Ddv_Ua

**Name of the Vulnerable Software and Affected Versions** Splunk Enterprise versions prior to 10.2.0, 10.0.4, 9.4.9, and 9.3.10 Splunk Cloud Platform versions prior to 10.2.2510.5, 10.0.2503.12, 10.1.2507.16, and 9.3.2411.124 **Description** A user with a role containing the `edit cmd` capability can execute arbitrary shell commands. This is possible through the `unarchive cmd` parameter of the `/splunkd/ upload/indexing/preview` REST endpoint. The issue stems from inadequate input sanitization, allowing for remote command execution. **Recommendations** Update Splunk Enterprise to version 10.2.0 or later. Update Splunk Cloud Platform to version 10.2.2510.5 or later. Remove the `edit cmd` capability from user roles if an immediate update is not possible.

Name of the Vulnerable Software and Affected Versions: Splunk Enterprise versions prior to 9.3.2 Splunk Enterprise versions prior to 9.2.4 Splunk Enterprise versions prior to 9.1.7 Splunk Secure Gateway app versions prior to 3.4.261 Splunk Secure Gateway app versions prior to 3.7.13 Description: The issue is related to a low-privileged user being able to perform Remote Code Execution (RCE) due to insufficient deserialization mechanisms in the Splunk Secure Gateway app. This can be exploited by uploading a specially crafted JSON file processed by the jsonpickle Python library, allowing an attacker to execute arbitrary code remotely. Over 145,000 results were found using the ZoomEye Dork "app=Splunk Enterprise", indicating a large number of potentially affected devices. Recommendations: For Splunk Enterprise versions prior to 9.3.2, update to version 9.3.2 or later. For Splunk Enterprise versions prior to 9.2.4, update to version 9.2.4 or later. For Splunk Enterprise versions prior to 9.1.7, update to version 9.1.7 or later. For Splunk Secure Gateway app versions prior to 3.4.261, update to version 3.4.261 or later. For Splunk Secure Gateway app versions prior to 3.7.13, update to version 3.7.13 or later. As a temporary workaround, consider disabling the jsonpickle library until a patch is available. Restrict access to the Splunk Secure Gateway app to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Splunk Enterprise versions prior to 9.2.3 and 9.1.6 Splunk Cloud Platform versions prior to 9.2.2403.108 and 9.1.2312.205 **Description** A low-privileged user without the "admin" or "power" Splunk roles could create a malicious payload through a custom configuration file that the `api.uri` parameter from the "/manager/search/apps/local" endpoint in Splunk Web calls. This could result in execution of unauthorized JavaScript code in the browser of a user, potentially leading to cross-site scripting (XSS) attacks. **Recommendations** For Splunk Enterprise versions prior to 9.2.3 and 9.1.6, update to version 9.2.3 or 9.1.6 or later. For Splunk Cloud Platform versions prior to 9.2.2403.108 and 9.1.2312.205, update to version 9.2.2403.108 or 9.1.2312.205 or later. As a temporary workaround, consider restricting access to the "/manager/search/apps/local" endpoint in Splunk Web to minimize the risk of exploitation. Avoid using the `api.uri` parameter in the affected endpoint until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: Splunk Enterprise versions prior to 9.3.1 Splunk Enterprise versions prior to 9.2.3 Splunk Enterprise versions prior to 9.1.6 Splunk Cloud Platform versions prior to 9.2.2403.107 Splunk Cloud Platform versions prior to 9.1.2312.204 Splunk Cloud Platform versions prior to 9.1.2312.111 Description: A low-privileged user without the "admin" or "power" Splunk roles could craft a search query with an improperly formatted `INGEST EVAL` parameter as part of a Field Transformation, which could crash the Splunk daemon (splunkd), resulting in a denial of service. This issue is related to an uncontrolled resource consumption due to the incorrectly formatted `INGEST EVAL` parameter. Recommendations: For Splunk Enterprise versions prior to 9.3.1, update to version 9.3.1 or later. For Splunk Enterprise versions prior to 9.2.3, update to version 9.2.3 or later. For Splunk Enterprise versions prior to 9.1.6, update to version 9.1.6 or later. For Splunk Cloud Platform versions prior to 9.2.2403.107, update to version 9.2.2403.107 or later. For Splunk Cloud Platform versions prior to 9.1.2312.204, update to version 9.1.2312.204 or later. For Splunk Cloud Platform versions prior to 9.1.2312.111, update to version 9.1.2312.111 or later. As a temporary workaround, consider restricting access to the `INGEST EVAL` parameter in Field Transformations to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Splunk Enterprise versions prior to 9.2.2 Splunk Enterprise versions prior to 9.1.5 Splunk Enterprise versions prior to 9.0.10 **Description** The issue allows an authenticated user to execute a specially crafted query, which can then be used to serialize untrusted data, potentially leading to the execution of arbitrary code. This can be exploited by an attacker to gain unauthorized access and control. **Recommendations** For versions prior to 9.2.2, update to version 9.2.2 or later. For versions prior to 9.1.5, update to version 9.1.5 or later. For versions prior to 9.0.10, update to version 9.0.10 or later.

