Splunk Cloud Platform
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in Splunk Cloud Platform.
By the Year
In 2025 there have been 0 vulnerabilities in Splunk Cloud Platform. Last year, in 2024 Splunk Cloud Platform had 12 security vulnerabilities published. Right now, Splunk Cloud Platform is on track to have less security vulnerabilities in 2025 than it did last year.
Year | Vulnerabilities | Average Score |
---|---|---|
2025 | 0 | 0.00 |
2024 | 12 | 5.26 |
2023 | 24 | 6.76 |
2022 | 18 | 7.11 |
2021 | 0 | 0.00 |
2020 | 0 | 0.00 |
2019 | 0 | 0.00 |
2018 | 0 | 0.00 |
It may take a day or so for new Splunk Cloud Platform vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Splunk Cloud Platform Security Vulnerabilities
In Splunk Enterprise versions below 9.3.1, and 9.2.0 versions below 9.2.3, and Splunk Cloud Platform versions below 9.2.2403.103, 9.1.2312.200, 9.1.2312.110 and 9.1.2308.208, a low-privileged user
CVE-2024-45732
6.5 - Medium
- October 14, 2024
In Splunk Enterprise versions below 9.3.1, and 9.2.0 versions below 9.2.3, and Splunk Cloud Platform versions below 9.2.2403.103, 9.1.2312.200, 9.1.2312.110 and 9.1.2308.208, a low-privileged user that does not hold the "admin" or "power" Splunk roles could run a search as the "nobody" Splunk user in the SplunkDeploymentServerConfig app. This could let the low-privileged user access potentially restricted data.
AuthZ
In Splunk Enterprise versions below 9.2.3 and 9.1.6 and Splunk Cloud Platform versions below 9.2.2403, a low-privileged user
CVE-2024-45740
5.4 - Medium
- October 14, 2024
In Splunk Enterprise versions below 9.2.3 and 9.1.6 and Splunk Cloud Platform versions below 9.2.2403, a low-privileged user that does not hold the "admin" or "power" Splunk roles could craft a malicious payload through Scheduled Views that could result in execution of unauthorized JavaScript code in the browser of a user.
XSS
In Splunk Enterprise versions below 9.2.3 and 9.1.6 and Splunk Cloud Platform versions below 9.2.2403.108 and 9.1.2312.205, a low-privileged user
CVE-2024-45741
5.4 - Medium
- October 14, 2024
In Splunk Enterprise versions below 9.2.3 and 9.1.6 and Splunk Cloud Platform versions below 9.2.2403.108 and 9.1.2312.205, a low-privileged user that does not hold the "admin" or "power" Splunk roles could create a malicious payload through a custom configuration file that the "api.uri" parameter from the "/manager/search/apps/local" endpoint in Splunk Web calls. This could result in execution of unauthorized JavaScript code in the browser of a user.
XSS
In Splunk Enterprise versions below 9.2.3 and 9.1.6, and Splunk Secure Gateway versions on Splunk Cloud Platform versions below 3.4.259, 3.6.17, and 3.7.0, a low-privileged user
CVE-2024-45735
4.3 - Medium
- October 14, 2024
In Splunk Enterprise versions below 9.2.3 and 9.1.6, and Splunk Secure Gateway versions on Splunk Cloud Platform versions below 3.4.259, 3.6.17, and 3.7.0, a low-privileged user that does not hold the "admin" or "power" Splunk roles can see App Key Value Store (KV Store) deployment configuration and public/private keys in the Splunk Secure Gateway App.
In Splunk Enterprise versions below 9.3.1, 9.2.3, and 9.1.6 and Splunk Cloud Platform versions below 9.2.2403.107, 9.1.2312.204, and 9.1.2312.111, a low-privileged user
CVE-2024-45736
6.5 - Medium
- October 14, 2024
In Splunk Enterprise versions below 9.3.1, 9.2.3, and 9.1.6 and Splunk Cloud Platform versions below 9.2.2403.107, 9.1.2312.204, and 9.1.2312.111, a low-privileged user that does not hold the "admin" or "power" Splunk roles could craft a search query with an improperly formatted "INGEST_EVAL" parameter as part of a [Field Transformation](https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Managefieldtransforms) which could crash the Splunk daemon (splunkd).
