MidnightBSD

Advisories for splunk

CVE-2010-2429 MEDIUM

Cross-site scripting (XSS) vulnerability in Splunk 4.0 through 4.1.2, when Internet Explorer is used, allows remote attackers to inject arbitrary web script or HTML via the HTTP Referer in a "404 Not Found" response.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
splunk splunk 4.0.8
splunk splunk 4.1
splunk splunk 4.0
splunk splunk 4.0.6
splunk splunk 4.0.11
splunk splunk 4.0.9
splunk splunk 4.0.5
splunk splunk 4.0.3
splunk splunk 4.1.1
splunk splunk 4.0.4
splunk splunk 4.0.7
splunk splunk 4.0.1
splunk splunk 4.1.2
splunk splunk 4.0.10
splunk splunk 4.0.2
CVE-2010-2502 HIGH

Multiple directory traversal vulnerabilities in Splunk 4.0 through 4.0.10 and 4.1 through 4.1.1 allow (1) remote attackers to read arbitrary files, aka SPL-31194; (2) remote authenticated users to modify arbitrary files, aka SPL-31063; or (3) have an unknown impact via redirects, aka SPL-31067.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-22,

Products Affected

Vendor Product Version
splunk splunk 4.0.8
splunk splunk 4.1
splunk splunk 4.0
splunk splunk 4.0.6
splunk splunk 4.0.9
splunk splunk 4.0.5
splunk splunk 4.0.3
splunk splunk 4.1.1
splunk splunk 4.0.4
splunk splunk 4.0.7
splunk splunk 4.0.1
splunk splunk 4.0.10
splunk splunk 4.0.2
CVE-2010-2503 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in Splunk 4.0 through 4.0.10 and 4.1 through 4.1.1 allow remote attackers to inject arbitrary web script or HTML via (1) redirects, aka SPL-31067; (2) unspecified "user->user or user->admin" vectors, aka SPL-31084; or (3) unspecified "user input," aka SPL-31085.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
splunk splunk 4.0.8
splunk splunk 4.1
splunk splunk 4.0
splunk splunk 4.0.6
splunk splunk 4.0.9
splunk splunk 4.0.5
splunk splunk 4.0.3
splunk splunk 4.1.1
splunk splunk 4.0.4
splunk splunk 4.0.7
splunk splunk 4.0.1
splunk splunk 4.0.10
splunk splunk 4.0.2
CVE-2010-2504 MEDIUM

Splunk 4.0 through 4.0.10 and 4.1 through 4.1.1 allows remote authenticated users to obtain sensitive information via HTTP header injection, aka SPL-31066.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
splunk splunk 4.0.8
splunk splunk 4.1
splunk splunk 4.0
splunk splunk 4.0.6
splunk splunk 4.0.9
splunk splunk 4.0.5
splunk splunk 4.0.3
splunk splunk 4.1.1
splunk splunk 4.0.4
splunk splunk 4.0.7
splunk splunk 4.0.1
splunk splunk 4.0.10
splunk splunk 4.0.2
CVE-2010-3322 MEDIUM

The XML parser in Splunk 4.0.0 through 4.1.4 allows remote authenticated users to obtain sensitive information and gain privileges via an XML External Entity (XXE) attack to unknown vectors.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-611,

Products Affected

Vendor Product Version
splunk splunk *
CVE-2010-3323 MEDIUM

Splunk 4.0.0 through 4.1.4 allows remote attackers to conduct session hijacking attacks and obtain the splunkd session key via vectors related to the SPLUNKD_SESSION_KEY parameter.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
splunk splunk 4.0.8
splunk splunk 4.1
splunk splunk 4.0
splunk splunk 4.1.3
splunk splunk 4.0.6
splunk splunk 4.0.11
splunk splunk 4.0.9
splunk splunk 4.0.5
splunk splunk 4.1.4
splunk splunk 4.0.3
splunk splunk 4.1.1
splunk splunk 4.0.4
splunk splunk 4.0.7
splunk splunk 4.0.1
splunk splunk 4.1.2
splunk splunk 4.0.10
splunk splunk 4.0.2
CVE-2011-4642 MEDIUM

mappy.py in Splunk Web in Splunk 4.2.x before 4.2.5 does not properly restrict use of the mappy command to access Python classes, which allows remote authenticated administrators to execute arbitrary code by leveraging the sys module in a request to the search application, as demonstrated by a cross-site request forgery (CSRF) attack, aka SPL-45172.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
splunk splunk 4.2.4
splunk splunk 4.2
splunk splunk 4.2.3
splunk splunk 4.2.2
splunk splunk 4.2.1
CVE-2011-4643 MEDIUM

Multiple directory traversal vulnerabilities in Splunk 4.x before 4.2.5 allow remote authenticated users to read arbitrary files via a .. (dot dot) in a URI to (1) Splunk Web or (2) the Splunkd HTTP Server, aka SPL-45243.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22,

Products Affected

Vendor Product Version
splunk splunk 4.0
splunk splunk 4.1.6
splunk splunk 4.2.4
splunk splunk 4.1.5
splunk splunk 4.1.3
splunk splunk 4.2
splunk splunk 4.0.6
splunk splunk 4.0.3
splunk splunk 4.0.7
splunk splunk 4.2.2
splunk splunk 4.0.2
splunk splunk 4.1.7
splunk splunk 4.0.8
splunk splunk 4.1
splunk splunk 4.1.8
splunk splunk 4.0.11
splunk splunk 4.0.9
splunk splunk 4.0.5
splunk splunk 4.1.4
splunk splunk 4.1.1
splunk splunk 4.0.4
splunk splunk 4.2.3
splunk splunk 4.0.1
splunk splunk 4.1.2
splunk splunk 4.0.10
splunk splunk 4.2.1
CVE-2011-4644 HIGH

Splunk 4.2.5 and earlier, when a Free license is selected, enables potentially undesirable functionality within an environment that intentionally does not support authentication, which allows remote attackers to (1) read arbitrary files via a management-console session that leverages the ability to create crafted data sources, or (2) execute management commands via an HTTP request.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-287,

Products Affected

Vendor Product Version
splunk splunk 4.0
splunk splunk 4.2.4
splunk splunk 2.2.1
splunk splunk 3.1.3
splunk splunk 4.2
splunk splunk 2.1
splunk splunk 3.1
splunk splunk 3.0.1
splunk splunk 4.0.3
splunk splunk 4.0.7
splunk splunk 3.4.6
splunk splunk 4.2.2
splunk splunk 3.0.2
splunk splunk 3.3.1
splunk splunk 3.4.1
splunk splunk 3.4.2
splunk splunk 4.1.8
splunk splunk 3.4.5
splunk splunk 3.3.4
splunk splunk 3.4
splunk splunk 3.4.14
splunk splunk 3.0
splunk splunk 4.0.11
splunk splunk *
splunk splunk 4.0.5
splunk splunk 3.2.6
splunk splunk 3.2.3
splunk splunk 4.1.1
splunk splunk 4.0.4
splunk splunk 3.2.1
splunk splunk 4.2.3
splunk splunk 4.1.2
splunk splunk 3.2.5
splunk splunk 3.4.10
splunk splunk 3.3.2
splunk splunk 4.1.6
splunk splunk 4.1.5
splunk splunk 2.2.3
splunk splunk 3.3.3
splunk splunk 4.1.3
splunk splunk 3.2.4
splunk splunk 4.0.6
splunk splunk 3.2
splunk splunk 3.4.13
splunk splunk 3.1.2
splunk splunk 3.4.9
splunk splunk 4.0.2
splunk splunk 4.1.7
splunk splunk 3.1.4
splunk splunk 4.0.8
splunk splunk 4.1
splunk splunk 2.2.6
splunk splunk 3.4.12
splunk splunk 3.1.1
splunk splunk 3.4.8
splunk splunk 4.0.9
splunk splunk 3.2.2
splunk splunk 4.1.4
splunk splunk 3.3
splunk splunk 2.2
splunk splunk 4.0.1
splunk splunk 4.0.10
splunk splunk 3.4.11
splunk splunk 3.4.3
splunk splunk 4.2.1
CVE-2011-4778 MEDIUM

Cross-site scripting (XSS) vulnerability in Splunk Web in Splunk 4.2.x before 4.2.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka SPL-44614.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
splunk splunk 4.2.4
splunk splunk 4.2
splunk splunk 4.2.3
splunk splunk 4.2.2
splunk splunk 4.2.1
CVE-2012-6447 MEDIUM

Cross-site scripting (XSS) vulnerability in Splunk Web in Splunk 5.0.0 through 5.0.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
splunk splunk 5.0
splunk splunk 5.0.1
splunk splunk 5.0.2
CVE-2013-2766 MEDIUM

Cross-site scripting (XSS) vulnerability in Splunk Web in Splunk 4.3.0 through 4.3.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
splunk splunk 4.3.4
splunk splunk 4.3.1
splunk splunk 4.3
splunk splunk 4.3.3
splunk splunk 4.3.5
splunk splunk 4.3.2
CVE-2013-6771 HIGH

Directory traversal vulnerability in the collect script in Splunk before 5.0.5 allows remote attackers to execute arbitrary commands via a .. (dot dot) in the file parameter. NOTE: this issue was SPLIT per ADT2 due to different vulnerability types. CVE-2013-7394 is for the issue in the "runshellscript echo.sh" script.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-22,

Products Affected

Vendor Product Version
splunk splunk 5.0
splunk splunk 5.0.1
splunk splunk 5.0.3
splunk splunk *
splunk splunk 5.0.2
CVE-2013-6772 MEDIUM

Splunk before 5.0.4 lacks X-Frame-Options which can allow Clickjacking

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N 2.8 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-1021,

Products Affected

Vendor Product Version
splunk splunk *
CVE-2013-6773 MEDIUM

Splunk 5.0.3 has an Unquoted Service Path in Windows for Universal Forwarder which can allow an attacker to escalate privileges

