PT-2026-42213 · Splunk · Splunk Enterprise+1
CVSS v3.1
6.5
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
Splunk Enterprise versions prior to 10.2.2
Splunk Enterprise versions prior to 10.0.5
Splunk Enterprise versions prior to 9.4.11
Splunk Enterprise versions prior to 9.3.12
Splunk Cloud Platform versions prior to 10.4.2603.1
Splunk Cloud Platform versions prior to 10.3.2512.9
Splunk Cloud Platform versions prior to 10.2.2510.11
Splunk Cloud Platform versions prior to 10.1.2507.21
Splunk Cloud Platform versions prior to 10.0.2503.13
Splunk Cloud Platform versions prior to 9.3.2411.129
Description
A low-privileged user without 'admin' or 'power' roles can cause a Denial of Service by exploiting the
coldToFrozen.sh script within the splunk archiver app. The issue stems from missing input validation in the coldToFrozen.sh script, which allows the acceptance of arbitrary file paths and the renaming of critical directories, rendering the instance non-functional.Recommendations
Update Splunk Enterprise to version 10.2.2, 10.0.5, 9.4.11, or 9.3.12 depending on the current release track.
Update Splunk Cloud Platform to version 10.4.2603.1, 10.3.2512.9, 10.2.2510.11, 10.1.2507.21, 10.0.2503.13, or 9.3.2411.129 depending on the current release track.
As a temporary workaround, restrict access to the
coldToFrozen.sh script in the splunk archiver app.Fix
DoS
RCE
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Splunk Cloud Platform
Splunk Enterprise