CVE-2024-53244

Name of the Vulnerable Software and Affected Versions Splunk Enterprise versions prior to 9.3.2 Splunk Enterprise versions prior to 9.2.4 Splunk Enterprise versions prior to 9.1.7 Splunk Cloud Platform versions prior to 9.2.2406.107 Splunk Cloud Platform versions prior to 9.2.2403.109 Splunk Cloud Platform versions prior to 9.1.2312.206

Description A low-privileged user without the "admin" or "power" Splunk roles could bypass SPL safeguards for risky commands on the "/en-US/app/search/report" endpoint through the s parameter. This could allow the user to run a saved search with a risky command using the permissions of a higher-privileged user. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser.

Recommendations For Splunk Enterprise versions prior to 9.3.2, update to version 9.3.2 or later. For Splunk Enterprise versions prior to 9.2.4, update to version 9.2.4 or later. For Splunk Enterprise versions prior to 9.1.7, update to version 9.1.7 or later. For Splunk Cloud Platform versions prior to 9.2.2406.107, update to version 9.2.2406.107 or later. For Splunk Cloud Platform versions prior to 9.2.2403.109, update to version 9.2.2403.109 or later. For Splunk Cloud Platform versions prior to 9.1.2312.206, update to version 9.1.2312.206 or later. As a temporary workaround, consider restricting access to the "/en-US/app/search/report" endpoint to minimize the risk of exploitation.