Splunk · Splunk Enterprise · CVE-2026-20251
**Name of the Vulnerable Software and Affected Versions**
Splunk Enterprise versions prior to 10.2.4
Splunk Enterprise versions prior to 10.0.7
Splunk Enterprise versions prior to 9.4.12
Splunk Enterprise versions prior to 9.3.13
Splunk Cloud Platform versions prior to 10.3.2512.12
Splunk Cloud Platform versions prior to 10.2.2510.14
Splunk Cloud Platform versions prior to 10.1.2507.22
Splunk Cloud Platform versions prior to 9.3.2411.132
Splunk Secure Gateway versions prior to 3.10.6
Splunk Secure Gateway versions prior to 3.9.20
Splunk Secure Gateway versions prior to 3.8.67
**Description**
A low-privileged user without 'admin' or 'power' roles can achieve Remote Code Execution (RCE) through the Splunk Secure Gateway app. This is caused by unsafe deserialization of App Key Value Store (KV Store) data using the `jsonpickle` Python library, which allows the reconstruction of arbitrary Python objects from specially crafted JSON without sufficient validation.
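The deserialization risk described above comes from stored JSON that carries jsonpickle's reserved `py/` type tags, which tell the decoder which Python object to rebuild. The following is an added example, not Splunk's code or its fix: a generic check that parses a record with `json.loads` only and rejects it if any such tag is present. The record field names and the class path in the samples are constructed placeholders.

```python
import json

# jsonpickle marks objects to rebuild with reserved keys that share this prefix
# (for example "py/object", "py/reduce", "py/type").
JSONPICKLE_TAG_PREFIX = "py/"


def find_jsonpickle_tags(value, path="$"):
    """Return (path, key) pairs for every jsonpickle tag key in parsed JSON."""
    hits = []
    if isinstance(value, dict):
        for key, child in value.items():
            child_path = f"{path}.{key}"
            if isinstance(key, str) and key.startswith(JSONPICKLE_TAG_PREFIX):
                hits.append((child_path, key))
            hits.extend(find_jsonpickle_tags(child, child_path))
    elif isinstance(value, list):
        for index, child in enumerate(value):
            hits.extend(find_jsonpickle_tags(child, f"{path}[{index}]"))
    return hits


def load_record_as_data(raw):
    """Parse a stored record as plain data; refuse it if it carries type tags."""
    parsed = json.loads(raw)  # yields only dict/list/str/number/bool/None
    hits = find_jsonpickle_tags(parsed)
    if hits:
        raise ValueError(f"record carries jsonpickle type tags: {hits}")
    return parsed


# Constructed sample records (assumed shape, not taken from Splunk Secure Gateway).
PLAIN_RECORD = '{"_key": "device-1", "settings": {"enabled": true, "tags": ["a", "b"]}}'
TAGGED_RECORD = (
    '{"_key": "device-2", "settings": [{"name": "x"}, '
    '{"py/object": "example_pkg.ExampleClass", "value": 1}]}'
)

if __name__ == "__main__":
    print(load_record_as_data(PLAIN_RECORD))
    print(find_jsonpickle_tags(json.loads(TAGGED_RECORD)))
```

The same walker can be run over exported KV Store collections to flag records that contain type tags for review.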
**Recommendations**
Update Splunk Enterprise to versions 10.2.4, 10.0.7, 9.4.12, or 9.3.13 depending on the current release track.
Update Splunk Cloud Platform to versions 10.3.2512.12, 10.2.2510.14, 10.1.2507.22, or 9.3.2411.132 depending on the current release track.
Update Splunk Secure Gateway to versions 3.10.6, 3.9.20, or 3.8.67 depending on the current release track.