Splunk Enterprise SAML user enumeration (before 9.2.2)
CVE-2024-36996 Published on July 1, 2024
Information Disclosure of user names
In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.109, an attacker could determine whether or not another user exists on the instance by deciphering the error response that they would likely receive from the instance when they attempt to log in. This disclosure could then lead to additional brute-force password-guessing attacks. This vulnerability would require that the Splunk platform instance uses the Security Assertion Markup Language (SAML) authentication scheme.
Weakness Type
Observable Response Discrepancy
The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere. This issue frequently occurs during authentication, where a difference in failed-login messages could allow an attacker to determine if the username is valid or not. These exposures can be inadvertent (bug) or intentional (design).
Products Associated with CVE-2024-36996
stack.watch emails you whenever new vulnerabilities are published in Splunk or Splunk Cloud Platform. Just hit a watch button to start following.
Affected Versions
Splunk Enterprise:- Version 9.2 and below 9.2.2 is affected.
- Version 9.1 and below 9.1.5 is affected.
- Version 9.0 and below 9.0.10 is affected.
- Version 9.1.2312 and below 9.1.2312.109 is affected.
- Version 9.2 and below 9.2.2 is affected.
- Version 9.1 and below 9.1.5 is affected.
- Version 9.0 and below 9.0.10 is affected.
- Version 9.1.2312 and below 9.1.2312.109 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.