Danylo Dmytriiev

**Name of the Vulnerable Software and Affected Versions** Splunk Enterprise versions prior to 10.2.0, 10.0.4, 9.4.9, and 9.3.10 Splunk Cloud Platform versions prior to 10.2.2510.5, 10.0.2503.12, 10.1.2507.16, and 9.3.2411.124 **Description** A user with a role containing the `edit cmd` capability can execute arbitrary shell commands. This is possible through the `unarchive cmd` parameter of the `/splunkd/ upload/indexing/preview` REST endpoint. The issue stems from inadequate input sanitization, allowing for remote command execution. **Recommendations** Update Splunk Enterprise to version 10.2.0 or later. Update Splunk Cloud Platform to version 10.2.2510.5 or later. Remove the `edit cmd` capability from user roles if an immediate update is not possible.

**Name of the Vulnerable Software and Affected Versions** Splunk Enterprise versions prior to 10.2.0 Splunk Enterprise versions 10.0.3 and earlier Splunk Enterprise versions 9.4.9 and earlier Splunk Enterprise versions 9.3.9 and earlier Splunk Cloud Platform versions prior to 10.2.2510.4 Splunk Cloud Platform versions 10.1.2507.15 and earlier Splunk Cloud Platform versions 10.0.2503.11 and earlier Splunk Cloud Platform versions 9.3.2411.123 and earlier **Description** A low-privileged user lacking 'admin' or 'power' Splunk roles can create a malicious payload when creating a View (Settings - User Interface - Views) at the `/manager/launcher/data/ui/views/ new` API endpoint. This leads to a Stored Cross-Site Scripting (XSS) issue due to a path traversal vulnerability. Successful exploitation could result in the execution of unauthorized JavaScript code within a user's browser. The attacker must trick the victim into initiating a request within their browser through phishing to exploit this issue. The authenticated user cannot exploit the vulnerability independently. **Recommendations** Splunk Enterprise versions prior to 10.2.0 should be upgraded to version 10.2.0 or later. Splunk Enterprise versions 10.0.3 and earlier should be upgraded to version 10.0.3 or later. Splunk Enterprise versions 9.4.9 and earlier should be upgraded to version 9.4.9 or later. Splunk Enterprise versions 9.3.9 and earlier should be upgraded to version 9.3.9 or later. Splunk Cloud Platform versions prior to 10.2.2510.4 should be upgraded to version 10.2.2510.4 or later. Splunk Cloud Platform versions 10.1.2507.15 and earlier should be upgraded to version 10.1.2507.15 or later. Splunk Cloud Platform versions 10.0.2503.11 and earlier should be upgraded to version 10.0.2503.11 or later. Splunk Cloud Platform versions 9.3.2411.123 and earlier should be upgraded to version 9.3.2411.123 or later.

**Name of the Vulnerable Software and Affected Versions** Splunk Enterprise versions prior to 9.4.4 Splunk Enterprise versions 9.2.8 through 9.3.6 Splunk Cloud Platform versions prior to 9.3.2411.108 Splunk Cloud Platform versions 9.2.2406.123 through 9.3.2408.118 **Description** A user with limited privileges, lacking administrator or power roles, can create a malicious payload through error messages and job inspection details of a saved search. This allows for the execution of unauthorized JavaScript code within a user's browser. The issue involves crafting a malicious payload that exploits the way Splunk handles saved search details and error reporting. **Recommendations** Update Splunk Enterprise to version 9.4.4 or later. Update Splunk Enterprise to version 9.3.6 or later. Update Splunk Enterprise to version 9.2.8 or later. Update Splunk Cloud Platform to version 9.3.2411.108 or later. Update Splunk Cloud Platform to version 9.3.2408.118 or later. Update Splunk Cloud Platform to version 9.2.2406.123 or later.