In Splunk Enterprise versions below 9.3.1, 9.2.3, and 9.1.6 and Splunk Cloud Platform versions below 9.2.2403.108, and 9.1.2312.204, a low-privileged user
CVE-2024-45737
3.5 - Low
- October 14, 2024
In Splunk Enterprise versions below 9.3.1, 9.2.3, and 9.1.6 and Splunk Cloud Platform versions below 9.2.2403.108, and 9.1.2312.204, a low-privileged user that does not hold the "admin" or "power" Splunk roles could change the maintenance mode state of App Key Value Store (KVStore) through a Cross-Site Request Forgery (CSRF).
Session Riding
In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.2.2403.100, an authenticated, low-privileged user
CVE-2024-36990
6.5 - Medium
- July 01, 2024
In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.2.2403.100, an authenticated, low-privileged user that does not hold the admin or power Splunk roles could send a specially crafted HTTP POST request to the datamodel/web REST endpoint in Splunk Enterprise, potentially causing a denial of service.
Infinite Loop
In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.200 and 9.1.2308.207, a low-privileged user
CVE-2024-36992
5.4 - Medium
- July 01, 2024
In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.200 and 9.1.2308.207, a low-privileged user that does not hold the admin or power Splunk roles could craft a malicious payload through a View that could result in execution of unauthorized JavaScript code in the browser of a user. The url parameter of the Dashboard element does not have proper input validation to reject invalid URLs, which could lead to a Persistent Cross-site Scripting (XSS) exploit.
XSS
In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.200 and 9.1.2308.207, a low-privileged user
CVE-2024-36993
5.4 - Medium
- July 01, 2024
In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.200 and 9.1.2308.207, a low-privileged user that does not hold the admin or power Splunk roles could craft a malicious payload through a Splunk Web Bulletin Messages that could result in execution of unauthorized JavaScript code in the browser of a user.
XSS
In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.200 and 9.1.2308.207, a low-privileged user
CVE-2024-36994
5.4 - Medium
- July 01, 2024
In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.200 and 9.1.2308.207, a low-privileged user that does not hold the admin or power Splunk roles could craft a malicious payload through a View and Splunk Web Bulletin Messages that could result in execution of unauthorized JavaScript code in the browser of a user.
XSS
In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.200 and 9.1.2308.207, a low-privileged user
CVE-2024-36995
3.5 - Low
- July 01, 2024
In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.200 and 9.1.2308.207, a low-privileged user that does not hold the admin or power Splunk roles could create experimental items.
AuthZ
In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.109, an attacker could determine whether or not another user exists on the instance by deciphering the error response
CVE-2024-36996
5.3 - Medium
- July 01, 2024
In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.109, an attacker could determine whether or not another user exists on the instance by deciphering the error response that they would likely receive from the instance when they attempt to log in. This disclosure could then lead to additional brute-force password-guessing attacks. This vulnerability would require that the Splunk platform instance uses the Security Assertion Markup Language (SAML) authentication scheme.
Side Channel Attack
In Splunk Enterprise versions below 8.2.12, 9.0.6, and 9.1.1, an attacker can create an external lookup
CVE-2023-40598
8.8 - High
- August 30, 2023
In Splunk Enterprise versions below 8.2.12, 9.0.6, and 9.1.1, an attacker can create an external lookup that calls a legacy internal function. The attacker can use this internal function to insert code into the Splunk platform installation directory. From there, a user can execute arbitrary code on the Splunk platform Instance.
Missing Authentication for Critical Function
In Splunk Enterprise versions lower than 8.2.12, 9.0.6, and 9.1.1, an attacker can exploit an absolute path traversal to execute arbitrary code
CVE-2023-40597
8.8 - High
- August 30, 2023
In Splunk Enterprise versions lower than 8.2.12, 9.0.6, and 9.1.1, an attacker can exploit an absolute path traversal to execute arbitrary code that is located on a separate disk.
Directory traversal
In Splunk Enterprise versions lower than 8.2.12, 9.0.6, and 9.1.1, an attacker can execute a specially crafted query
CVE-2023-40595
8.8 - High
- August 30, 2023
In Splunk Enterprise versions lower than 8.2.12, 9.0.6, and 9.1.1, an attacker can execute a specially crafted query that they can then use to serialize untrusted data. The attacker can use the query to execute arbitrary code.
Marshaling, Unmarshaling
In Splunk Enterprise versions lower than 8.2.12, 9.0.6, and 9.1.1, an attacker
CVE-2023-40594
7.5 - High
- August 30, 2023
In Splunk Enterprise versions lower than 8.2.12, 9.0.6, and 9.1.1, an attacker can use the `printf` SPL function to perform a denial of service (DoS) against the Splunk Enterprise instance.
