Gabriel Nitu

**Name of the Vulnerable Software and Affected Versions** Splunk Enterprise versions prior to 10.2.0, 10.0.4, 9.4.9, and 9.3.10 Splunk Cloud Platform versions prior to 10.2.2510.5, 10.0.2503.12, 10.1.2507.16, and 9.3.2411.124 **Description** A user with a role containing the `edit cmd` capability can execute arbitrary shell commands. This is possible through the `unarchive cmd` parameter of the `/splunkd/ upload/indexing/preview` REST endpoint. The issue stems from inadequate input sanitization, allowing for remote command execution. **Recommendations** Update Splunk Enterprise to version 10.2.0 or later. Update Splunk Cloud Platform to version 10.2.2510.5 or later. Remove the `edit cmd` capability from user roles if an immediate update is not possible.

**Name of the Vulnerable Software and Affected Versions** Splunk Enterprise versions prior to 9.4.1 Splunk Enterprise versions prior to 9.3.3 Splunk Enterprise versions prior to 9.2.5 Splunk Enterprise versions prior to 9.1.8 Splunk Secure Gateway app on Splunk Cloud Platform versions prior to 3.8.38 Splunk Secure Gateway app on Splunk Cloud Platform versions prior to 3.7.23 **Description** A low-privileged user without the `admin` or `power` Splunk roles could edit and delete other user data in App Key Value Store (KVStore) collections created by the Splunk Secure Gateway app. This issue is due to missing access control and incorrect ownership of the data in those KVStore collections, where the `nobody` user owned the data. **Recommendations** For Splunk Enterprise versions prior to 9.4.1, update to version 9.4.1 or later. For Splunk Enterprise versions prior to 9.3.3, update to version 9.3.3 or later. For Splunk Enterprise versions prior to 9.2.5, update to version 9.2.5 or later. For Splunk Enterprise versions prior to 9.1.8, update to version 9.1.8 or later. For Splunk Secure Gateway app on Splunk Cloud Platform versions prior to 3.8.38, update to version 3.8.38 or later. For Splunk Secure Gateway app on Splunk Cloud Platform versions prior to 3.7.23, update to version 3.7.23 or later.

**Name of the Vulnerable Software and Affected Versions** Splunk App for SOAR versions 1.0.67 and lower **Description** The issue is related to improper access control. In the affected versions of the Splunk App for SOAR, the documentation recommended adding the `admin all objects` capability to the `splunk app soar` role. This could lead to improper access control for a low-privileged user that does not hold the "admin" Splunk roles. **Recommendations** For versions 1.0.67 and lower, remove the `admin all objects` capability from the `splunk app soar` role to prevent improper access control. As a temporary workaround, consider restricting the `splunk app soar` role to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Splunk Enterprise versions prior to 9.2.3 Splunk Enterprise versions prior to 9.1.6 Splunk Secure Gateway versions on Splunk Cloud Platform versions prior to 3.4.259 Splunk Secure Gateway versions on Splunk Cloud Platform versions prior to 3.6.17 Splunk Secure Gateway versions on Splunk Cloud Platform versions prior to 3.7.0 **Description** The issue is related to insufficient access control to the Key Value Store (KV Store) in the Splunk Secure Gateway component of the Splunk Enterprise platform for operational analysis. This can allow a low-privileged user without the "admin" or "power" Splunk roles to view App Key Value Store deployment configuration and public/private keys in the Splunk Secure Gateway App. An attacker could exploit this to remotely delete data from the KV Store. **Recommendations** For Splunk Enterprise versions prior to 9.2.3, update to version 9.2.3 or later. For Splunk Enterprise versions prior to 9.1.6, update to version 9.1.6 or later. For Splunk Secure Gateway versions on Splunk Cloud Platform versions prior to 3.4.259, update to version 3.4.259 or later. For Splunk Secure Gateway versions on Splunk Cloud Platform versions prior to 3.6.17, update to version 3.6.17 or later. For Splunk Secure Gateway versions on Splunk Cloud Platform versions prior to 3.7.0, update to version 3.7.0 or later. As a temporary workaround, consider restricting access to the KV Store to minimize the risk of exploitation.