PT-2024-9365 · Splunk · Splunk Secure Gateway App +1

Danylo Dmytriiev +1 · Published 2024-11-19 · Updated 2025-08-28 · CVE-2024-53247

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions:
Splunk Enterprise versions prior to 9.3.2
Splunk Enterprise versions prior to 9.2.4
Splunk Enterprise versions prior to 9.1.7
Splunk Secure Gateway app versions prior to 3.4.261
Splunk Secure Gateway app versions prior to 3.7.13

Description: A low-privileged user can perform Remote Code Execution (RCE) because the Splunk Secure Gateway app deserializes untrusted data insecurely. The flaw can be exploited by uploading a specially crafted JSON file that is processed by the jsonpickle Python library, allowing an attacker to execute arbitrary code remotely. Over 145,000 results were found using the ZoomEye Dork "app=Splunk Enterprise", indicating a large number of potentially affected devices.

Recommendations:
For Splunk Enterprise versions prior to 9.3.2, update to version 9.3.2 or later.
For Splunk Enterprise versions prior to 9.2.4, update to version 9.2.4 or later.
For Splunk Enterprise versions prior to 9.1.7, update to version 9.1.7 or later.
For Splunk Secure Gateway app versions prior to 3.4.261, update to version 3.4.261 or later.
For Splunk Secure Gateway app versions prior to 3.7.13, update to version 3.7.13 or later.
As a temporary workaround, consider disabling the jsonpickle library until a patch is available.
Restrict access to the Splunk Secure Gateway app to minimize the risk of exploitation.
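
The description above turns on JSON being handed to jsonpickle, which treats object keys beginning with "py/" as type tags telling the decoder what to rebuild. The following is an added example, not code from this advisory or from Splunk: a pre-decode check that parses an upload as plain data with the standard json module and rejects it if any such key is present. The function names, sample field names and example_pkg are hypothetical.

```python
import json

TAG_PREFIX = "py/"  # jsonpickle reserves keys with this prefix for type tags

# Constructed sample uploads; field names and example_pkg are hypothetical.
BENIGN = '{"device": "phone-01", "alerts": [{"id": 7, "title": "disk usage"}]}'
TAGGED = '{"device": "phone-02", "prefs": {"py/object": "example_pkg.Placeholder"}}'
SHADOWED = '{"prefs": {"py/type": "example_pkg.Placeholder"}, "prefs": {}}'


def inspect_upload(text):
    """Parse untrusted JSON as plain data and report jsonpickle tag keys.

    Returns (document, sorted list of distinct tag keys). Only json.loads is
    used, so no tag is ever acted on and no object is instantiated.
    """
    tags = set()

    def record_pairs(pairs):
        # Called once per JSON object, nested ones included, with every
        # key/value pair, so a tag inside a value that a later duplicate key
        # overwrites is still reported.
        for key, _value in pairs:
            if key.startswith(TAG_PREFIX):
                tags.add(key)
        return dict(pairs)

    document = json.loads(text, object_pairs_hook=record_pairs)
    return document, sorted(tags)


def accept_upload(text):
    """Return the parsed document, or raise ValueError if any tag key is present."""
    document, tags = inspect_upload(text)
    if tags:
        raise ValueError("rejected upload, jsonpickle tag keys found: " + ", ".join(tags))
    return document


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("tagged", TAGGED), ("shadowed", SHADOWED)):
        try:
            accept_upload(sample)
            print(name, "accepted")
        except ValueError as err:
            print(name, err)
```

A check like this complements the updates listed above and does not replace them; it is useful mainly for logging and alerting on uploads that carry type tags.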

Fix

RCE

Deserialization of Untrusted Data

Weakness Enumeration

Related Identifiers

BDU:2024-11055
CVE-2024-53247

Affected Products

Splunk Enterprise
Splunk Secure Gateway App