In Splunk Enterprise versions lower than 9.0.6 and 8.2.12, a malicious actor can send a malformed security assertion markup language (SAML) request to the `/saml/acs` REST endpoint
CVE-2023-40593
7.5 - High
- August 30, 2023
In Splunk Enterprise versions lower than 9.0.6 and 8.2.12, a malicious actor can send a malformed security assertion markup language (SAML) request to the `/saml/acs` REST endpoint which can cause a denial of service through a crash or hang of the Splunk daemon.
In Splunk Enterprise versions below 9.1.1, 9.0.6, and 8.2.12, an attacker can craft a special web request
CVE-2023-40592
6.1 - Medium
- August 30, 2023
In Splunk Enterprise versions below 9.1.1, 9.0.6, and 8.2.12, an attacker can craft a special web request that can result in reflected cross-site scripting (XSS) on the /app/search/table web endpoint. Exploitation of this vulnerability can lead to the execution of arbitrary commands on the Splunk platform instance.
XSS
On Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, an unauthenticated attacker
CVE-2023-32706
6.5 - Medium
- June 01, 2023
On Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, an unauthenticated attacker can send specially-crafted messages to the XML parser within SAML authentication to cause a denial of service in the Splunk daemon.
XXE
In versions of Splunk Enterprise below 9.0.5, 8.2.11, and 8.1.14, and Splunk Cloud Platform below version 9.0.2303.100, a low-privileged user who holds a role
CVE-2023-32707
8.8 - High
- June 01, 2023
In versions of Splunk Enterprise below 9.0.5, 8.2.11, and 8.1.14, and Splunk Cloud Platform below version 9.0.2303.100, a low-privileged user who holds a role that has the edit_user capability assigned to it can escalate their privileges to that of the admin user by providing specially crafted web requests.
In Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, and Splunk Cloud Platform versions below 9.0.2303.100, a low-privileged user can trigger an HTTP response splitting vulnerability with the rest SPL command
CVE-2023-32708
8.8 - High
- June 01, 2023
In Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, and Splunk Cloud Platform versions below 9.0.2303.100, a low-privileged user can trigger an HTTP response splitting vulnerability with the rest SPL command that lets them potentially access other REST endpoints in the system arbitrarily.
Interpretation Conflict
In Splunk Enterprise versions below 9.0.5, 8.2.11
CVE-2023-32709
4.3 - Medium
- June 01, 2023
In Splunk Enterprise versions below 9.0.5, 8.2.11. and 8.1.14, and Splunk Cloud Platform versions below 9.0.2303.100, a low-privileged user who holds the user role can see the hashed version of the initial user name and password for the Splunk instance by using the rest SPL command against the conf-user-seed REST endpoint.
In Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, and in Splunk Cloud Platform versions below 9.0.2303.100, a low-privileged user can perform an unauthorized transfer of data from a search using the copyresults command if they know the search ID (SID) of a search job
CVE-2023-32710
5.3 - Medium
- June 01, 2023
In Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, and in Splunk Cloud Platform versions below 9.0.2303.100, a low-privileged user can perform an unauthorized transfer of data from a search using the copyresults command if they know the search ID (SID) of a search job that has recently run.
In Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, and Splunk Cloud Platform versions below 9.0.2303.100, an attacker
CVE-2023-32716
6.5 - Medium
- June 01, 2023
In Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, and Splunk Cloud Platform versions below 9.0.2303.100, an attacker can exploit a vulnerability in the {{dump}} SPL command to cause a denial of service by crashing the Splunk daemon.
Improper Check for Unusual or Exceptional Conditions
On Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, and in Splunk Cloud Platform versions below 9.0.2303.100, an unauthorized user
CVE-2023-32717
4.3 - Medium
- June 01, 2023
On Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, and in Splunk Cloud Platform versions below 9.0.2303.100, an unauthorized user can access the {{/services/indexing/preview}} REST endpoint to overwrite search results if they know the search ID (SID) of an existing search job.
In Splunk Enterprise versions below 8.1.13 and 8.2.10
CVE-2023-22931
4.3 - Medium
- February 14, 2023
In Splunk Enterprise versions below 8.1.13 and 8.2.10, the createrss external search command overwrites existing Resource Description Format Site Summary (RSS) feeds without verifying permissions. This feature has been deprecated and disabled by default.
