3.2408.112 Splunk Cloud Platform versions prior to 9.2.2406.119 Description: A low-privileged user without the "admin" or "power" Splunk roles, but with read-only access to a specific alert, could suppress that alert when it triggers. Recommendations: For Splunk Enterprise versions prior to 9.4.2, update to version 9.4.2 or later. For Splunk Enterprise versions prior to 9.3.5, update to version 9.3.5 or later. For Splunk Enterprise versions prior to 9.2.6, update to version 9.2.6 or later. For Splunk Enterprise versions prior to 9.1.9, update to version 9.1.9 or later. For Splunk Cloud Platform versions prior to 9.3.2411.103, update to version 9.3.2411.103 or later. For Splunk Cloud Platform versions prior to 9.3.2408.112, update to version 9.3.2408.112 or later. For Splunk Cloud Platform versions prior to 9.2.2406.119, update to version 9.2.2406.119 or later.

**Name of the Vulnerable Software and Affected Versions** Splunk Enterprise versions prior to 9.4.1 Splunk Enterprise versions prior to 9.3.3 Splunk Enterprise versions prior to 9.2.5 Splunk Enterprise versions prior to 9.1.8 Splunk Cloud Platform versions prior to 9.3.2408.107 Splunk Cloud Platform versions prior to 9.2.2406.111 Splunk Cloud Platform versions prior to 9.1.2308.214 **Description** A low-privileged user could bypass the SPL safeguards for risky commands on the "/services/streams/search" endpoint through its `q` parameter, using the permissions of a higher-privileged user. This requires the attacker to phish the victim by tricking them into initiating a request within their browser. The authenticated user should not be able to exploit the issue at will. **Recommendations** For Splunk Enterprise versions prior to 9.4.1, update to version 9.4.1 or later. For Splunk Enterprise versions prior to 9.3.3, update to version 9.3.3 or later. For Splunk Enterprise versions prior to 9.2.5, update to version 9.2.5 or later. For Splunk Enterprise versions prior to 9.1.8, update to version 9.1.8 or later. For Splunk Cloud Platform versions prior to 9.3.2408.107, update to version 9.3.2408.107 or later. For Splunk Cloud Platform versions prior to 9.2.2406.111, update to version 9.2.2406.111 or later. For Splunk Cloud Platform versions prior to 9.1.2308.214, update to version 9.1.2308.214 or later. As a temporary workaround, consider restricting access to the "/services/streams/search" endpoint to minimize the risk of exploitation. Avoid using the `q` parameter in the affected endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Splunk Enterprise versions prior to 9.3.3 Splunk Enterprise versions prior to 9.2.5 Splunk Enterprise versions prior to 9.1.8 Splunk Cloud Platform versions prior to 9.3.2408.103 Splunk Cloud Platform versions prior to 9.2.2406.108 Splunk Cloud Platform versions prior to 9.2.2403.113 Splunk Cloud Platform versions prior to 9.1.2312.208 Splunk Cloud Platform versions prior to 9.1.2308.212 **Description** A low-privileged user could bypass SPL safeguards for risky commands on the "/app/search/search" endpoint through its `s` parameter, allowing them to run a saved search with a risky command using the permissions of a higher-privileged user. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. **Recommendations** For Splunk Enterprise versions prior to 9.3.3, update to version 9.3.3 or later. For Splunk Enterprise versions prior to 9.2.5, update to version 9.2.5 or later. For Splunk Enterprise versions prior to 9.1.8, update to version 9.1.8 or later. For Splunk Cloud Platform versions prior to 9.3.2408.103, update to version 9.3.2408.103 or later. For Splunk Cloud Platform versions prior to 9.2.2406.108, update to version 9.2.2406.108 or later. For Splunk Cloud Platform versions prior to 9.2.2403.113, update to version 9.2.2403.113 or later. For Splunk Cloud Platform versions prior to 9.1.2312.208, update to version 9.1.2312.208 or later. For Splunk Cloud Platform versions prior to 9.1.2308.212, update to version 9.1.2308.212 or later.

**Name of the Vulnerable Software and Affected Versions** Splunk Enterprise versions prior to 9.4.1 Splunk Enterprise versions prior to 9.3.3 Splunk Enterprise versions prior to 9.2.5 Splunk Enterprise versions prior to 9.1.8 Splunk Secure Gateway app on Splunk Cloud Platform versions prior to 3.8.38 Splunk Secure Gateway app on Splunk Cloud Platform versions prior to 3.7.23 **Description** The issue allows a low-privileged user without the "admin" or "power" Splunk roles to potentially disclose sensitive information by running a search using the permissions of a higher-privileged user. This requires the attacker to trick the victim into initiating a request within their browser, indicating a phishing component. The low-privileged user cannot exploit this issue at will. **Recommendations** For Splunk Enterprise versions prior to 9.4.1, update to version 9.4.1 or later. For Splunk Enterprise versions prior to 9.3.3, update to version 9.3.3 or later. For Splunk Enterprise versions prior to 9.2.5, update to version 9.2.5 or later. For Splunk Enterprise versions prior to 9.1.8, update to version 9.1.8 or later. For Splunk Secure Gateway app on Splunk Cloud Platform versions prior to 3.8.38, update to version 3.8.38 or later. For Splunk Secure Gateway app on Splunk Cloud Platform versions prior to 3.7.23, update to version 3.7.23 or later.