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-269,

Products Affected

Vendor Product Version
splunk splunk *
CVE-2013-6870 MEDIUM

Cross-site scripting (XSS) vulnerability in Splunk Web in Splunk before 5.0.6 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
splunk splunk 4.3.4
splunk splunk 4.0
splunk splunk 4.2.4
splunk splunk 2.2.1
splunk splunk 5.0.4
splunk splunk 3.1.3
splunk splunk 4.2
splunk splunk 2.1
splunk splunk 5.0.2
splunk splunk 3.1
splunk splunk 5.0
splunk splunk 5.0.1
splunk splunk 3.0.1
splunk splunk 4.0.3
splunk splunk 4.0.7
splunk splunk 3.4.6
splunk splunk 4.2.2
splunk splunk 3.0.2
splunk splunk 3.3.1
splunk splunk 3.4.1
splunk splunk 3.4.2
splunk splunk 5.0.3
splunk splunk 4.1.8
splunk splunk 3.4.5
splunk splunk 4.3.3
splunk splunk 3.3.4
splunk splunk 3.4
splunk splunk 3.4.14
splunk splunk 3.0
splunk splunk 4.0.11
splunk splunk *
splunk splunk 4.0.5
splunk splunk 3.2.6
splunk splunk 3.2.3
splunk splunk 4.3.1
splunk splunk 4.1.1
splunk splunk 4.0.4
splunk splunk 3.2.1
splunk splunk 4.2.3
splunk splunk 4.1.2
splunk splunk 3.2.5
splunk splunk 4.3.2
splunk splunk 3.4.10
splunk splunk 3.3.2
splunk splunk 4.1.6
splunk splunk 4.1.5
splunk splunk 2.2.3
splunk splunk 3.3.3
splunk splunk 4.1.3
splunk splunk 4.3.5
splunk splunk 3.2.4
splunk splunk 4.0.6
splunk splunk 4.3.6
splunk splunk 4.2.5
splunk splunk 3.2
splunk splunk 3.4.13
splunk splunk 3.1.2
splunk splunk 3.4.9
splunk splunk 4.0.2
splunk splunk 4.1.7
splunk splunk 3.1.4
splunk splunk 4.0.8
splunk splunk 4.1
splunk splunk 2.2.6
splunk splunk 3.4.12
splunk splunk 3.1.1
splunk splunk 3.4.8
splunk splunk 4.0.9
splunk splunk 4.3.7
splunk splunk 3.2.2
splunk splunk 4.1.4
splunk splunk 3.3
splunk splunk 4.3
splunk splunk 4.2.
splunk splunk 2.2
splunk splunk 4.0.1
splunk splunk 4.0.10
splunk splunk 3.4.11
splunk splunk 3.4.3
splunk splunk 4.2.1
CVE-2013-7394 HIGH

The "runshellscript echo.sh" script in Splunk before 5.0.5 allows remote authenticated users to execute arbitrary commands via a crafted string. NOTE: this issue was SPLIT from CVE-2013-6771 per ADT2 due to different vulnerability types.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-94,

Products Affected

Vendor Product Version
splunk splunk 5.0
splunk splunk 5.0.1
splunk splunk 5.0.3
splunk splunk *
splunk splunk 5.0.2
CVE-2014-0160 MEDIUM

The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,CWE-125,

Products Affected

Vendor Product Version
siemens cp_1543-1_firmware 1.1
intellian v100_firmware 1.20
broadcom symantec_messaging_gateway 10.6.0
canonical ubuntu_linux 12.10
siemens elan-8.2 *
mitel mivoice 1.1.2.5
mitel mivoice 1.3.2.2
redhat enterprise_linux_desktop 6.0
mitel micollab 7.1
opensuse opensuse 12.3
mitel micollab 7.3.0.104
siemens wincc_open_architecture 3.12
intellian v100_firmware 1.21
debian debian_linux 6.0
fedoraproject fedora 20
redhat enterprise_linux_server_eus 6.5
intellian v100_firmware 1.24
opensuse opensuse 13.1
redhat enterprise_linux_server 6.0
mitel mivoice 1.1.3.3
mitel micollab 7.0
fedoraproject fedora 19
redhat enterprise_linux_server_tus 6.5
redhat gluster_storage 2.1
mitel micollab 6.0
intellian v60_firmware 1.25
mitel micollab 7.2
redhat enterprise_linux_workstation 6.0
debian debian_linux 7.0
canonical ubuntu_linux 12.04
siemens simatic_s7-1500t_firmware 1.5
mitel mivoice 1.2.0.11
siemens simatic_s7-1500_firmware 1.5
splunk splunk *
intellian v60_firmware 1.15
debian debian_linux 8.0
mitel micollab 7.3
mitel mivoice 1.4.0.102
redhat storage 2.1
openssl openssl *
filezilla-project filezilla_server *
canonical ubuntu_linux 13.10
redhat virtualization 6.0
broadcom symantec_messaging_gateway 10.6.1
ricon s9922l_firmware 16.10.3(3794)
siemens application_processing_engine_firmware 2.0
redhat enterprise_linux_server_aus 6.5
CVE-2014-2578 MEDIUM

Cross-site scripting (XSS) vulnerability in Splunk Web in Splunk before 5.0.8 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
splunk splunk 5.0
splunk splunk 5.0.1
splunk splunk 5.0.3
splunk splunk 5.0.4
splunk splunk 5.0.6
splunk splunk 5.0.5
splunk splunk *
splunk splunk 5.0.2
CVE-2014-3147 LOW

Cross-site scripting (XSS) vulnerability in the auto-complete feature in Splunk Enterprise before 6.0.4 allows remote authenticated users to inject arbitrary web script or HTML via a CSV file.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
splunk splunk 6.0.0
splunk splunk 6.0.1
splunk splunk 6.0.2
splunk splunk *
CVE-2014-5197 MEDIUM

Directory traversal vulnerability in (1) Splunk Web or the (2) Splunkd HTTP Server in Splunk Enterprise 6.1.x before 6.1.3 allows remote authenticated users to read arbitrary files via a .. (dot dot) in a URI, related to search ids.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22,

Products Affected

Vendor Product Version
splunk splunk 6.1.1
splunk splunk 6.1.2
splunk splunk 6.1
CVE-2014-5198 MEDIUM

Cross-site scripting (XSS) vulnerability in Splunk Web in Splunk Enterprise 6.1.x before 6.1.3 allows remote attackers to inject arbitrary web script or HTML via the Referer HTTP header.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
splunk splunk 6.1.1
splunk splunk 6.1.2
splunk splunk 6.1
CVE-2014-5466 MEDIUM

Cross-site scripting (XSS) vulnerability in the Dashboard in Splunk Web in Splunk Enterprise 6.1.x before 6.1.4, 6.0.x before 6.0.7, and 5.0.x before 5.0.10 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
splunk splunk 5.0.3
splunk splunk 5.0.4
splunk splunk 6.1.1
splunk splunk 6.0.1
splunk splunk 5.0.9
splunk splunk 6.1.4
splunk splunk 5.0.6
splunk splunk 6.0.3
splunk splunk 5.0.2
splunk splunk 6.1
splunk splunk 6.0.4
splunk splunk 6.0.6
splunk splunk 5.0
splunk splunk 5.0.1
splunk splunk 6.0.5
splunk splunk 5.0.7
splunk splunk 6.0.2
splunk splunk 6.1.2
splunk splunk 5.0.8
splunk splunk 6.1.3
splunk splunk 5.0.5
splunk splunk 6.0
CVE-2014-8301 MEDIUM

Cross-site scripting (XSS) vulnerability in Splunk Web in Splunk Enterprise 5.0.x before 5.0.10 allows remote attackers to inject arbitrary web script or HTML via the HTTP Referer header.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
splunk splunk 5.0
splunk splunk 5.0.1
splunk splunk 5.0.3
splunk splunk 5.0.4
splunk splunk 5.0.7
splunk splunk 5.0.9
splunk splunk 5.0.8
splunk splunk 5.0.6
splunk splunk 5.0.5
splunk splunk 5.0.2
CVE-2014-8302 LOW

Cross-site scripting (XSS) vulnerability in Splunk Web in Splunk Enterprise 6.1.x before 6.1.4, 6.0.x before 6.0.6, and 5.0.x before 5.0.10 allows remote attackers to inject arbitrary web script or HTML via vectors related to dashboard.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
splunk splunk 5.0.3
splunk splunk 5.0.4
splunk splunk 6.0.0
splunk splunk 6.1.1
splunk splunk 6.0.1
splunk splunk 5.0.9
splunk splunk 5.0.6
splunk splunk 6.0.3
splunk splunk 5.0.2
splunk splunk 6.1
splunk splunk 6.0.4
splunk splunk 5.0
splunk splunk 5.0.1
splunk splunk 6.0.5
splunk splunk 5.0.7
splunk splunk 6.0.2
splunk splunk 6.1.2
splunk splunk 5.0.8
splunk splunk 6.1.3
splunk splunk 5.0.5
splunk splunk 6.0
CVE-2014-8303 MEDIUM

Cross-site scripting (XSS) vulnerability in Splunk Web in Splunk Enterprise 6.1.x before 6.1.4 and 6.0.x before 6.0.6 allows remote attackers to inject arbitrary web script or HTML via vectors related to event parsing.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
splunk splunk 6.0.5
splunk splunk 6.1.1
splunk splunk 6.0.1
splunk splunk 6.0.2
splunk splunk 6.1.2
splunk splunk 6.0.3
splunk splunk 6.1.3
splunk splunk 6.0
splunk splunk 6.1
splunk splunk 6.0.4
CVE-2014-8380 MEDIUM

Cross-site scripting (XSS) vulnerability in Splunk 6.1.1 allows remote attackers to inject arbitrary web script or HTML via the HTTP Referer Header in a "404 Not Found" response. NOTE: this vulnerability might exist because of a CVE-2010-2429 regression.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
splunk splunk 6.1.1
CVE-2015-6514 MEDIUM

Cross-site scripting (XSS) vulnerability in the Dashboard in Splunk Enterprise 6.2.x before 6.2.4 and Splunk Light 6.2.x before 6.2.4 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
splunk splunk 6.2.1
splunk splunk 6.2.2
splunk splunk 6.2.0
splunk splunk 6.2.3
CVE-2015-6515 MEDIUM

Cross-site scripting (XSS) vulnerability in Splunk Web in Splunk Enterprise 6.2.x before 6.2.4, 6.1.x before 6.1.8, 6.0.x before 6.0.9, and 5.0.x before 5.0.13 and Splunk Light 6.2.x before 6.2.4 allows remote attackers to inject arbitrary web script or HTML via a header.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
splunk splunk 5.0.4
splunk splunk 5.0.6
splunk splunk 6.2.0
splunk splunk 6.1.0
splunk splunk 5.0.2
splunk splunk 5.0.10
splunk splunk 6.1.7
splunk splunk 5.0.1
splunk splunk 6.1.5
splunk splunk 6.1.2
splunk splunk 6.1.3
splunk splunk 6.2.3
splunk splunk 5.0.5
splunk splunk 5.0.0
splunk splunk 6.1.6
splunk splunk 5.0.3
splunk splunk 6.0.0
splunk splunk 5.0.12
splunk splunk 6.1.1
splunk splunk 6.0.1
splunk splunk 5.0.9
splunk splunk 6.1.4
splunk splunk 5.0.11
splunk splunk 6.2.2
splunk splunk 6.0.7
splunk splunk 6.0.3
splunk splunk 6.0.4
splunk splunk 6.0.6
splunk splunk 6.0.5
splunk splunk 5.0.7
splunk splunk 6.2.1
splunk splunk 6.0.2
splunk splunk 5.0.8
splunk splunk 6.0.8
CVE-2015-7604 MEDIUM