Incorrect Default Permissions
In Splunk Enterprise versions below 8.1.13
CVE-2023-22937
4.3 - Medium
- February 14, 2023
In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the lookup table upload feature let a user upload lookup tables with unnecessary filename extensions. Lookup table file extensions may now be one of the following only: .csv, .csv.gz, .kmz, .kml, .mmdb, or .mmdb.gzl.
Unrestricted File Upload
In Splunk Enterprise 9.0 versions before 9.0.4, a View
CVE-2023-22932
6.1 - Medium
- February 14, 2023
In Splunk Enterprise 9.0 versions before 9.0.4, a View allows for Cross-Site Scripting (XSS) through the error message in a Base64-encoded image. The vulnerability affects instances with Splunk Web enabled. It does not affect Splunk Enterprise versions below 9.0.
XSS
In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, a View
CVE-2023-22933
6.1 - Medium
- February 14, 2023
In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, a View allows for Cross-Site Scripting (XSS) in an extensible mark-up language (XML) View through the layoutPanel attribute in the module tag.
XSS
In Splunk Enterprise versions below 8.1.13
CVE-2023-22934
8 - High
- February 14, 2023
In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the pivot search processing language (SPL) command lets a search bypass SPL safeguards for risky commands using a saved search job. The vulnerability requires an authenticated user to craft the saved job and a higher privileged user to initiate a request within their browser.
In Splunk Enterprise versions below 8.1.13
CVE-2023-22935
8.8 - High
- February 14, 2023
In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the display.page.search.patterns.sensitivity search parameter lets a search bypass SPL safeguards for risky commands. The vulnerability requires a higher privileged user to initiate a request within their browser and only affects instances with Splunk Web enabled.
Command Injection
In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the search_listener parameter in a search
CVE-2023-22936
6.3 - Medium
- February 14, 2023
In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the search_listener parameter in a search allows for a blind server-side request forgery (SSRF) by an authenticated user. The initiator of the request cannot see the response without the presence of an additional vulnerability within the environment.
SSRF
In Splunk Enterprise versions below 8.1.13
CVE-2023-22938
4.3 - Medium
- February 14, 2023
In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the sendemail REST API endpoint lets any authenticated user send an email as the Splunk instance. The endpoint is now restricted to the splunk-system-user account on the local instance.
In Splunk Enterprise versions below 8.1.13
CVE-2023-22939
8.8 - High
- February 14, 2023
In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the map search processing language (SPL) command lets a search bypass SPL safeguards for risky commands. The vulnerability requires a higher privileged user to initiate a request within their browser and only affects instances with Splunk Web enabled.
In Splunk Enterprise versions below 8.1.13
CVE-2023-22940
5.7 - Medium
- February 14, 2023
In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, aliases of the collect search processing language (SPL) command, including summaryindex, sumindex, stash, mcollect, and meventcollect, were not designated as safeguarded commands. The commands could potentially allow for the exposing of data to a summary index that unprivileged users could access. The vulnerability requires a higher privileged user to initiate a request within their browser, and only affects instances with Splunk Web enabled.
In Splunk Enterprise versions below 8.1.13
CVE-2023-22941
7.5 - High
- February 14, 2023
In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, an improperly-formatted INGEST_EVAL parameter in a Field Transformation crashes the Splunk daemon (splunkd).
In Splunk Enterprise versions below 8.1.12, 8.2.9, and 9.0.2, an authenticated user can perform an extensible markup language (XML) external entity (XXE) injection
CVE-2022-43570
6.5 - Medium
- November 04, 2022
In Splunk Enterprise versions below 8.1.12, 8.2.9, and 9.0.2, an authenticated user can perform an extensible markup language (XML) external entity (XXE) injection via a custom View. The XXE injection causes Splunk Web to embed incorrect documents into an error.
XXE
In Splunk Enterprise versions below 8.1.12, 8.2.9, and 9.0.2, a View
CVE-2022-43568
6.1 - Medium
- November 04, 2022
In Splunk Enterprise versions below 8.1.12, 8.2.9, and 9.0.2, a View allows for a Reflected Cross Site Scripting via JavaScript Object Notation (JSON) in a query parameter when output_mode=radio.