**Name of the Vulnerable Software and Affected Versions** Splunk Enterprise versions prior to 9.4.4 Splunk Enterprise versions prior to 9.3.6 Splunk Enterprise versions prior to 9.2.8 Splunk Cloud Platform versions prior to 9.3.2411.109 Splunk Cloud Platform versions prior to 9.3.2408.119 Splunk Cloud Platform versions prior to 9.2.2406.122 **Description** A user with limited privileges, lacking 'admin' or 'power' roles within Splunk, can create a malicious payload. This payload is delivered through the `dataset.command` parameter of the `/app/search/table` API endpoint. Successful exploitation allows the execution of unauthorized JavaScript code within a user's web browser. **Recommendations** Update Splunk Enterprise to version 9.4.4 or later. Update Splunk Enterprise to version 9.3.6 or later. Update Splunk Enterprise to version 9.2.8 or later. Update Splunk Cloud Platform to version 9.3.2411.109 or later. Update Splunk Cloud Platform to version 9.3.2408.119 or later. Update Splunk Cloud Platform to version 9.2.2406.122 or later.

Name of the Vulnerable Software and Affected Versions: Splunk Enterprise versions prior to 9.4.3 Splunk Enterprise versions prior to 9.3.5 Splunk Enterprise versions prior to 9.2.7 Splunk Enterprise versions prior to 9.1.10 Splunk Cloud Platform versions prior to 9.3.2411.107 Splunk Cloud Platform versions prior to 9.3.2408.117 Splunk Cloud Platform versions prior to 9.2.2406.121 Description: A low-privileged user could craft a malicious payload through the `User Interface - Views` configuration page, potentially leading to a denial of service (DoS) by exploiting a path traversal vulnerability. This allows for deletion of arbitrary files within a Splunk directory. The vulnerability requires the low-privileged user to phish an administrator-level victim by tricking them into initiating a request within their browser. Recommendations: For Splunk Enterprise versions prior to 9.4.3, update to version 9.4.3 or later. For Splunk Enterprise versions prior to 9.3.5, update to version 9.3.5 or later. For Splunk Enterprise versions prior to 9.2.7, update to version 9.2.7 or later. For Splunk Enterprise versions prior to 9.1.10, update to version 9.1.10 or later. For Splunk Cloud Platform versions prior to 9.3.2411.107, update to version 9.3.2411.107 or later. For Splunk Cloud Platform versions prior to 9.3.2408.117, update to version 9.3.2408.117 or later. For Splunk Cloud Platform versions prior to 9.2.2406.121, update to version 9.2.2406.121 or later. As a temporary workaround, consider restricting access to the `User Interface - Views` configuration page to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Splunk Enterprise versions prior to 9.3.2 Splunk Enterprise versions prior to 9.2.4 Splunk Enterprise versions prior to 9.1.7 Splunk Secure Gateway app versions prior to 3.4.261 Splunk Secure Gateway app versions prior to 3.7.13 Description: The issue is related to a low-privileged user being able to perform Remote Code Execution (RCE) due to insufficient deserialization mechanisms in the Splunk Secure Gateway app. This can be exploited by uploading a specially crafted JSON file processed by the jsonpickle Python library, allowing an attacker to execute arbitrary code remotely. Over 145,000 results were found using the ZoomEye Dork "app=Splunk Enterprise", indicating a large number of potentially affected devices. Recommendations: For Splunk Enterprise versions prior to 9.3.2, update to version 9.3.2 or later. For Splunk Enterprise versions prior to 9.2.4, update to version 9.2.4 or later. For Splunk Enterprise versions prior to 9.1.7, update to version 9.1.7 or later. For Splunk Secure Gateway app versions prior to 3.4.261, update to version 3.4.261 or later. For Splunk Secure Gateway app versions prior to 3.7.13, update to version 3.7.13 or later. As a temporary workaround, consider disabling the jsonpickle library until a patch is available. Restrict access to the Splunk Secure Gateway app to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Splunk Enterprise versions prior to 9.2.3 and 9.1.6 Splunk Cloud Platform versions prior to 9.2.2403.108 and 9.1.2312.205 **Description** A low-privileged user without the "admin" or "power" Splunk roles could create a malicious payload through a custom configuration file that the `api.uri` parameter from the "/manager/search/apps/local" endpoint in Splunk Web calls. This could result in execution of unauthorized JavaScript code in the browser of a user, potentially leading to cross-site scripting (XSS) attacks. **Recommendations** For Splunk Enterprise versions prior to 9.2.3 and 9.1.6, update to version 9.2.3 or 9.1.6 or later. For Splunk Cloud Platform versions prior to 9.2.2403.108 and 9.1.2312.205, update to version 9.2.2403.108 or 9.1.2312.205 or later. As a temporary workaround, consider restricting access to the "/manager/search/apps/local" endpoint in Splunk Web to minimize the risk of exploitation. Avoid using the `api.uri` parameter in the affected endpoint until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: Splunk Enterprise versions prior to 9.3.1 Splunk Enterprise versions prior to 9.2.3 Splunk Enterprise versions prior to 9.1.6 Splunk Cloud Platform versions prior to 9.2.2403.107 Splunk Cloud Platform versions prior to 9.1.2312.204 Splunk Cloud Platform versions prior to 9.1.2312.111 Description: A low-privileged user without the "admin" or "power" Splunk roles could craft a search query with an improperly formatted `INGEST EVAL` parameter as part of a Field Transformation, which could crash the Splunk daemon (splunkd), resulting in a denial of service. This issue is related to an uncontrolled resource consumption due to the incorrectly formatted `INGEST EVAL` parameter. Recommendations: For Splunk Enterprise versions prior to 9.3.1, update to version 9.3.1 or later. For Splunk Enterprise versions prior to 9.2.3, update to version 9.2.3 or later. For Splunk Enterprise versions prior to 9.1.6, update to version 9.1.6 or later. For Splunk Cloud Platform versions prior to 9.2.2403.107, update to version 9.2.2403.107 or later. For Splunk Cloud Platform versions prior to 9.1.2312.204, update to version 9.1.2312.204 or later. For Splunk Cloud Platform versions prior to 9.1.2312.111, update to version 9.1.2312.111 or later. As a temporary workaround, consider restricting access to the `INGEST EVAL` parameter in Field Transformations to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Splunk Enterprise versions prior to 9.2.3 Splunk Enterprise versions prior to 9.1.6 Splunk Cloud Platform versions prior to 9.2.2403 Description: A low-privileged user without the "admin" or "power" Splunk roles could craft a malicious payload through Scheduled Views, potentially resulting in the execution of unauthorized JavaScript code in a user's browser. This issue is related to the lack of protection for the web page structure in the Splunk Web interface, which could allow a remote attacker to perform cross-site scripting attacks. Recommendations: For Splunk Enterprise versions prior to 9.2.3, update to version 9.2.3 or later to resolve the issue. For Splunk Enterprise versions prior to 9.1.6, update to version 9.1.6 or later to resolve the issue. For Splunk Cloud Platform versions prior to 9.2.2403, update to version 9.2.2403 or later to resolve the issue. As a temporary workaround, consider restricting access to Scheduled Views for low-privileged users until a patch is applied.

Name of the Vulnerable Software and Affected Versions: Splunk Enterprise versions prior to 9.2.2 Splunk Enterprise versions prior to 9.1.5 Splunk Enterprise versions prior to 9.0.10 Description: The issue is related to a path traversal vulnerability in Splunk Enterprise on Windows, which could allow an attacker to perform a path traversal on the "/modules/messaging/" endpoint. This vulnerability should only affect Splunk Enterprise on Windows. The estimated number of potentially affected devices worldwide is around 257,400 services. The vulnerability can be exploited to read sensitive files, such as the Splunk passwd file. Recommendations: For versions prior to 9.2.2, update to version 9.2.2 or later. For versions prior to 9.1.5, update to version 9.1.5 or later. For versions prior to 9.0.10, update to version 9.0.10 or later. As a temporary workaround, consider restricting access to the "/modules/messaging/" endpoint until a patch is available.