Cross-site scripting (XSS) vulnerability in Splunk Web in Splunk Enterprise 6.2.x before 6.2.6 and Splunk Light 6.2.x before 6.2.6 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
splunk splunk 6.2.1
splunk splunk 6.2.2
splunk splunk 6.2.5
splunk splunk 6.2.0
splunk splunk 6.2.4
splunk splunk 6.2.3
CVE-2016-10126 HIGH

Splunk Web in Splunk Enterprise 5.0.x before 5.0.17, 6.0.x before 6.0.13, 6.1.x before 6.1.12, 6.2.x before 6.2.12, 6.3.x before 6.3.8, and 6.4.x before 6.4.4 allows remote attackers to conduct HTTP request injection attacks and obtain sensitive REST API authentication-token information via unspecified vectors, aka SPL-128840.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-264,

Products Affected

Vendor Product Version
splunk splunk 6.0.12
splunk splunk 6.3.1
splunk splunk 5.0.4
splunk splunk 6.0.10
splunk splunk 5.0.6
splunk splunk 6.2.0
splunk splunk 6.1.0
splunk splunk 6.4.0
splunk splunk 6.2.11
splunk splunk 5.0.16
splunk splunk 5.0.2
splunk splunk 5.0.10
splunk splunk 6.1.7
splunk splunk 6.1.8
splunk splunk 5.0.1
splunk splunk 6.1.5
splunk splunk 6.0.9
splunk splunk 5.0.15
splunk splunk 6.1.3
splunk splunk 6.1.9
splunk splunk 5.0.0
splunk splunk 6.1.6
splunk splunk 6.4.3
splunk splunk 6.0.11
splunk splunk 6.3.5
splunk splunk 5.0.3
splunk splunk 6.0.0
splunk splunk 6.1.4
splunk splunk 6.2.2
splunk splunk 6.0.3
splunk splunk 6.0.4
splunk splunk 6.0.6
splunk splunk 6.2.7
splunk splunk 6.3.2
splunk splunk 6.0.5
splunk splunk 5.0.7
splunk splunk 6.3.4
splunk splunk 6.2.4
splunk splunk 6.0.8
splunk splunk 6.2.10
splunk splunk 6.4.1
splunk splunk 6.4.2
splunk splunk 6.2.8
splunk splunk 6.1.2
splunk splunk 6.2.9
splunk splunk 6.2.3
splunk splunk 5.0.5
splunk splunk 6.3.3
splunk splunk 6.3.0
splunk splunk 6.3.7
splunk splunk 5.0.12
splunk splunk 6.1.11
splunk splunk 6.1.1
splunk splunk 6.0.1
splunk splunk 5.0.9
splunk splunk 5.0.11
splunk splunk 6.0.7
splunk splunk 6.2.1
splunk splunk 6.0.2
splunk splunk 6.2.5
splunk splunk 6.2.6
splunk splunk 5.0.8
splunk splunk 6.1.10
splunk splunk 6.3.6
splunk splunk 5.0.14
splunk splunk 5.0.13
CVE-2016-4856 LOW

Cross-site scripting vulnerability in Splunk Enterprise 6.3.x prior to 6.3.5 and Splunk Light 6.3.x prior to 6.3.5 allows attacker with administrator rights to inject arbitrary web script or HTML via unspecified vectors.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
splunk splunk 6.3.1
splunk splunk 6.3.2
splunk splunk 6.3.4
splunk splunk 6.3.3
splunk splunk 6.3.0
CVE-2016-4857 MEDIUM

Open redirect vulnerability in Splunk Enterprise 6.4.x prior to 6.4.2, Splunk Enterprise 6.3.x prior to 6.3.6, Splunk Enterprise 6.2.x prior to 6.2.11 and Splunk Light prior to 6.4.2 allows to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-601,

Products Affected

Vendor Product Version
splunk splunk 6.3.5
splunk splunk 6.3.1
splunk splunk 6.2.10
splunk splunk 6.2.2
splunk splunk 6.2.0
splunk splunk 6.4.1
splunk splunk 6.4.0
splunk splunk *
splunk splunk 6.2.7
splunk splunk 6.3.2
splunk splunk 6.2.8
splunk splunk 6.2.1
splunk splunk 6.3.4
splunk splunk 6.2.5
splunk splunk 6.2.6
splunk splunk 6.2.9
splunk splunk 6.2.4
splunk splunk 6.2.3
splunk splunk 6.3.3
splunk splunk 6.3.0
CVE-2016-4858 LOW

Cross-site scripting vulnerability in Splunk Enterprise 6.4.x prior to 6.4.2, Splunk Enterprise 6.3.x prior to 6.3.6, Splunk Enterprise 6.2.x prior to 6.2.10, Splunk Enterprise 6.1.x prior to 6.1.11, Splunk Enterprise 6.0.x prior to 6.0.12, Splunk Enterprise 5.0.x prior to 5.0.16 and Splunk Light prior to 6.4.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
splunk splunk 6.3.1
splunk splunk 5.0.4
splunk splunk 6.0.10
splunk splunk 5.0.6
splunk splunk 6.2.0
splunk splunk 6.1.0
splunk splunk 6.4.0
splunk splunk 5.0.2
splunk splunk 5.0.10
splunk splunk 6.1.7
splunk splunk 6.1.8
splunk splunk 5.0.1
splunk splunk 6.1.5
splunk splunk 6.0.9
splunk splunk 5.0.15
splunk splunk 6.1.3
splunk splunk 6.1.9
splunk splunk 5.0.0
splunk splunk 6.1.6
splunk splunk 6.0.11
splunk splunk 6.3.5
splunk splunk 5.0.3
splunk splunk 6.0.0
splunk splunk 6.1.4
splunk splunk 6.2.2
splunk splunk 6.0.3
splunk splunk *
splunk splunk 6.0.4
splunk splunk 6.0.6
splunk splunk 6.2.7
splunk splunk 6.3.2
splunk splunk 6.0.5
splunk splunk 5.0.7
splunk splunk 6.3.4
splunk splunk 6.2.4
splunk splunk 6.0.8
splunk splunk 6.2.10
splunk splunk 6.4.1
splunk splunk 6.2.8
splunk splunk 6.1.2
splunk splunk 6.2.9
splunk splunk 6.2.3
splunk splunk 5.0.5
splunk splunk 6.3.3
splunk splunk 6.3.0
splunk splunk 5.0.12
splunk splunk 6.1.1
splunk splunk 6.0.1
splunk splunk 5.0.9
splunk splunk 5.0.11
splunk splunk 6.0.7
splunk splunk 6.2.1
splunk splunk 6.0.2
splunk splunk 6.2.5
splunk splunk 6.2.6
splunk splunk 5.0.8
splunk splunk 6.1.10
splunk splunk 5.0.14
splunk splunk 5.0.13
CVE-2016-4859 MEDIUM

Open redirect vulnerability in Splunk Enterprise 6.4.x prior to 6.4.3, Splunk Enterprise 6.3.x prior to 6.3.6, Splunk Enterprise 6.2.x prior to 6.2.10, Splunk Enterprise 6.1.x prior to 6.1.11, Splunk Enterprise 6.0.x prior to 6.0.12, Splunk Enterprise 5.0.x prior to 5.0.16 and Splunk Light prior to 6.4.3 allows to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-601,

Products Affected

Vendor Product Version
splunk splunk 6.3.1
splunk splunk 5.0.4
splunk splunk 6.0.10
splunk splunk 5.0.6
splunk splunk 6.2.0
splunk splunk 6.1.0
splunk splunk 6.4.0
splunk splunk 5.0.2
splunk splunk 5.0.10
splunk splunk 6.1.7
splunk splunk 6.1.8
splunk splunk 5.0.1
splunk splunk 6.1.5
splunk splunk 6.0.9
splunk splunk 5.0.15
splunk splunk 6.1.3
splunk splunk 6.1.9
splunk splunk 5.0.0
splunk splunk 6.1.6
splunk splunk 6.0.11
splunk splunk 6.3.5
splunk splunk 5.0.3
splunk splunk 6.0.0
splunk splunk 6.1.4
splunk splunk 6.2.2
splunk splunk 6.0.3
splunk splunk *
splunk splunk 6.0.4
splunk splunk 6.0.6
splunk splunk 6.2.7
splunk splunk 6.3.2
splunk splunk 6.0.5
splunk splunk 5.0.7
splunk splunk 6.3.4
splunk splunk 6.2.4
splunk splunk 6.0.8
splunk splunk 6.4.1
splunk splunk 6.2.8
splunk splunk 6.1.2
splunk splunk 6.2.9
splunk splunk 6.2.3
splunk splunk 5.0.5
splunk splunk 6.3.3
splunk splunk 6.3.0
splunk splunk 5.0.12
splunk splunk 6.1.1
splunk splunk 6.0.1
splunk splunk 5.0.9
splunk splunk 5.0.11
splunk splunk 6.0.7
splunk splunk 6.2.1
splunk splunk 6.0.2
splunk splunk 6.2.5
splunk splunk 6.2.6
splunk splunk 5.0.8
splunk splunk 6.1.10
splunk splunk 5.0.14
splunk splunk 5.0.13
CVE-2017-12572 LOW

Persistent Cross Site Scripting (XSS) exists in Splunk Enterprise 6.5.x before 6.5.2, 6.4.x before 6.4.6, and 6.3.x before 6.3.9 and Splunk Light before 6.5.2, with exploitation requiring administrative access, aka SPL-134104.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
splunk splunk 6.3.5
splunk splunk 6.3.1
splunk splunk 6.4.1
splunk splunk 6.4.0
splunk splunk 6.5.1
splunk splunk 6.4.5
splunk splunk 6.3.8
splunk splunk 6.3.2
splunk splunk 6.4.2
splunk splunk 6.5.0
splunk splunk 6.3.4
splunk splunk 6.4.4
splunk splunk 6.3.3
splunk splunk 6.3.6
splunk splunk 6.3.0
splunk splunk 6.3.7
splunk splunk 6.4.3
CVE-2017-17067 HIGH

Splunk Web in Splunk Enterprise 7.0.x before 7.0.0.1, 6.6.x before 6.6.3.2, 6.5.x before 6.5.6, 6.4.x before 6.4.9, and 6.3.x before 6.3.12, when the SAML authType is enabled, mishandles SAML, which allows remote attackers to bypass intended access restrictions or conduct impersonation attacks.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-863,

Products Affected

Vendor Product Version
splunk splunk *
CVE-2017-18348 MEDIUM

Splunk Enterprise 6.6.x, when configured to run as root but drop privileges to a specific non-root account, allows local users to gain privileges by leveraging access to that non-root account to modify $SPLUNK_HOME/etc/splunk-launch.conf and insert Trojan horse programs into $SPLUNK_HOME/bin, because the non-root setup instructions state that chown should be run across all of $SPLUNK_HOME to give non-root access.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-732,

Products Affected

Vendor Product Version
splunk splunk *
CVE-2017-5607 LOW

Splunk Enterprise 5.0.x before 5.0.18, 6.0.x before 6.0.14, 6.1.x before 6.1.13, 6.2.x before 6.2.13.1, 6.3.x before 6.3.10, 6.4.x before 6.4.6, and 6.5.x before 6.5.3 and Splunk Light before 6.5.2 assigns the $C JS property to the global Window namespace, which might allow remote attackers to obtain sensitive logged-in username and version-related information via a crafted webpage.