XSS
In Splunk Enterprise versions below 8.2.9, 8.1.12, and 9.0.2, an authenticated user
CVE-2022-43566
8 - High
- November 04, 2022
In Splunk Enterprise versions below 8.2.9, 8.1.12, and 9.0.2, an authenticated user can run risky commands using a more privileged users permissions to bypass SPL safeguards for risky commands https://docs.splunk.com/Documentation/SplunkCloud/latest/Security/SPLsafeguards in the Analytics Workspace. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The attacker cannot exploit the vulnerability at will.
Improper Input Validation
In Splunk Enterprise versions below 8.2.9 and 8.1.12, the way
CVE-2022-43565
8.8 - High
- November 04, 2022
In Splunk Enterprise versions below 8.2.9 and 8.1.12, the way that the tstats command handles Javascript Object Notation (JSON) lets an attacker bypass SPL safeguards for risky commands https://docs.splunk.com/Documentation/SplunkCloud/latest/Security/SPLsafeguards . The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser.
In Splunk Enterprise versions below 8.1.12, 8.2.9, and 9.0.2, a remote user who
CVE-2022-43564
6.5 - Medium
- November 04, 2022
In Splunk Enterprise versions below 8.1.12, 8.2.9, and 9.0.2, a remote user who can create search macros and schedule search reports can cause a denial of service through the use of specially crafted search macros.
Resource Exhaustion
In Splunk Enterprise versions below 8.2.9 and 8.1.12, the way
CVE-2022-43563
8.8 - High
- November 04, 2022
In Splunk Enterprise versions below 8.2.9 and 8.1.12, the way that the rex search command handles field names lets an attacker bypass SPL safeguards for risky commands https://docs.splunk.com/Documentation/SplunkCloud/latest/Security/SPLsafeguards . The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The attacker cannot exploit the vulnerability at will.
In Splunk Enterprise versions below 8.2.9
CVE-2022-43572
6.5 - Medium
- November 04, 2022
In Splunk Enterprise versions below 8.2.9, 8.1.12, and 9.0.2, sending a malformed file through the Splunk-to-Splunk (S2S) or HTTP Event Collector (HEC) protocols to an indexer results in a blockage or denial-of-service preventing further indexing.
Code Injection
In Splunk Enterprise versions below 8.1.12, 8.2.9, and 9.0.2, an authenticated user can inject and store arbitrary scripts
CVE-2022-43569
5.4 - Medium
- November 04, 2022
In Splunk Enterprise versions below 8.1.12, 8.2.9, and 9.0.2, an authenticated user can inject and store arbitrary scripts that can lead to persistent cross-site scripting (XSS) in the object name of a Data Model.
XSS
In Splunk Enterprise versions below 8.2.9, 8.1.12, and 9.0.2, an authenticated user
CVE-2022-43567
8.8 - High
- November 04, 2022
In Splunk Enterprise versions below 8.2.9, 8.1.12, and 9.0.2, an authenticated user can run arbitrary operating system commands remotely through the use of specially crafted requests to the mobile alerts feature in the Splunk Secure Gateway app.
Marshaling, Unmarshaling
In Splunk Enterprise versions below 8.1.12, 8.2.9, and 9.0.2, Splunk Enterprise fails to properly validate and escape the Host header
CVE-2022-43562
5.4 - Medium
- November 04, 2022
In Splunk Enterprise versions below 8.1.12, 8.2.9, and 9.0.2, Splunk Enterprise fails to properly validate and escape the Host header, which could let a remote authenticated user conduct various attacks against the system, including cross-site scripting and cache poisoning.
Injection
In Splunk Enterprise versions below 8.2.9, 8.1.12, and 9.0.2, an authenticated user
CVE-2022-43571
8.8 - High
- November 03, 2022
In Splunk Enterprise versions below 8.2.9, 8.1.12, and 9.0.2, an authenticated user can execute arbitrary code through the dashboard PDF generation component.
Code Injection
In Splunk Enterprise versions below 8.1.12, 8.2.9, and 9.0.2, a remote user
CVE-2022-43561
4.8 - Medium
- November 03, 2022
In Splunk Enterprise versions below 8.1.12, 8.2.9, and 9.0.2, a remote user that holds the power Splunk role can store arbitrary scripts that can lead to persistent cross-site scripting (XSS). The vulnerability affects instances with Splunk Web enabled.