Name of the Vulnerable Software and Affected Versions: Splunk Enterprise versions prior to 9.2.2 Splunk Enterprise versions prior to 9.1.5 Splunk Enterprise versions prior to 9.0.10 Splunk Cloud Platform versions prior to 9.1.2312.109 Splunk Cloud Platform versions prior to 9.1.2308.207 Description: The issue is related to the external lookup technology in Splunk Enterprise, which can be exploited by an authenticated user to create an external lookup that calls a legacy internal function. This function can be used to insert code into the Splunk platform installation directory, allowing the user to execute arbitrary code on the Splunk platform instance. The vulnerability is associated with the incorrect neutralization of special elements used in the operating system command. Recommendations: For Splunk Enterprise versions prior to 9.2.2, update to version 9.2.2 or later. For Splunk Enterprise versions prior to 9.1.5, update to version 9.1.5 or later. For Splunk Enterprise versions prior to 9.0.10, update to version 9.0.10 or later. For Splunk Cloud Platform versions prior to 9.1.2312.109, update to version 9.1.2312.109 or later. For Splunk Cloud Platform versions prior to 9.1.2308.207, update to version 9.1.2308.207 or later. As a temporary workaround, consider restricting access to the external lookup feature until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Splunk Enterprise versions prior to 9.2.2 Splunk Enterprise versions prior to 9.1.5 Splunk Enterprise versions prior to 9.0.10 **Description** The issue allows an authenticated user to execute a specially crafted query, which can then be used to serialize untrusted data, potentially leading to the execution of arbitrary code. This can be exploited by an attacker to gain unauthorized access and control. **Recommendations** For versions prior to 9.2.2, update to version 9.2.2 or later. For versions prior to 9.1.5, update to version 9.1.5 or later. For versions prior to 9.0.10, update to version 9.0.10 or later.

Name of the Vulnerable Software and Affected Versions: Splunk Enterprise versions prior to 9.2.2 Splunk Enterprise versions prior to 9.1.5 Splunk Enterprise versions prior to 9.0.10 Splunk Cloud Platform versions prior to 9.1.2312.200 Splunk Cloud Platform versions prior to 9.1.2308.207 Description: The issue is related to the Bulletin Messages module in the Splunk Web interface of the Splunk Enterprise platform, which fails to take measures to protect the web page structure. This could allow a remote attacker to perform cross-site scripting attacks. A low-privileged user without admin or power Splunk roles could craft a malicious payload through a View and Splunk Web Bulletin Messages, resulting in the execution of unauthorized JavaScript code in a user's browser. Recommendations: For Splunk Enterprise versions prior to 9.2.2, update to version 9.2.2 or later. For Splunk Enterprise versions prior to 9.1.5, update to version 9.1.5 or later. For Splunk Enterprise versions prior to 9.0.10, update to version 9.0.10 or later. For Splunk Cloud Platform versions prior to 9.1.2312.200, update to version 9.1.2312.200 or later. For Splunk Cloud Platform versions prior to 9.1.2308.207, update to version 9.1.2308.207 or later. As a temporary workaround, consider restricting access to the Bulletin Messages module in the Splunk Web interface until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Splunk Enterprise for Windows versions below 9.0.8 and 9.1.3 **Description** The issue is related to the incorrect sanitization of path input data, resulting in the unsafe deserialization of untrusted data from a separate disk partition on the machine. This can potentially impact the integrity, availability, and confidentiality of protected information. **Recommendations** For versions below 9.0.8, update to version 9.0.8 or later. For versions below 9.1.3, update to version 9.1.3 or later. As a temporary workaround, consider restricting access to sensitive data and implementing additional security measures to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Splunk Enterprise versions prior to 8.2.12 Splunk Enterprise versions prior to 9.0.6 Splunk Enterprise versions prior to 9.1.1 **Description** The issue allows an attacker to perform a denial of service (DoS) against the Splunk Enterprise instance by using the `printf` SPL function. **Recommendations** For versions prior to 8.2.12, update to version 8.2.12 or later. For versions prior to 9.0.6, update to version 9.0.6 or later. For versions prior to 9.1.1, update to version 9.1.1 or later.