CVSS 2.0

Severity: LOW

Problem Type: CWE-200,

Products Affected

Vendor Product Version
splunk splunk *
CVE-2017-5880 MEDIUM

Splunk Web in Splunk Enterprise versions 6.5.x before 6.5.2, 6.4.x before 6.4.5, 6.3.x before 6.3.9, 6.2.x before 6.2.13, 6.1.x before 6.1.12, 6.0.x before 6.0.13, 5.0.x before 5.0.17 and Splunk Light versions before 6.5.2 allows remote authenticated users to cause a denial of service (daemon crash) via a crafted GET request, aka SPL-130279.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
splunk splunk 6.0.12
splunk splunk 6.3.1
splunk splunk 5.0.4
splunk splunk 6.0.10
splunk splunk 5.0.6
splunk splunk 6.2.0
splunk splunk 6.1.0
splunk splunk 6.4.0
splunk splunk 6.2.11
splunk splunk 5.0.16
splunk splunk 5.0.2
splunk splunk 5.0.10
splunk splunk 6.1.7
splunk splunk 6.1.8
splunk splunk 5.0.1
splunk splunk 6.1.5
splunk splunk 6.0.9
splunk splunk 5.0.15
splunk splunk 6.1.3
splunk splunk 6.1.9
splunk splunk 5.0.0
splunk splunk 6.1.6
splunk splunk 6.4.3
splunk splunk 6.0.11
splunk splunk 6.3.5
splunk splunk 5.0.3
splunk splunk 6.0.0
splunk splunk 6.1.4
splunk splunk 6.2.2
splunk splunk 6.0.3
splunk splunk 6.5.1
splunk splunk *
splunk splunk 6.0.4
splunk splunk 6.0.6
splunk splunk 6.3.8
splunk splunk 6.2.7
splunk splunk 6.3.2
splunk splunk 6.0.5
splunk splunk 5.0.7
splunk splunk 6.3.4
splunk splunk 6.2.4
splunk splunk 6.0.8
splunk splunk 6.2.10
splunk splunk 6.4.1
splunk splunk 6.4.2
splunk splunk 6.2.8
splunk splunk 6.5.0
splunk splunk 6.1.2
splunk splunk 6.2.9
splunk splunk 6.2.3
splunk splunk 5.0.5
splunk splunk 6.3.3
splunk splunk 6.3.0
splunk splunk 6.3.7
splunk splunk 5.0.12
splunk splunk 6.1.11
splunk splunk 6.2.12
splunk splunk 6.1.1
splunk splunk 6.0.1
splunk splunk 5.0.9
splunk splunk 5.0.11
splunk splunk 6.0.7
splunk splunk 6.2.1
splunk splunk 6.0.2
splunk splunk 6.2.5
splunk splunk 6.2.6
splunk splunk 5.0.8
splunk splunk 6.1.10
splunk splunk 6.4.4
splunk splunk 6.3.6
splunk splunk 5.0.14
splunk splunk 5.0.13
CVE-2017-7565 MEDIUM

Splunk Hadoop Connect App has a path traversal vulnerability that allows remote authenticated users to execute arbitrary code, aka ERP-2041.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22,

Products Affected

Vendor Product Version
splunk hadoop_connect -
CVE-2018-11409 MEDIUM

Splunk through 7.0.1 allows information disclosure by appending __raw/services/server/info/server-info?output_mode=json to a query, as demonstrated by discovering a license key.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
splunk splunk *
CVE-2018-7427 MEDIUM

Cross-site scripting (XSS) vulnerability in Splunk Web in Splunk Enterprise 6.0.x before 6.0.14, 6.1.x before 6.1.13, 6.2.x before 6.2.14, 6.3.x before 6.3.10, 6.4.x before 6.4.7, and 6.5.x before 6.5.3; and Splunk Light before 6.6.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
splunk splunk *
CVE-2018-7429 MEDIUM

Splunkd in Splunk Enterprise 6.2.x before 6.2.14 6.3.x before 6.3.11, and 6.4.x before 6.4.8; and Splunk Light before 6.5.0 allow remote attackers to cause a denial of service via a malformed HTTP request.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
splunk splunk *
CVE-2018-7431 MEDIUM

Directory traversal vulnerability in the Splunk Django App in Splunk Enterprise 6.0.x before 6.0.14, 6.1.x before 6.1.13, 6.2.x before 6.2.14, 6.3.x before 6.3.10, 6.4.x before 6.4.6, and 6.5.x before 6.5.3; and Splunk Light before 6.6.0 allows remote authenticated users to read arbitrary files via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22,

Products Affected

Vendor Product Version
splunk splunk *
CVE-2018-7432 MEDIUM

Splunk Enterprise 6.2.x before 6.2.14, 6.3.x before 6.3.10, 6.4.x before 6.4.7, and 6.5.x before 6.5.3; and Splunk Light before 6.6.0 allow remote attackers to cause a denial of service via a crafted HTTP request.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
splunk splunk *
CVE-2019-20454 MEDIUM

An out-of-bounds read was discovered in PCRE before 10.34 when the pattern \X is JIT compiled and used to match specially crafted subjects in non-UTF mode. Applications that use PCRE to parse untrusted input may be vulnerable to this flaw, which would allow an attacker to crash the application. The flaw occurs in do_extuni_no_utf in pcre2_jit_compile.c.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,

Products Affected

Vendor Product Version
splunk universal_forwarder *
fedoraproject fedora 31
splunk universal_forwarder 9.1.0
pcre pcre2 *
CVE-2019-20838 MEDIUM

libpcre in PCRE before 8.43 allows a subject buffer over-read in JIT when UTF is disabled, and \X or \R has more than one fixed quantifier, a related issue to CVE-2019-20454.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,

Products Affected

Vendor Product Version
splunk universal_forwarder *
splunk universal_forwarder 9.1.0
pcre pcre *
apple macos *
CVE-2019-3800 LOW

CF CLI version prior to v6.45.0 (bosh release version 1.16.0) writes the client id and secret to its config file when the user authenticates with --client-credentials flag. A local authenticated malicious user with access to the CF CLI config file can act as that client, who is the owner of the leaked credentials.

CVSS 2.0

Severity: LOW

Problem Type: CWE-522,CWE-200,

Products Affected

Vendor Product Version
contrastsecurity service_broker *
microsoft azure_service_broker *
anynines mysql *
bluemedora nozzle *
wavefront wavefront_by_vmware_nozzle *
pivotal metric_registrar_release *
synopsys seeker_iast_service_broker *
pivotal cloud_foundry_routing_release *
appdynamics application_analytics *
pivotal cloud_foundry_event_alerts *
pivotal cloud_foundry_command_line_interface_release *
splunk nozzle *
anynines logme *
pivotal application_service *
samba volume_service *
anynines rabbitmq *
pivotal single_sign-on *
datastax enterprise_service_broker *
apigee edge_service_broker *
signalsciences service_broker *
pivotal cloud_foundry_command_line_interface *
pivotal cloud_foundry_log_cache_release *
newrelic nozzle *
snyk service_broker *
tibco businessworks_buildpack *
pivotal cloud_foundry_deployment *
newrelic service_broker *
anynines redis *
ibm websphere_liberty_ *
appdynamics platform_montioring *
pivotal cloud_foundry_autoscaling_release *
pivotal credhub_service_broker_for_pcf *
forgerock service_broker *
google google_cloud_platform_service_broker *
anynines postgresql *
pagerduty service_broker *
datadoghq application_monitoring *
newrelic dotnet_extension_buildpack *
pivotal pivotal_cloud_foundry_service_broker *
riverbed steelcentral_appinternals *
anynines elasticsearch *
pivotal cloud_foundry_smoke_test *
sumologic nozzle *
pivotal cloud_foundry_networking_release *
pivotal cloud_foundry_notifications *
anynines mongodb *
cyberark conjur_service_broker *
solace pubsub+ *
appdynamics application_performance_monitoring *
pivotal cloud_foundry_deployment_concourse_tasks *
pivotal on_demand_service_broker *
microsoft azure_log_analytics_nozzle *
yugabyte db_enterprise *
pivotal cloud_foundry_healthwatch *
dynatrace service_broker *
CVE-2019-5727 LOW

Splunk Web in Splunk Enterprise 6.5.x before 6.5.5, 6.4.x before 6.4.9, 6.3.x before 6.3.12, 6.2.x before 6.2.14, 6.1.x before 6.1.14, and 6.0.x before 6.0.15 and Splunk Light before 6.6.0 has Persistent XSS, aka SPL-138827.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
splunk splunk *
CVE-2019-5729 MEDIUM

Splunk-SDK-Python before 1.6.6 does not properly verify untrusted TLS server certificates, which could result in man-in-the-middle attacks.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-295,

Products Affected

Vendor Product Version
splunk software_development_kit *
CVE-2020-14155 MEDIUM

libpcre in PCRE before 8.44 allows an integer overflow via a large number after a (?C substring.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-190,

Products Affected

Vendor Product Version
netapp h410c_firmware -
netapp h500s_firmware -
netapp active_iq_unified_manager -
netapp cloud_backup -
apple macos *
gitlab gitlab *
netapp h410s_firmware -
netapp h700s_firmware -
netapp ontap_select_deploy_administration_utility -
netapp steelstore_cloud_integrated_storage -
splunk universal_forwarder *
netapp clustered_data_ontap -
netapp h300s_firmware -
splunk universal_forwarder 9.1.0
pcre pcre *
oracle communications_cloud_native_core_policy 1.15.0
CVE-2020-8169 MEDIUM

curl 7.62.0 through 7.70.0 is vulnerable to an information disclosure vulnerability that can lead to a partial password being leaked over the network and to the DNS server(s).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,CWE-200,