XSS
In Splunk Enterprise versions in the following table, an authenticated user can craft a dashboard
CVE-2022-37438
3.5 - Low
- August 16, 2022
In Splunk Enterprise versions in the following table, an authenticated user can craft a dashboard that could potentially leak information (for example, username, email, and real name) about Splunk users, when visited by another user through the drilldown component. The vulnerability requires user access to create and share dashboards using Splunk Web.
In universal forwarder versions before 9.0, management services are available remotely by default
CVE-2022-32155
7.5 - High
- June 15, 2022
In universal forwarder versions before 9.0, management services are available remotely by default. When not required, it introduces a potential exposure, but it is not a vulnerability. If exposed, we recommend each customer assess the potential severity specific to your environment. In 9.0, the universal forwarder now binds the management port to localhost preventing remote logins by default. If management services are not required in versions before 9.0, set disableDefaultPort = true in server.conf OR allowRemoteLogin = never in server.conf OR mgmtHostPort = localhost in web.conf. See Configure universal forwarder management security (https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/EnableTLSCertHostnameValidation#Configure_universal_forwarder_management_security) for more information on disabling the remote management services.
Incorrect Permission Assignment for Critical Resource
The httplib and urllib Python libraries
CVE-2022-32151
9.1 - Critical
- June 15, 2022
The httplib and urllib Python libraries that Splunk shipped with Splunk Enterprise did not validate certificates using the certificate authority (CA) certificate stores by default in Splunk Enterprise versions before 9.0 and Splunk Cloud Platform versions before 8.2.2203. Python 3 client libraries now verify server certificates by default and use the appropriate CA certificate stores for each library. Apps and add-ons that include their own HTTP libraries are not affected. For Splunk Enterprise, update to Splunk Enterprise version 9.0 and Configure TLS host name validation for Splunk-to-Splunk communications (https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/EnableTLSCertHostnameValidation) to enable the remediation.
Improper Certificate Validation
Splunk Enterprise peers in Splunk Enterprise versions before 9.0 and Splunk Cloud Platform versions before 8.2.2203 did not validate the TLS certificates during Splunk-to-Splunk communications by default
CVE-2022-32152
7.2 - High
- June 15, 2022
Splunk Enterprise peers in Splunk Enterprise versions before 9.0 and Splunk Cloud Platform versions before 8.2.2203 did not validate the TLS certificates during Splunk-to-Splunk communications by default. Splunk peer communications configured properly with valid certificates were not vulnerable. However, an attacker with administrator credentials could add a peer without a valid certificate and connections from misconfigured nodes without valid certificates did not fail by default. For Splunk Enterprise, update to Splunk Enterprise version 9.0 and Configure TLS host name validation for Splunk-to-Splunk communications (https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/EnableTLSCertHostnameValidation) to enable the remediation.
Improper Certificate Validation
Splunk Enterprise peers in Splunk Enterprise versions before 9.0 and Splunk Cloud Platform versions before 8.2.2203 did not validate the TLS certificates during Splunk-to-Splunk communications by default
CVE-2022-32153
8.1 - High
- June 15, 2022
Splunk Enterprise peers in Splunk Enterprise versions before 9.0 and Splunk Cloud Platform versions before 8.2.2203 did not validate the TLS certificates during Splunk-to-Splunk communications by default. Splunk peer communications configured properly with valid certificates were not vulnerable. However, an attacker with administrator credentials could add a peer without a valid certificate and connections from misconfigured nodes without valid certificates did not fail by default. For Splunk Enterprise, update to Splunk Enterprise version 9.0 and Configure TLS host name validation for Splunk-to-Splunk communications (https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/EnableTLSCertHostnameValidation) to enable the remediation.
Improper Certificate Validation
Dashboards in Splunk Enterprise versions before 9.0 might let an attacker inject risky search commands into a form token when the token is used in a query in a cross-origin request
CVE-2022-32154
8.1 - High
- June 15, 2022
Dashboards in Splunk Enterprise versions before 9.0 might let an attacker inject risky search commands into a form token when the token is used in a query in a cross-origin request. The result bypasses SPL safeguards for risky commands. See New capabilities can limit access to some custom and potentially risky commands (https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/SPLsafeguards#New_capabilities_can_limit_access_to_some_custom_and_potentially_risky_commands) for more information. Note that the attack is browser-based and an attacker cannot exploit it at will.
Command Injection
Stay on top of Security Vulnerabilities
Want an email whenever new vulnerabilities are published for Splunk Cloud Platform or by Splunk? Click the Watch button to subscribe.