**Name of the Vulnerable Software and Affected Versions** Splunk Enterprise versions prior to 9.3.3 Splunk Enterprise versions prior to 9.2.5 Splunk Enterprise versions prior to 9.1.8 Splunk Cloud Platform versions prior to 9.2.2403.108 Splunk Cloud Platform versions prior to 9.1.2312.204 **Description** A low-privileged user without the "admin" or "power" Splunk roles could change the maintenance mode state of App Key Value Store (KVStore) through a Cross-Site Request Forgery (CSRF). **Recommendations** For Splunk Enterprise versions prior to 9.3.3, update to version 9.3.3 or later. For Splunk Enterprise versions prior to 9.2.5, update to version 9.2.5 or later. For Splunk Enterprise versions prior to 9.1.8, update to version 9.1.8 or later. For Splunk Cloud Platform versions prior to 9.2.2403.108, update to version 9.2.2403.108 or later. For Splunk Cloud Platform versions prior to 9.1.2312.204, update to version 9.1.2312.204 or later.

Name of the Vulnerable Software and Affected Versions: Splunk Enterprise versions prior to 9.3.2, 9.2.4, and 9.1.7 Splunk Secure Gateway app on Splunk Cloud Platform versions prior to 3.2.462, 3.7.18, and 3.8.5 Description: The issue is related to improper access control in the Splunk Secure Gateway App Key Value Store (KVstore) collections endpoints. This could allow a low-privileged user without the "admin" or "power" Splunk roles to see alert search query responses. The vulnerability may enable a remote attacker to gain unauthorized access to protected information due to insufficient protection of service data resulting from improper access control to the KV Store. Recommendations: For Splunk Enterprise versions prior to 9.3.2, 9.2.4, and 9.1.7, update to version 9.3.2, 9.2.4, or 9.1.7 or later. For Splunk Secure Gateway app on Splunk Cloud Platform versions prior to 3.2.462, 3.7.18, and 3.8.5, update to version 3.2.462, 3.7.18, or 3.8.5 or later. As a temporary workaround, consider restricting access to the KV Store collections endpoints until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Splunk Enterprise versions prior to 9.3.1 Splunk Enterprise versions prior to 9.2.3 Splunk Enterprise versions prior to 9.1.6 Splunk Cloud Platform versions prior to 9.2.2403.108 Splunk Cloud Platform versions prior to 9.1.2312.204 **Description** The issue is related to a Cross-Site Request Forgery (CSRF) vulnerability in the Splunk Web component of Splunk Enterprise. This vulnerability can be exploited by a low-privileged user who does not hold the "admin" or "power" Splunk roles, allowing them to change the maintenance mode state of App Key Value Store (KVStore). The exploitation can be done through a specially crafted web page. **Recommendations** For Splunk Enterprise versions prior to 9.3.1, update to version 9.3.1 or later. For Splunk Enterprise versions prior to 9.2.3, update to version 9.2.3 or later. For Splunk Enterprise versions prior to 9.1.6, update to version 9.1.6 or later. For Splunk Cloud Platform versions prior to 9.2.2403.108, update to version 9.2.2403.108 or later. For Splunk Cloud Platform versions prior to 9.1.2312.204, update to version 9.1.2312.204 or later. As a temporary workaround, consider restricting access to the KVStore maintenance mode to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Splunk Enterprise versions prior to 9.3.1 Splunk Enterprise version 9.2.0 through 9.2.3 Splunk Cloud Platform versions prior to 9.2.2403.103 Splunk Cloud Platform versions 9.1.2312.200 through 9.1.2312.110 Splunk Cloud Platform version 9.1.2308.208 **Description** The issue is related to authorization procedure flaws in Splunk Enterprise, which could allow a low-privileged user without the "admin" or "power" Splunk roles to run a search as the "nobody" Splunk user in the SplunkDeploymentServerConfig app. This could let the low-privileged user access potentially restricted data. **Recommendations** For Splunk Enterprise versions prior to 9.3.1, update to version 9.3.1 or later. For Splunk Enterprise version 9.2.0 through 9.2.3, update to version 9.2.3 or later. For Splunk Cloud Platform versions prior to 9.2.2403.103, update to version 9.2.2403.103 or later. For Splunk Cloud Platform versions 9.1.2312.200 through 9.1.2312.110, update to a version outside of this range or later. For Splunk Cloud Platform version 9.1.2308.208, update to a version later than 9.1.2308.208. As a temporary workaround, consider restricting access to the SplunkDeploymentServerConfig app to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Splunk Enterprise versions 9.1.6, 9.2.3, and 9.3.0 Description: A low-privileged user without the "admin" or "power" Splunk roles could view images on the machine that runs Splunk Enterprise by using the PDF export feature in Splunk classic dashboards. The images on the machine could be exposed by exporting the dashboard as a PDF, using the local image path in the `img` tag in the source extensible markup language (XML) code for the Splunk classic dashboard. This issue is related to insufficient access control in the PDF export feature. Recommendations: For version 9.1.6, upgrade to a newer version to mitigate the risk. For version 9.2.3, upgrade to a newer version to mitigate the risk. For version 9.3.0, upgrade to a newer version to mitigate the risk. As a temporary workaround, consider restricting access to the PDF export feature in Splunk classic dashboards until a patch is available.