Name of the Vulnerable Software and Affected Versions: Splunk Enterprise versions prior to 9.2.2 Splunk Enterprise versions prior to 9.1.5 Splunk Enterprise versions prior to 9.0.10 Splunk Cloud Platform versions prior to 9.1.2312.109 Splunk Cloud Platform versions prior to 9.1.2308.207 Description: The issue is related to the external lookup technology in Splunk Enterprise, which can be exploited by an authenticated user to create an external lookup that calls a legacy internal function. This function can be used to insert code into the Splunk platform installation directory, allowing the user to execute arbitrary code on the Splunk platform instance. The vulnerability is associated with the incorrect neutralization of special elements used in the operating system command. Recommendations: For Splunk Enterprise versions prior to 9.2.2, update to version 9.2.2 or later. For Splunk Enterprise versions prior to 9.1.5, update to version 9.1.5 or later. For Splunk Enterprise versions prior to 9.0.10, update to version 9.0.10 or later. For Splunk Cloud Platform versions prior to 9.1.2312.109, update to version 9.1.2312.109 or later. For Splunk Cloud Platform versions prior to 9.1.2308.207, update to version 9.1.2308.207 or later. As a temporary workaround, consider restricting access to the external lookup feature until a patch is applied.

Name of the Vulnerable Software and Affected Versions: Splunk Enterprise versions prior to 9.2.2 Splunk Enterprise versions prior to 9.1.5 Splunk Enterprise versions prior to 9.0.10 Description: The issue is related to a path traversal vulnerability in Splunk Enterprise on Windows, which could allow an attacker to perform a path traversal on the "/modules/messaging/" endpoint. This vulnerability should only affect Splunk Enterprise on Windows. The estimated number of potentially affected devices worldwide is around 257,400 services. The vulnerability can be exploited to read sensitive files, such as the Splunk passwd file. Recommendations: For versions prior to 9.2.2, update to version 9.2.2 or later. For versions prior to 9.1.5, update to version 9.1.5 or later. For versions prior to 9.0.10, update to version 9.0.10 or later. As a temporary workaround, consider restricting access to the "/modules/messaging/" endpoint until a patch is available.

Name of the Vulnerable Software and Affected Versions: Splunk Enterprise versions prior to 9.2.2 Splunk Enterprise versions prior to 9.1.5 Splunk Enterprise versions prior to 9.0.10 Splunk Cloud Platform versions prior to 9.1.2312.200 Splunk Cloud Platform versions prior to 9.1.2308.207 Description: The issue is related to the Bulletin Messages module in the Splunk Web interface of the Splunk Enterprise platform, which fails to take measures to protect the web page structure. This could allow a remote attacker to perform cross-site scripting attacks. A low-privileged user without admin or power Splunk roles could craft a malicious payload through a View and Splunk Web Bulletin Messages, resulting in the execution of unauthorized JavaScript code in a user's browser. Recommendations: For Splunk Enterprise versions prior to 9.2.2, update to version 9.2.2 or later. For Splunk Enterprise versions prior to 9.1.5, update to version 9.1.5 or later. For Splunk Enterprise versions prior to 9.0.10, update to version 9.0.10 or later. For Splunk Cloud Platform versions prior to 9.1.2312.200, update to version 9.1.2312.200 or later. For Splunk Cloud Platform versions prior to 9.1.2308.207, update to version 9.1.2308.207 or later. As a temporary workaround, consider restricting access to the Bulletin Messages module in the Splunk Web interface until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Splunk Enterprise for Windows versions below 9.0.8 and 9.1.3 **Description** The issue is related to the incorrect sanitization of path input data, resulting in the unsafe deserialization of untrusted data from a separate disk partition on the machine. This can potentially impact the integrity, availability, and confidentiality of protected information. **Recommendations** For versions below 9.0.8, update to version 9.0.8 or later. For versions below 9.1.3, update to version 9.1.3 or later. As a temporary workaround, consider restricting access to sensitive data and implementing additional security measures to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Confluence Data Center and Server versions 7.13.0 through 7.19.17 Confluence Data Center and Server versions 8.5.0 through 8.5.4 Confluence Data Center and Server versions 8.7.0 through 8.7.1 **Description** This is a High severity Remote Code Execution (RCE) vulnerability that allows an unauthenticated attacker to expose assets in the environment susceptible to exploitation, with high impact to confidentiality and no impact to integrity or availability. The vulnerability is related to insufficient input validation. **Recommendations** For Confluence Data Center and Server 7.19: Upgrade to a release 7.19.18, or any higher 7.19.x release For Confluence Data Center and Server 8.5: Upgrade to a release 8.5.5 or any higher 8.5.x release For Confluence Data Center and Server 8.7: Upgrade to a release 8.7.2 or any higher release

