Splunk SG KVStore Low-Priv Edit Pre-9.4.1 (CVE-2025-20230)
CVE-2025-20230 Published on March 26, 2025
Missing Access Control and Incorrect Ownership of Data in App Key Value Store (KVStore) collections in the Splunk Secure Gateway App
In Splunk Enterprise versions below 9.4.1, 9.3.3, 9.2.5, and 9.1.8, and versions below 3.8.38 and 3.7.23 of the Splunk Secure Gateway app on Splunk Cloud Platform, a low-privileged user that does not hold the admin or power Splunk roles could edit and delete other user data in App Key Value Store (KVStore) collections that the Splunk Secure Gateway app created. This is due to missing access control and incorrect ownership of the data in those KVStore collections.<br><br>In the affected versions, the `nobody` user owned the data in the KVStore collections. This meant that there was no specific owner assigned to the data in those collections.
Weakness Type
What is an Authorization Vulnerability?
The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CVE-2025-20230 has been classified to as an Authorization vulnerability or weakness.
Products Associated with CVE-2025-20230
stack.watch emails you whenever new vulnerabilities are published in Splunk or Splunk Secure Gateway. Just hit a watch button to start following.
Affected Versions
Splunk Enterprise:- Version 9.4 and below 9.4.1 is affected.
- Version 9.3 and below 9.3.3 is affected.
- Version 9.2 and below 9.2.5 is affected.
- Version 9.1 and below 9.1.8 is affected.
- Version 3.8 and below 3.8.38 is affected.
- Version 3.7 and below 3.7.23 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.