Products Affected

Vendor Product Version
haxx curl *
splunk universal_forwarder *
debian debian_linux 10.0
splunk universal_forwarder 9.1.0
siemens sinec_infrastructure_network_services *
siemens simatic_tim_1531_irc_firmware *
CVE-2020-8177 MEDIUM

curl 7.20.0 through 7.70.0 is vulnerable to improper restriction of names for files and other resources that can lead too overwriting a local file when the -J flag is used.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-99,CWE-74,

Products Affected

Vendor Product Version
haxx curl *
splunk universal_forwarder *
debian debian_linux 10.0
fujitsu m10-4s_firmware *
fujitsu m10-1_firmware *
splunk universal_forwarder 9.1.0
siemens sinec_infrastructure_network_services *
fujitsu m12-2_firmware *
fujitsu m12-1_firmware *
fujitsu m12-2s_firmware *
fujitsu m10-4_firmware *
CVE-2020-8231 MEDIUM

Due to use of a dangling pointer, libcurl 7.29.0 through 7.71.1 can use the wrong connection when sending data.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-416,CWE-416,

Products Affected

Vendor Product Version
splunk universal_forwarder *
debian debian_linux 10.0
splunk universal_forwarder 9.1.0
oracle communications_cloud_native_core_policy 1.14.0
siemens sinec_infrastructure_network_services *
haxx libcurl *
CVE-2020-8284 MEDIUM

A malicious server can use the FTP PASV response to trick curl 7.73.0 and earlier into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed, for example doing port scanning and service banner extractions.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N 2.2 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp hci_storage_node -
apple macos 11.2
debian debian_linux 10.0
siemens sinec_infrastructure_network_services *
netapp hci_management_node -
debian debian_linux 9.0
fujitsu m12-1_firmware *
oracle peoplesoft_enterprise_peopletools 8.58
haxx curl *
fujitsu m10-4s_firmware *
fedoraproject fedora 33
apple mac_os_x 10.14.6
netapp solidfire -
netapp hci_bootstrap_os -
fujitsu m12-2_firmware *
fujitsu m12-2s_firmware *
fujitsu m10-4_firmware *
apple mac_os_x *
oracle essbase 21.2
splunk universal_forwarder *
netapp clustered_data_ontap -
apple mac_os_x 10.15.7
fujitsu m10-1_firmware *
apple macos 11.0.1
splunk universal_forwarder 9.1.0
oracle communications_cloud_native_core_policy 1.14.0
apple macos 11.1
fedoraproject fedora 32
oracle communications_billing_and_revenue_management 12.0.0.3.0
CVE-2020-8285 MEDIUM

curl 7.21.0 to and including 7.73.0 is vulnerable to uncontrolled recursion due to a stack overflow issue in FTP wildcard match parsing.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-674,CWE-674,CWE-787,

Products Affected

Vendor Product Version
debian debian_linux 10.0
siemens sinec_infrastructure_network_services *
netapp hci_management_node -
debian debian_linux 9.0
fujitsu m12-1_firmware *
oracle peoplesoft_enterprise_peopletools 8.58
fujitsu m10-4s_firmware *
fedoraproject fedora 33
apple mac_os_x 10.14.6
netapp solidfire -
netapp hci_bootstrap_os -
fujitsu m12-2_firmware *
haxx libcurl *
apple macos *
fujitsu m12-2s_firmware *
fujitsu m10-4_firmware *
apple mac_os_x *
oracle essbase 21.2
splunk universal_forwarder *
netapp clustered_data_ontap -
apple mac_os_x 10.15.7
fujitsu m10-1_firmware *
netapp hci_storage_node_firmware -
splunk universal_forwarder 9.1.0
oracle communications_cloud_native_core_policy 1.14.0
fedoraproject fedora 32
oracle communications_billing_and_revenue_management 12.0.0.3.0
CVE-2020-8286 MEDIUM

curl 7.41.0 through 7.73.0 is vulnerable to an improper check for certificate revocation due to insufficient verification of the OCSP response.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-295,CWE-295,

Products Affected

Vendor Product Version
debian debian_linux 10.0
netapp solidfire -
netapp hci_bootstrap_os -
siemens sinec_infrastructure_network_services *
netapp hci_management_node -
haxx libcurl *
debian debian_linux 9.0
apple macos *
siemens simatic_tim_1531_irc_firmware *
oracle peoplesoft_enterprise_peopletools 8.58
apple mac_os_x *
oracle essbase 21.2
splunk universal_forwarder *
netapp clustered_data_ontap -
apple mac_os_x 10.15.7
netapp hci_storage_node_firmware -
splunk universal_forwarder 9.1.0
oracle communications_cloud_native_core_policy 1.14.0
fedoraproject fedora 33
fedoraproject fedora 32
apple mac_os_x 10.14.6
oracle communications_billing_and_revenue_management 12.0.0.3.0
CVE-2021-22876 MEDIUM

curl 7.1.1 to and including 7.75.0 is vulnerable to an "Exposure of Private Personal Information to an Unauthorized Actor" by leaking credentials in the HTTP Referer: header. libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-359,CWE-200,

Products Affected

Vendor Product Version
netapp hci_storage_node -
netapp solidfire -
fedoraproject fedora 34
siemens sinec_infrastructure_network_services *
netapp hci_management_node -
netapp hci_compute_node -
haxx libcurl *
debian debian_linux 9.0
oracle essbase 21.2
splunk universal_forwarder *
splunk universal_forwarder 9.1.0
broadcom fabric_operating_system -
fedoraproject fedora 33
fedoraproject fedora 32
oracle communications_billing_and_revenue_management 12.0.0.3.0
CVE-2021-22890 MEDIUM

curl 7.63.0 to and including 7.75.0 includes vulnerability that allows a malicious HTTPS proxy to MITM a connection due to bad handling of TLS 1.3 session tickets. When using a HTTPS proxy and TLS 1.3, libcurl can confuse session tickets arriving from the HTTPS proxy but work as if they arrived from the remote server and then wrongly "short-cut" the host handshake. When confusing the tickets, a HTTPS proxy can trick libcurl to use the wrong session ticket resume for the host and thereby circumvent the server TLS certificate check and make a MITM attack to be possible to perform unnoticed. Note that such a malicious HTTPS proxy needs to provide a certificate that curl will accept for the MITMed server for an attack to work - unless curl has been told to ignore the server certificate check.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N 2.2 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-300,CWE-290,

Products Affected

Vendor Product Version
netapp hci_storage_node -
netapp solidfire -
fedoraproject fedora 34
siemens sinec_infrastructure_network_services *
netapp hci_management_node -
haxx libcurl *
debian debian_linux 9.0
oracle essbase 21.2
splunk universal_forwarder *
splunk universal_forwarder 9.1.0
broadcom fabric_operating_system -
fedoraproject fedora 33
fedoraproject fedora 32
oracle communications_billing_and_revenue_management 12.0.0.3.0
CVE-2021-22897 MEDIUM

curl 7.61.0 through 7.76.1 suffers from exposure of data element to wrong session due to a mistake in the code for CURLOPT_SSL_CIPHER_LIST when libcurl is built to use the Schannel TLS library. The selected cipher set was stored in a single "static" variable in the library, which has the surprising side-effect that if an application sets up multiple concurrent transfers, the last one that sets the ciphers will accidentally control the set used by all transfers. In a worst-case scenario, this weakens transport security significantly.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-840,CWE-668,

Products Affected

Vendor Product Version
netapp h300e_firmware -
netapp h500s_firmware -
siemens sinec_infrastructure_network_services *
netapp solidfire,_enterprise_sds_&_hci_storage_node -
oracle communications_cloud_native_core_network_slice_selection_function 1.8.0
netapp cloud_backup -
oracle communications_cloud_native_core_network_function_cloud_native_environment 1.10.0
haxx curl *
netapp solidfire_baseboard_management_controller_firmware -
netapp h300s_firmware -
oracle communications_cloud_native_core_service_communication_proxy 1.15.0
oracle mysql_server *
oracle essbase *
oracle communications_cloud_native_core_binding_support_function 1.11.0
netapp solidfire_&_hci_management_node -
netapp h700e_firmware -
netapp h410s_firmware -
netapp h700s_firmware -
splunk universal_forwarder *
splunk universal_forwarder 9.1.0
oracle communications_cloud_native_core_network_repository_function 1.15.0
netapp hci_compute_node_firmware -
netapp h500e_firmware -
oracle communications_cloud_native_core_network_repository_function 1.15.1
CVE-2021-22898 LOW

curl 7.7 through 7.76.1 suffers from an information disclosure when the `-t` command line option, known as `CURLOPT_TELNETOPTIONS` in libcurl, is used to send variable=content pairs to TELNET servers. Due to a flaw in the option parser for sending NEW_ENV variables, libcurl could be made to pass on uninitialized data from a stack based buffer to the server, resulting in potentially revealing sensitive internal information to the server using a clear-text network protocol.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.1 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N 1.6 1.4

CVSS 2.0

Severity: LOW

Problem Type: CWE-200,CWE-909,

Products Affected

Vendor Product Version
oracle mysql_server *
oracle essbase *
fedoraproject fedora 34
oracle communications_cloud_native_core_binding_support_function 1.11.0
siemens sinec_infrastructure_network_services *
oracle communications_cloud_native_core_network_slice_selection_function 1.8.0
debian debian_linux 9.0
oracle communications_cloud_native_core_network_function_cloud_native_environment 1.10.0
haxx curl *
splunk universal_forwarder *
oracle communications_cloud_native_core_service_communication_proxy 1.15.0
splunk universal_forwarder 9.1.0
oracle communications_cloud_native_core_network_repository_function 1.15.0
fedoraproject fedora 33
oracle communications_cloud_native_core_network_repository_function 1.15.1
CVE-2021-22901 MEDIUM

curl 7.75.0 through 7.76.1 suffers from a use-after-free vulnerability resulting in already freed memory being used when a TLS 1.3 session ticket arrives over a connection. A malicious server can use this in rare unfortunate circumstances to potentially reach remote code execution in the client. When libcurl at run-time sets up support for TLS 1.3 session tickets on a connection using OpenSSL, it stores pointers to the transfer in-memory object for later retrieval when a session ticket arrives. If the connection is used by multiple transfers (like with a reused HTTP/1.1 connection or multiplexed HTTP/2 connection) that first transfer object might be freed before the new session is established on that connection and then the function will access a memory buffer that might be freed. When using that memory, libcurl might even call a function pointer in the object, making it possible for a remote code execution if the server could somehow manage to get crafted memory content into the correct place in memory.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-416,CWE-416,