**Name of the Vulnerable Software and Affected Versions** Confluence Data Center and Server versions 2.1.0 through 7.19.17 Confluence Data Center and Server versions 8.5.0 through 8.5.4 Confluence Data Center and Server versions 8.7.0 through 8.7.1 **Description** This issue is a Remote Code Execution (RCE) vulnerability that allows an unauthenticated attacker to remotely expose assets in the environment, susceptible to exploitation. It has a high impact on confidentiality, integrity, and availability and requires user interaction. The vulnerability is related to insufficient input validation. **Recommendations** For Confluence Data Center and Server 7.19: Upgrade to a release 7.19.18, or any higher 7.19.x release For Confluence Data Center and Server 8.5: Upgrade to a release 8.5.5 or any higher 8.5.x release For Confluence Data Center and Server 8.7: Upgrade to a release 8.7.2 or any higher release

**Name of the Vulnerable Software and Affected Versions** Splunk Enterprise versions prior to 8.2.12 Splunk Enterprise versions prior to 9.0.6 Splunk Enterprise versions prior to 9.1.1 **Description** The issue allows an attacker to perform a denial of service (DoS) against the Splunk Enterprise instance by using the `printf` SPL function. **Recommendations** For versions prior to 8.2.12, update to version 8.2.12 or later. For versions prior to 9.0.6, update to version 9.0.6 or later. For versions prior to 9.1.1, update to version 9.1.1 or later.

**Name of the Vulnerable Software and Affected Versions** Splunk Enterprise versions prior to 9.1.1 Splunk Enterprise versions prior to 9.0.6 Splunk Enterprise versions prior to 8.2.12 **Description** The issue is related to a reflected cross-site scripting (XSS) vulnerability in the Splunk Enterprise platform, specifically affecting the "/app/search/table" web endpoint. An attacker can craft a special web request to exploit this vulnerability, potentially leading to the execution of arbitrary commands on the Splunk platform instance. **Recommendations** For versions prior to 9.1.1, update to version 9.1.1 or later to resolve the issue. For versions prior to 9.0.6, update to version 9.0.6 or later to resolve the issue. For versions prior to 8.2.12, update to version 8.2.12 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/app/search/table" web endpoint until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Splunk Enterprise versions prior to 8.2.12 Splunk Enterprise versions prior to 9.0.6 Splunk Enterprise versions prior to 9.1.1 **Description** The issue is related to an absolute path traversal that can be exploited to execute arbitrary code located on a separate disk. It is also associated with incorrect restriction of directory path names in the Splunk Web interface, which can allow an attacker to execute arbitrary code using the runshellscript.py script. **Recommendations** For versions prior to 8.2.12, update to version 8.2.12 or later. For versions prior to 9.0.6, update to version 9.0.6 or later. For versions prior to 9.1.1, update to version 9.1.1 or later.