**Name of the Vulnerable Software and Affected Versions** Splunk Enterprise versions prior to 8.2.12 Splunk Enterprise versions prior to 9.0.6 Splunk Enterprise versions prior to 9.1.1 **Description** The issue is related to a deserialization mechanism flaw in the Splunk Web interface of Splunk Enterprise, allowing an attacker to execute arbitrary code by sending a specially crafted query. This can be used to serialize untrusted data, leading to code execution. Approximately 12,000 vulnerable public instances have been found. **Recommendations** For versions prior to 8.2.12, update to version 8.2.12 or later. For versions prior to 9.0.6, update to version 9.0.6 or later. For versions prior to 9.1.1, update to version 9.1.1 or later.

**Name of the Vulnerable Software and Affected Versions** Splunk Enterprise versions prior to 8.2.12 Splunk Enterprise versions prior to 9.0.6 Splunk Enterprise versions prior to 9.1.1 **Description** The issue is related to an absolute path traversal that can be exploited to execute arbitrary code located on a separate disk. It is also associated with incorrect restriction of directory path names in the Splunk Web interface, which can allow an attacker to execute arbitrary code using the runshellscript.py script. **Recommendations** For versions prior to 8.2.12, update to version 8.2.12 or later. For versions prior to 9.0.6, update to version 9.0.6 or later. For versions prior to 9.1.1, update to version 9.1.1 or later.

**Name of the Vulnerable Software and Affected Versions** Splunk Enterprise versions prior to 9.1.1 Splunk Enterprise versions prior to 9.0.6 Splunk Enterprise versions prior to 8.2.12 **Description** The issue is related to a reflected cross-site scripting (XSS) vulnerability in the Splunk Enterprise platform, specifically affecting the "/app/search/table" web endpoint. An attacker can craft a special web request to exploit this vulnerability, potentially leading to the execution of arbitrary commands on the Splunk platform instance. **Recommendations** For versions prior to 9.1.1, update to version 9.1.1 or later to resolve the issue. For versions prior to 9.0.6, update to version 9.0.6 or later to resolve the issue. For versions prior to 8.2.12, update to version 8.2.12 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/app/search/table" web endpoint until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Splunk Enterprise versions prior to 8.2.12 Splunk Enterprise versions prior to 9.0.6 Splunk Enterprise versions prior to 9.1.1 **Description** The issue is related to the Splunk Web interface of the Splunk Enterprise platform for operational analysis. It is associated with the failure to clean up data at the management level due to the use of the outdated `runshellscript` command. Exploitation of this issue may allow a remote attacker to execute arbitrary commands. An attacker can create an external lookup that calls a legacy internal function, allowing them to insert code into the Splunk platform installation directory and execute arbitrary code on the Splunk platform instance. **Recommendations** For versions prior to 8.2.12, update to version 8.2.12 or later. For versions prior to 9.0.6, update to version 9.0.6 or later. For versions prior to 9.1.1, update to version 9.1.1 or later.

**Name of the Vulnerable Software and Affected Versions** Splunk Enterprise versions prior to 9.0.5 Splunk Enterprise versions prior to 8.2.11 Splunk Enterprise versions prior to 8.1.14 **Description** The issue allows a low-privileged user to exploit a vulnerability in the Bootstrap web framework and build a stored cross-site scripting (XSS) payload through a Splunk dashboard view. **Recommendations** For versions prior to 9.0.5, update to version 9.0.5 or later. For versions prior to 8.2.11, update to version 8.2.11 or later. For versions prior to 8.1.14, update to version 8.1.14 or later.