Products Affected

Vendor Product Version
netapp h300e_firmware -
netapp h500s_firmware -
siemens sinec_infrastructure_network_services *
netapp active_iq_unified_manager -
netapp solidfire,_enterprise_sds_&_hci_storage_node -
oracle communications_cloud_native_core_network_slice_selection_function 1.8.0
netapp cloud_backup -
oracle communications_cloud_native_core_network_function_cloud_native_environment 1.10.0
haxx curl *
netapp solidfire_baseboard_management_controller_firmware -
netapp h300s_firmware -
oracle communications_cloud_native_core_service_communication_proxy 1.15.0
netapp snapcenter -
oracle mysql_server *
oracle essbase *
oracle communications_cloud_native_core_binding_support_function 1.11.0
netapp solidfire_&_hci_management_node -
netapp h700e_firmware -
netapp h410s_firmware -
netapp oncommand_insight -
netapp h700s_firmware -
splunk universal_forwarder *
netapp oncommand_workflow_automation -
splunk universal_forwarder 9.1.0
oracle communications_cloud_native_core_network_repository_function 1.15.0
netapp hci_compute_node_firmware -
netapp h500e_firmware -
oracle communications_cloud_native_core_network_repository_function 1.15.1
CVE-2021-22922 MEDIUM

When curl is instructed to download content using the metalink feature, thecontents is verified against a hash provided in the metalink XML file.The metalink XML file points out to the client how to get the same contentfrom a set of different URLs, potentially hosted by different servers and theclient can then download the file from one or several of them. In a serial orparallel manner.If one of the servers hosting the contents has been breached and the contentsof the specific file on that server is replaced with a modified payload, curlshould detect this when the hash of the file mismatches after a completeddownload. It should remove the contents and instead try getting the contentsfrom another URL. This is not done, and instead such a hash mismatch is onlymentioned in text and the potentially malicious content is kept in the file ondisk.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-840,CWE-755,

Products Affected

Vendor Product Version
oracle mysql_server *
netapp h300e_firmware -
netapp h500s_firmware -
netapp solidfire -
siemens sinec_infrastructure_network_services *
netapp hci_management_node -
netapp cloud_backup -
netapp h700e_firmware -
netapp h410s_firmware -
haxx curl *
netapp h700s_firmware -
splunk universal_forwarder *
netapp clustered_data_ontap -
netapp h300s_firmware -
splunk universal_forwarder 9.1.0
fedoraproject fedora 33
netapp h500e_firmware -
CVE-2021-22923 LOW

When curl is instructed to get content using the metalink feature, and a user name and password are used to download the metalink XML file, those same credentials are then subsequently passed on to each of the servers from which curl will download or try to download the contents from. Often contrary to the user's expectations and intentions and without telling the user it happened.

CVSS 2.0

Severity: LOW

Problem Type: CWE-319,CWE-319,CWE-522,

Products Affected

Vendor Product Version
oracle mysql_server *
netapp h300e_firmware -
netapp h500s_firmware -
netapp solidfire -
siemens sinec_infrastructure_network_services *
netapp hci_management_node -
netapp cloud_backup -
netapp h700e_firmware -
netapp h410s_firmware -
haxx curl *
netapp h700s_firmware -
splunk universal_forwarder *
netapp clustered_data_ontap -
netapp h300s_firmware -
splunk universal_forwarder 9.1.0
fedoraproject fedora 33
netapp h500e_firmware -
CVE-2021-22924 MEDIUM

libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse, if one of them matches the setup.Due to errors in the logic, the config matching function did not take 'issuercert' into account and it compared the involved paths *case insensitively*,which could lead to libcurl reusing wrong connections.File paths are, or can be, case sensitive on many systems but not all, and caneven vary depending on used file systems.The comparison also didn't include the 'issuer cert' which a transfer can setto qualify how to verify the server certificate.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N 2.2 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,CWE-706,

Products Affected

Vendor Product Version
siemens simatic_rtu3030c_firmware *
siemens scalance_s615_firmware *
oracle peoplesoft_enterprise_peopletools 8.59
debian debian_linux 10.0
siemens siplus_net_cp_1543-1_firmware *
siemens scalance_m812-1_firmware *
siemens sinec_infrastructure_network_services *
siemens sinema_remote_connect_server *
debian debian_linux 9.0
netapp cloud_backup -
oracle peoplesoft_enterprise_peopletools 8.58
siemens scalance_m826-2_firmware *
oracle peoplesoft_enterprise_peopletools 8.57
netapp solidfire_baseboard_management_controller_firmware -
siemens logo!_cmr2040_firmware *
debian debian_linux 11.0
fedoraproject fedora 33
siemens scalance_m874-3_firmware *
siemens simatic_rtu_3041c_firmware *
siemens scalance_m816-1_firmware *
siemens simatic_rtu3031c_firmware *
oracle mysql_server *
siemens scalance_m874-2_firmware *
siemens scalance_m804pb_firmware *
siemens simatic_cp_1543-1_firmware *
netapp solidfire_&_hci_management_node -
haxx libcurl *
siemens scalance_mum856-1_firmware *
siemens logo!_cmr2020_firmware *
splunk universal_forwarder *
netapp clustered_data_ontap -
splunk universal_forwarder 9.1.0
siemens ruggedcomrm_1224_lte_firmware *
siemens sinema_remote_connect *
siemens simatic_rtu3010c_firmware *
siemens simatic_cp_1545-1_firmware *
siemens scalance_m876-3_firmware *
siemens scalance_m876-4_firmware *
CVE-2021-22925 MEDIUM

curl supports the `-t` command line option, known as `CURLOPT_TELNETOPTIONS`in libcurl. This rarely used option is used to send variable=content pairs toTELNET servers.Due to flaw in the option parser for sending `NEW_ENV` variables, libcurlcould be made to pass on uninitialized data from a stack based buffer to theserver. Therefore potentially revealing sensitive internal information to theserver using a clear-text network protocol.This could happen because curl did not call and use sscanf() correctly whenparsing the string provided by the application.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,CWE-908,

Products Affected

Vendor Product Version
apple macos 11.2
netapp h300e_firmware -
oracle peoplesoft_enterprise_peopletools 8.59
netapp h500s_firmware -
siemens sinec_infrastructure_network_services *
netapp hci_management_node -
apple macos 11.3
siemens sinema_remote_connect_server *
netapp cloud_backup -
oracle peoplesoft_enterprise_peopletools 8.58
apple macos 11.2.1
haxx curl *
oracle peoplesoft_enterprise_peopletools 8.57
netapp h300s_firmware -
apple macos 11.4
fedoraproject fedora 33
oracle mysql_server *
netapp solidfire -
apple macos 11.5
netapp h700e_firmware -
netapp h410s_firmware -
netapp h700s_firmware -
apple macos 11.0
apple macos 11.3.1
splunk universal_forwarder *
netapp clustered_data_ontap -
apple mac_os_x 10.15.7
apple macos 11.0.1
splunk universal_forwarder 9.1.0
netapp h500e_firmware -
apple macos 11.1
apple macos 11.1.0
CVE-2021-22926 MEDIUM

libcurl-using applications can ask for a specific client certificate to be used in a transfer. This is done with the `CURLOPT_SSLCERT` option (`--cert` with the command line tool).When libcurl is built to use the macOS native TLS library Secure Transport, an application can ask for the client certificate by name or with a file name - using the same option. If the name exists as a file, it will be used instead of by name.If the appliction runs with a current working directory that is writable by other users (like `/tmp`), a malicious user can create a file name with the same name as the app wants to use by name, and thereby trick the application to use the file based cert instead of the one referred to by name making libcurl send the wrong client certificate in the TLS connection handshake.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-840,CWE-295,

Products Affected

Vendor Product Version
oracle mysql_server *
netapp h300e_firmware -
oracle peoplesoft_enterprise_peopletools 8.59
netapp h500s_firmware -
netapp solidfire -
siemens sinec_infrastructure_network_services *
netapp hci_management_node -
netapp active_iq_unified_manager -
netapp h700e_firmware -
netapp h410s_firmware -
oracle peoplesoft_enterprise_peopletools 8.58
haxx curl *
netapp oncommand_insight -
netapp h700s_firmware -
oracle peoplesoft_enterprise_peopletools 8.57
splunk universal_forwarder *
netapp clustered_data_ontap -
netapp oncommand_workflow_automation -
netapp h300s_firmware -
splunk universal_forwarder 9.1.0
netapp h500e_firmware -
netapp snapcenter -
CVE-2021-22945 MEDIUM

When sending data to an MQTT server, libcurl <= 7.73.0 and 7.78.0 could in some circumstances erroneously keep a pointer to an already freed memory area and both use that again in a subsequent call to send data and also free it *again*.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-415,CWE-415,CWE-415,

Products Affected

Vendor Product Version
oracle mysql_server *
netapp h300e_firmware -
netapp h500s_firmware -
siemens sinec_ins *
haxx libcurl *
netapp cloud_backup -
apple macos *
netapp h700e_firmware -
netapp h410s_firmware -
netapp h700s_firmware -
netapp solidfire_baseboard_management_controller_firmware -
splunk universal_forwarder *
netapp clustered_data_ontap -
debian debian_linux 11.0
netapp h300s_firmware -
splunk universal_forwarder 9.1.0
fedoraproject fedora 33
netapp h500e_firmware -
fedoraproject fedora 35
CVE-2021-22946 MEDIUM

A user can tell curl >= 7.20.0 and <= 7.78.0 to require a successful upgrade to TLS when speaking to an IMAP, POP3 or FTP server (`--ssl-reqd` on the command line or`CURLOPT_USE_SSL` set to `CURLUSESSL_CONTROL` or `CURLUSESSL_ALL` withlibcurl). This requirement could be bypassed if the server would return a properly crafted but perfectly legitimate response.This flaw would then make curl silently continue its operations **withoutTLS** contrary to the instructions and expectations, exposing possibly sensitive data in clear text over the network.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-325,CWE-319,