**Name of the Vulnerable Software and Affected Versions** Splunk Enterprise versions prior to 8.2.12 Splunk Enterprise versions prior to 9.0.6 Splunk Enterprise versions prior to 9.1.1 **Description** The issue is related to the Splunk Web interface of the Splunk Enterprise platform for operational analysis. It is associated with the failure to clean up data at the management level due to the use of the outdated `runshellscript` command. Exploitation of this issue may allow a remote attacker to execute arbitrary commands. An attacker can create an external lookup that calls a legacy internal function, allowing them to insert code into the Splunk platform installation directory and execute arbitrary code on the Splunk platform instance. **Recommendations** For versions prior to 8.2.12, update to version 8.2.12 or later. For versions prior to 9.0.6, update to version 9.0.6 or later. For versions prior to 9.1.1, update to version 9.1.1 or later.

**Name of the Vulnerable Software and Affected Versions** Splunk Enterprise versions prior to 8.2.12 Splunk Enterprise versions prior to 9.0.6 Splunk Enterprise versions prior to 9.1.1 **Description** The issue is related to a deserialization mechanism flaw in the Splunk Web interface of Splunk Enterprise, allowing an attacker to execute arbitrary code by sending a specially crafted query. This can be used to serialize untrusted data, leading to code execution. Approximately 12,000 vulnerable public instances have been found. **Recommendations** For versions prior to 8.2.12, update to version 8.2.12 or later. For versions prior to 9.0.6, update to version 9.0.6 or later. For versions prior to 9.1.1, update to version 9.1.1 or later.

**Name of the Vulnerable Software and Affected Versions** Splunk Enterprise versions prior to 9.0.5 Splunk Enterprise versions prior to 8.2.11 Splunk Enterprise versions prior to 8.1.14 **Description** The issue allows a low-privileged user to exploit a vulnerability in the Bootstrap web framework and build a stored cross-site scripting (XSS) payload through a Splunk dashboard view. **Recommendations** For versions prior to 9.0.5, update to version 9.0.5 or later. For versions prior to 8.2.11, update to version 8.2.11 or later. For versions prior to 8.1.14, update to version 8.1.14 or later.

**Name of the Vulnerable Software and Affected Versions** Splunk Enterprise versions prior to 9.0.5 Splunk Enterprise versions prior to 8.2.11 Splunk Enterprise versions prior to 8.1.14 Splunk Cloud Platform versions prior to 9.0.2303.100 **Description** A low-privileged user can trigger an HTTP response splitting issue with the `rest` SPL command, potentially allowing them to access other REST endpoints in the system arbitrarily. **Recommendations** For Splunk Enterprise versions prior to 9.0.5, update to version 9.0.5 or later. For Splunk Enterprise versions prior to 8.2.11, update to version 8.2.11 or later. For Splunk Enterprise versions prior to 8.1.14, update to version 8.1.14 or later. For Splunk Cloud Platform versions prior to 9.0.2303.100, update to version 9.0.2303.100 or later.

**Name of the Vulnerable Software and Affected Versions** Splunk Enterprise versions prior to 9.0.5 Splunk Enterprise versions prior to 8.2.11 Splunk Enterprise versions prior to 8.1.14 Splunk Cloud Platform versions prior to 9.0.2303.100 **Description** The issue is related to insufficient exception handling in the Splunk Enterprise platform for operational analysis. Exploitation of this issue can allow a remote attacker to cause a denial of service using the `dump` SPL command. This can lead to the Splunk daemon crashing. **Recommendations** For Splunk Enterprise versions prior to 9.0.5, update to version 9.0.5 or later. For Splunk Enterprise versions prior to 8.2.11, update to version 8.2.11 or later. For Splunk Enterprise versions prior to 8.1.14, update to version 8.1.14 or later. For Splunk Cloud Platform versions prior to 9.0.2303.100, update to version 9.0.2303.100 or later. As a temporary workaround, consider restricting access to the `dump` SPL command to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Splunk Enterprise versions prior to 8.1.13 Splunk Enterprise versions prior to 8.2.10 Splunk Enterprise versions prior to 9.0.4 **Description** The issue allows for Cross-Site Scripting (XSS) in an extensible mark-up language (XML) View through the `layoutPanel` attribute in the `module` tag. This affects instances with Splunk Web enabled. **Recommendations** For versions prior to 8.1.13, update to version 8.1.13 or later. For versions prior to 8.2.10, update to version 8.2.10 or later. For versions prior to 9.0.4, update to version 9.0.4 or later.