Name of the Vulnerable Software and Affected Versions: Splunk Enterprise versions prior to 9.2.2 Splunk Enterprise versions prior to 9.1.5 Splunk Enterprise versions prior to 9.0.10 Splunk Cloud Platform versions prior to 9.2.2403.100 Description: The issue is related to the datamodel/web REST endpoint in Splunk Enterprise, where an authenticated, low-privileged user could send a specially crafted HTTP POST request, potentially causing a denial of service. This is due to the execution of a loop with an unavailable exit condition. The exploitation of this issue allows a remote attacker to cause a denial of service using a specially crafted HTTP request. Recommendations: For Splunk Enterprise versions prior to 9.2.2, update to version 9.2.2 or later. For Splunk Enterprise versions prior to 9.1.5, update to version 9.1.5 or later. For Splunk Enterprise versions prior to 9.0.10, update to version 9.0.10 or later. For Splunk Cloud Platform versions prior to 9.2.2403.100, update to version 9.2.2403.100 or later. As a temporary workaround, consider restricting access to the "datamodel/web" REST endpoint until a patch is available.

Name of the Vulnerable Software and Affected Versions: Splunk Enterprise versions prior to 9.2.2 Splunk Enterprise versions prior to 9.1.5 Splunk Enterprise versions prior to 9.0.10 Splunk Cloud Platform versions prior to 9.1.2312.200 Description: The issue is related to insufficient access control in the Splunk Web Bulletin Messages module of the Splunk Web interface in Splunk Enterprise. This could allow a remote attacker to impact the confidentiality and integrity of protected information by sending specially crafted notifications. A low-privileged user without admin or power Splunk roles could create notifications in Splunk Web Bulletin Messages that all users on the instance receive. Recommendations: For Splunk Enterprise versions prior to 9.2.2, update to version 9.2.2 or later. For Splunk Enterprise versions prior to 9.1.5, update to version 9.1.5 or later. For Splunk Enterprise versions prior to 9.0.10, update to version 9.0.10 or later. For Splunk Cloud Platform versions prior to 9.1.2312.200, update to version 9.1.2312.200 or later. As a temporary workaround, consider restricting access to the Splunk Web Bulletin Messages module to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Splunk Enterprise versions prior to 9.2.2 Splunk Enterprise versions prior to 9.1.5 Splunk Enterprise versions prior to 9.0.10 Splunk Cloud Platform versions prior to 9.1.2312.200 Splunk Cloud Platform versions prior to 9.1.2308.207 **Description** A low-privileged user without admin or power Splunk roles can craft a malicious payload through Splunk Web Bulletin Messages, potentially resulting in the execution of unauthorized JavaScript code in a user's browser. **Recommendations** For Splunk Enterprise versions prior to 9.2.2, update to version 9.2.2 or later. For Splunk Enterprise versions prior to 9.1.5, update to version 9.1.5 or later. For Splunk Enterprise versions prior to 9.0.10, update to version 9.0.10 or later. For Splunk Cloud Platform versions prior to 9.1.2312.200, update to version 9.1.2312.200 or later. For Splunk Cloud Platform versions prior to 9.1.2308.207, update to version 9.1.2308.207 or later.

Name of the Vulnerable Software and Affected Versions: Splunk Enterprise versions prior to 9.2.2 Splunk Enterprise versions prior to 9.1.5 Splunk Enterprise versions prior to 9.0.10 Splunk Cloud Platform versions prior to 9.1.2312.200 Splunk Cloud Platform versions prior to 9.1.2308.207 Description: A low-privileged user without admin or power Splunk roles could craft a malicious payload through a View, potentially resulting in the execution of unauthorized JavaScript code in a user's browser. The issue arises from the `url` parameter of the Dashboard element lacking proper input validation to reject invalid URLs, which could lead to a Persistent Cross-site Scripting (XSS) exploit. Recommendations: For Splunk Enterprise versions prior to 9.2.2, update to version 9.2.2 or later. For Splunk Enterprise versions prior to 9.1.5, update to version 9.1.5 or later. For Splunk Enterprise versions prior to 9.0.10, update to version 9.0.10 or later. For Splunk Cloud Platform versions prior to 9.1.2312.200, update to version 9.1.2312.200 or later. For Splunk Cloud Platform versions prior to 9.1.2308.207, update to version 9.1.2308.207 or later. As a temporary workaround, consider restricting access to the Dashboard element's `url` parameter to minimize the risk of exploitation.