Products Affected

Vendor Product Version
oracle communications_cloud_native_core_network_repository_function 22.1.0
netapp h300e_firmware -
oracle peoplesoft_enterprise_peopletools 8.59
debian debian_linux 10.0
netapp h500s_firmware -
siemens sinec_infrastructure_network_services *
oracle communications_cloud_native_core_network_slice_selection_function 1.8.0
debian debian_linux 9.0
netapp cloud_backup -
oracle communications_cloud_native_core_security_edge_protection_proxy 22.1.1
oracle peoplesoft_enterprise_peopletools 8.58
oracle communications_cloud_native_core_network_function_cloud_native_environment 1.10.0
haxx curl *
oracle peoplesoft_enterprise_peopletools 8.57
netapp solidfire_baseboard_management_controller_firmware -
debian debian_linux 11.0
netapp h300s_firmware -
oracle communications_cloud_native_core_service_communication_proxy 1.15.0
fedoraproject fedora 33
fedoraproject fedora 35
netapp snapcenter -
oracle mysql_server *
oracle communications_cloud_native_core_binding_support_function 1.11.0
apple macos *
netapp h700e_firmware -
oracle communications_cloud_native_core_console 22.2.0
netapp h410s_firmware -
netapp oncommand_insight -
netapp h700s_firmware -
oracle communications_cloud_native_core_binding_support_function 22.1.3
splunk universal_forwarder *
netapp clustered_data_ontap -
netapp oncommand_workflow_automation -
splunk universal_forwarder 9.1.0
oracle communications_cloud_native_core_network_repository_function 1.15.0
netapp h500e_firmware -
oracle communications_cloud_native_core_network_repository_function 1.15.1
oracle communications_cloud_native_core_network_repository_function 22.2.0
oracle commerce_guided_search 11.3.2
CVE-2021-22947 MEDIUM

When curl >= 7.20.0 and <= 7.78.0 connects to an IMAP or POP3 server to retrieve data using STARTTLS to upgrade to TLS security, the server can respond and send back multiple responses at once that curl caches. curl would then upgrade to TLS but not flush the in-queue of cached responses but instead continue using and trustingthe responses it got *before* the TLS handshake as if they were authenticated.Using this flaw, it allows a Man-In-The-Middle attacker to first inject the fake responses, then pass-through the TLS traffic from the legitimate server and trick curl into sending data back to the user thinking the attacker's injected data comes from the TLS-protected server.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-310,CWE-345,

Products Affected

Vendor Product Version
netapp h300e_firmware -
oracle peoplesoft_enterprise_peopletools 8.59
debian debian_linux 10.0
netapp h500s_firmware -
siemens sinec_infrastructure_network_services *
oracle communications_cloud_native_core_network_slice_selection_function 1.8.0
debian debian_linux 9.0
netapp cloud_backup -
oracle communications_cloud_native_core_security_edge_protection_proxy 22.1.1
oracle peoplesoft_enterprise_peopletools 8.58
oracle communications_cloud_native_core_network_function_cloud_native_environment 1.10.0
haxx curl *
oracle peoplesoft_enterprise_peopletools 8.57
netapp solidfire_baseboard_management_controller_firmware -
oracle communications_cloud_native_core_network_repository_function 22.1.2
debian debian_linux 11.0
netapp h300s_firmware -
oracle communications_cloud_native_core_service_communication_proxy 1.15.0
fedoraproject fedora 33
fedoraproject fedora 35
oracle mysql_server *
oracle communications_cloud_native_core_binding_support_function 1.11.0
apple macos *
netapp h700e_firmware -
oracle communications_cloud_native_core_console 22.2.0
netapp h410s_firmware -
netapp h700s_firmware -
oracle communications_cloud_native_core_binding_support_function 22.1.3
splunk universal_forwarder *
netapp clustered_data_ontap -
splunk universal_forwarder 9.1.0
oracle communications_cloud_native_core_network_repository_function 1.15.0
netapp h500e_firmware -
oracle communications_cloud_native_core_network_repository_function 1.15.1
oracle communications_cloud_native_core_network_repository_function 22.2.0
oracle commerce_guided_search 11.3.2
CVE-2021-26253 MEDIUM

A potential vulnerability in Splunk Enterprise's implementation of DUO MFA allows for bypassing the MFA verification in Splunk Enterprise versions before 8.1.6. The potential vulnerability impacts Splunk Enterprise instances configured to use DUO MFA and does not impact or affect a DUO product or service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9
prodsec@splunk.com 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-287,NVD-CWE-noinfo,

Products Affected

Vendor Product Version
splunk splunk *
CVE-2021-30560 MEDIUM

Use after free in Blink XSLT in Google Chrome prior to 91.0.4472.164 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-416,CWE-416,

Products Affected

Vendor Product Version
splunk universal_forwarder *
debian debian_linux 10.0
debian debian_linux 11.0
xmlsoft libxslt *
splunk universal_forwarder 9.1.0
google chrome *
CVE-2021-31559 MEDIUM

A crafted request bypasses S2S TCP Token authentication writing arbitrary events to an index in Splunk Enterprise Indexer 8.1 versions before 8.1.5 and 8.2 versions before 8.2.1. The vulnerability impacts Indexers configured to use TCPTokens. It does not impact Universal Forwarders.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6
prodsec@splunk.com 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-288,NVD-CWE-noinfo,

Products Affected

Vendor Product Version
splunk splunk 8.2.0
splunk splunk *
CVE-2021-31566

An improper link resolution flaw can occur while extracting an archive leading to changing modes, times, access control lists, and flags of a file outside of the archive. An attacker may provide a malicious archive to a victim user, who would trigger this flaw when trying to extract the archive. A local attacker may use this flaw to gain more privileges in a system.

Products Affected

Vendor Product Version
debian debian_linux 10.0
redhat enterprise_linux_for_power_little_endian 8.0
redhat enterprise_linux_server_tus 8.6
redhat enterprise_linux 8.0
redhat codeready_linux_builder -
redhat enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions 8.6
splunk universal_forwarder *
splunk universal_forwarder 9.1.0
redhat enterprise_linux_server_aus 8.6
fedoraproject fedora 35
redhat enterprise_linux_for_ibm_z_systems_eus 8.6
redhat enterprise_linux_eus 8.6
redhat enterprise_linux_for_ibm_z_systems 8.0
libarchive libarchive *
redhat enterprise_linux_for_power_little_endian_eus 8.6
CVE-2021-33845 MEDIUM

The Splunk Enterprise REST API allows enumeration of usernames via the lockout error message. The potential vulnerability impacts Splunk Enterprise instances before 8.1.7 when configured to repress verbose login errors.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
prodsec@splunk.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-203,CWE-203,

Products Affected

Vendor Product Version
splunk splunk *
CVE-2021-3422 MEDIUM

The lack of validation of a key-value field in the Splunk-to-Splunk protocol results in a denial-of-service in Splunk Enterprise instances configured to index Universal Forwarder traffic. The vulnerability impacts Splunk Enterprise versions before 7.3.9, 8.0 versions before 8.0.9, and 8.1 versions before 8.1.3. It does not impact Universal Forwarders. When Splunk forwarding is secured using TLS or a Token, the attack requires compromising the certificate or token, or both. Implementation of either or both reduces the severity to Medium.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
prodsec@splunk.com 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,CWE-20,

Products Affected

Vendor Product Version
splunk splunk *
CVE-2021-3520 HIGH

There's a flaw in lz4. An attacker who submits a crafted file to an application linked with lz4 may be able to trigger an integer overflow, leading to calling of memmove() on a negative size argument, causing an out-of-bounds write and/or a crash. The greatest impact of this flaw is to availability, with some potential impact to confidentiality and integrity as well.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-190,CWE-190,CWE-787,

Products Affected

Vendor Product Version
netapp ontap_select_deploy_administration_utility -
lz4_project lz4 1.8.3
oracle zfs_storage_appliance_kit 8.8
splunk universal_forwarder *
splunk universal_forwarder 9.1.0
oracle communications_cloud_native_core_policy 1.14.0
lz4_project lz4 *
netapp active_iq_unified_manager -
netapp cloud_backup -
CVE-2021-36976 MEDIUM

libarchive 3.4.1 through 3.5.1 has a use-after-free in copy_string (called from do_uncompress_block and process_block).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-416,

Products Affected

Vendor Product Version
splunk universal_forwarder *
apple iphone_os *
splunk universal_forwarder 9.1.0
apple ipados *
fedoraproject fedora 35
apple watchos *
apple macos *
libarchive libarchive *
CVE-2021-42743 MEDIUM

A misconfiguration in the node default path allows for local privilege escalation from a lower privileged user to the Splunk user in Splunk Enterprise versions before 8.1.1 on Windows.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9
prodsec@splunk.com 8.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H 2.0 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-427,CWE-427,

Products Affected

Vendor Product Version
splunk splunk *
CVE-2022-22576 MEDIUM

An improper authentication vulnerability exists in curl 7.33.0 to and including 7.82.0 which might allow reuse OAUTH2-authenticated connections without properly making sure that the connection was authenticated with the same credentials as set for this transfer. This affects SASL-enabled protocols: SMPTP(S), IMAP(S), POP3(S) and LDAP(S) (openldap only).

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-287,CWE-306,

Products Affected

Vendor Product Version
netapp bootstrap_os -
debian debian_linux 10.0
netapp h500s_firmware -
netapp solidfire_&_hci_management_node -
netapp h410s_firmware -
haxx curl *
netapp h700s_firmware -
splunk universal_forwarder *
netapp clustered_data_ontap -
debian debian_linux 11.0
netapp h300s_firmware -
splunk universal_forwarder 9.1.0
brocade fabric_operating_system -
netapp solidfire_&_hci_storage_node -
CVE-2022-26070 MEDIUM

When handling a mismatched pre-authentication cookie, the application leaks the internal error message in the response, which contains the Splunk Enterprise local system path. The vulnerability impacts Splunk Enterprise versions before 8.1.0.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 2.8 1.4
prodsec@splunk.com 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 2.8 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,CWE-209,

Products Affected

Vendor Product Version
splunk splunk *
CVE-2022-26889 MEDIUM

In Splunk Enterprise versions before 8.1.2, the uri path to load a relative resource within a web page is vulnerable to path traversal. It allows an attacker to potentially inject arbitrary content into the web page (e.g., HTML Injection, XSS) or bypass SPL safeguards for risky commands. The attack is browser-based. An attacker cannot exploit the attack at will and requires the attacker to initiate a request within the victim's browser (e.g., phishing).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9
prodsec@splunk.com 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,CWE-22,

Products Affected

Vendor Product Version
splunk splunk *
CVE-2022-27183 MEDIUM

The Monitoring Console app configured in Distributed mode allows for a Reflected XSS in a query parameter in Splunk Enterprise versions before 8.1.4. The Monitoring Console app is a bundled app included in Splunk Enterprise, not for download on SplunkBase, and not installed on Splunk Cloud Platform instances. Note that the Cloud Monitoring Console is not impacted.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7
prodsec@splunk.com 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,CWE-79,

Products Affected

Vendor Product Version
splunk splunk *
CVE-2022-27774 LOW

An insufficiently protected credentials vulnerability exists in curl 4.9 to and include curl 7.82.0 are affected that could allow an attacker to extract credentials when follows HTTP(S) redirects is used with authentication could leak credentials to other services that exist on different protocols or port numbers.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.7 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N 2.1 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-522,CWE-522,

Products Affected

Vendor Product Version
debian debian_linux 10.0
netapp h500s_firmware -
netapp hci_bootstrap_os -
netapp solidfire_&_hci_management_node -
netapp h410s_firmware -
haxx curl *
netapp h700s_firmware -
splunk universal_forwarder *
netapp clustered_data_ontap -
debian debian_linux 11.0
netapp h300s_firmware -
splunk universal_forwarder 9.1.0
brocade fabric_operating_system -
netapp solidfire_&_hci_storage_node -
CVE-2022-27775 MEDIUM

An information disclosure vulnerability exists in curl 7.65.0 to 7.82.0 are vulnerable that by using an IPv6 address that was in the connection pool but with a different zone id it could reuse a connection instead.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp h500s_firmware -
netapp hci_bootstrap_os -
netapp solidfire_&_hci_management_node -
netapp h410s_firmware -
haxx curl *
netapp h700s_firmware -
splunk universal_forwarder *
netapp clustered_data_ontap -
debian debian_linux 11.0
netapp h300s_firmware -
splunk universal_forwarder 9.1.0
brocade fabric_operating_system -
netapp solidfire_&_hci_storage_node -
CVE-2022-27776 MEDIUM

A insufficiently protected credentials vulnerability in fixed in curl 7.83.0 might leak authentication or cookie header data on HTTP redirects to the same host but another port number.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-522,CWE-522,

Products Affected

Vendor Product Version
fedoraproject fedora 36
debian debian_linux 10.0
netapp h500s_firmware -
fedoraproject fedora 37
netapp hci_bootstrap_os -
netapp solidfire_&_hci_management_node -
netapp h410s_firmware -
haxx curl *
netapp h700s_firmware -
splunk universal_forwarder *
netapp clustered_data_ontap -
debian debian_linux 11.0
netapp h300s_firmware -
splunk universal_forwarder 9.1.0
brocade fabric_operating_system -
netapp solidfire_&_hci_storage_node -
CVE-2022-27778 MEDIUM

A use of incorrectly resolved name vulnerability fixed in 7.83.1 might remove the wrong file when `--no-clobber` is used together with `--remove-on-error`.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H 2.8 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-706,CWE-706,

Products Affected

Vendor Product Version
oracle mysql_server *
netapp solidfire_&_hci_management_node -
netapp active_iq_unified_manager -
netapp h410s_firmware -
netapp oncommand_insight -
netapp h700s_firmware -
splunk universal_forwarder *
netapp clustered_data_ontap -
netapp oncommand_workflow_automation -
netapp h300s_firmware -
splunk universal_forwarder 9.1.0
netapp hci_compute_node_firmware -
netapp bh500s_firmware -
netapp snapcenter -
haxx curl 7.83.0
CVE-2022-27779 MEDIUM

libcurl wrongly allows cookies to be set for Top Level Domains (TLDs) if thehost name is provided with a trailing dot.curl can be told to receive and send cookies. curl's "cookie engine" can bebuilt with or without [Public Suffix List](https://publicsuffix.org/)awareness. If PSL support not provided, a more rudimentary check exists to atleast prevent cookies from being set on TLDs. This check was broken if thehost name in the URL uses a trailing dot.This can allow arbitrary sites to set cookies that then would get sent to adifferent and unrelated site or domain.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-201,NVD-CWE-Other,

Products Affected

Vendor Product Version
netapp h500s_firmware -
netapp hci_bootstrap_os -
netapp solidfire_&_hci_management_node -
netapp hci_compute_node -
netapp solidfire,_enterprise_sds_&_hci_storage_node -
netapp h410s_firmware -
haxx curl *
netapp h700s_firmware -
splunk universal_forwarder *
netapp clustered_data_ontap -
netapp h300s_firmware -
splunk universal_forwarder 9.1.0
CVE-2022-27780 MEDIUM

The curl URL parser wrongly accepts percent-encoded URL separators like '/'when decoding the host name part of a URL, making it a *different* URL usingthe wrong host name when it is later retrieved.For example, a URL like `http://example.com%2F127.0.0.1/`, would be allowed bythe parser and get transposed into `http://example.com/127.0.0.1/`. This flawcan be used to circumvent filters, checks and more.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-177,CWE-918,

Products Affected

Vendor Product Version
haxx curl *
netapp h700s_firmware -
splunk universal_forwarder *
netapp clustered_data_ontap -
netapp h300s_firmware -
netapp h500s_firmware -
splunk universal_forwarder 9.1.0
netapp hci_bootstrap_os -
netapp solidfire_&_hci_management_node -
netapp solidfire,_enterprise_sds_&_hci_storage_node -
netapp h410s_firmware -
CVE-2022-27781 MEDIUM

libcurl provides the `CURLOPT_CERTINFO` option to allow applications torequest details to be returned about a server's certificate chain.Due to an erroneous function, a malicious server could make libcurl built withNSS get stuck in a never-ending busy-loop when trying to retrieve thatinformation.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-400,CWE-835,

Products Affected

Vendor Product Version
debian debian_linux 10.0
netapp h500s_firmware -
netapp hci_bootstrap_os -
netapp solidfire_&_hci_management_node -
netapp hci_compute_node -
netapp solidfire,_enterprise_sds_&_hci_storage_node -
netapp h410s_firmware -
haxx curl *
netapp h700s_firmware -
splunk universal_forwarder *
netapp clustered_data_ontap -
debian debian_linux 11.0
netapp h300s_firmware -
splunk universal_forwarder 9.1.0
CVE-2022-27782 MEDIUM

libcurl would reuse a previously created connection even when a TLS or SSHrelated option had been changed that should have prohibited reuse.libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse if one of them matches the setup. However, several TLS andSSH settings were left out from the configuration match checks, making themmatch too easily.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-840,CWE-295,

Products Affected

Vendor Product Version
haxx curl *
splunk universal_forwarder *
debian debian_linux 10.0
debian debian_linux 11.0
splunk universal_forwarder 9.1.0
CVE-2022-30115 MEDIUM

Using its HSTS support, curl can be instructed to use HTTPS directly insteadof using an insecure clear-text HTTP step even when HTTP is provided in theURL. This mechanism could be bypassed if the host name in the given URL used atrailing dot while not using one when it built the HSTS cache. Or the otherway around - by having the trailing dot in the HSTS cache and *not* using thetrailing dot in the URL.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-325,CWE-319,

Products Affected

Vendor Product Version
haxx curl *
netapp h700s_firmware -
splunk universal_forwarder *
netapp clustered_data_ontap -
netapp h300s_firmware -
netapp h500s_firmware -
splunk universal_forwarder 9.1.0
netapp hci_bootstrap_os -
netapp solidfire_&_hci_management_node -
netapp solidfire,_enterprise_sds_&_hci_storage_node -
netapp h410s_firmware -
CVE-2022-32151 MEDIUM

The httplib and urllib Python libraries that Splunk shipped with Splunk Enterprise did not validate certificates using the certificate authority (CA) certificate stores by default in Splunk Enterprise versions before 9.0 and Splunk Cloud Platform versions before 8.2.2203. Python 3 client libraries now verify server certificates by default and use the appropriate CA certificate stores for each library. Apps and add-ons that include their own HTTP libraries are not affected. For Splunk Enterprise, update to Splunk Enterprise version 9.0 and Configure TLS host name validation for Splunk-to-Splunk communications (https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/EnableTLSCertHostnameValidation) to enable the remediation.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N 3.9 5.2
prodsec@splunk.com 7.4 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N 2.2 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-295,CWE-295,

Products Affected

Vendor Product Version
splunk splunk_cloud_platform *
splunk splunk *
CVE-2022-32152 MEDIUM

Splunk Enterprise peers in Splunk Enterprise versions before 9.0 and Splunk Cloud Platform versions before 8.2.2203 did not validate the TLS certificates during Splunk-to-Splunk communications by default. Splunk peer communications configured properly with valid certificates were not vulnerable. However, an attacker with administrator credentials could add a peer without a valid certificate and connections from misconfigured nodes without valid certificates did not fail by default. For Splunk Enterprise, update to Splunk Enterprise version 9.0 and Configure TLS host name validation for Splunk-to-Splunk communications (https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/EnableTLSCertHostnameValidation) to enable the remediation.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
prodsec@splunk.com 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9
nvd@nist.gov 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-295,CWE-295,

Products Affected

Vendor Product Version
splunk splunk_cloud_platform *
splunk splunk *
CVE-2022-32153 MEDIUM

Splunk Enterprise peers in Splunk Enterprise versions before 9.0 and Splunk Cloud Platform versions before 8.2.2203 did not validate the TLS certificates during Splunk-to-Splunk communications by default. Splunk peer communications configured properly with valid certificates were not vulnerable. However, an attacker with administrator credentials could add a peer without a valid certificate and connections from misconfigured nodes without valid certificates did not fail by default. For Splunk Enterprise, update to Splunk Enterprise version 9.0 and Configure TLS host name validation for Splunk-to-Splunk communications (https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/EnableTLSCertHostnameValidation) to enable the remediation.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
prodsec@splunk.com 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-297,CWE-295,

Products Affected

Vendor Product Version
splunk splunk_cloud_platform *
splunk splunk *
CVE-2022-32154 MEDIUM

Dashboards in Splunk Enterprise versions before 9.0 might let an attacker inject risky search commands into a form token when the token is used in a query in a cross-origin request. The result bypasses SPL safeguards for risky commands. See New capabilities can limit access to some custom and potentially risky commands (https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/SPLsafeguards#New_capabilities_can_limit_access_to_some_custom_and_potentially_risky_commands) for more information. Note that the attack is browser-based and an attacker cannot exploit it at will.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N 2.8 5.2
prodsec@splunk.com 6.8 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N 1.6 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,CWE-77,

Products Affected

Vendor Product Version
splunk splunk_cloud_platform *
splunk splunk *
CVE-2022-32155 MEDIUM

In universal forwarder versions before 9.0, management services are available remotely by default. When not required, it introduces a potential exposure, but it is not a vulnerability. If exposed, we recommend each customer assess the potential severity specific to your environment. In 9.0, the universal forwarder now binds the management port to localhost preventing remote logins by default. If management services are not required in versions before 9.0, set disableDefaultPort = true in server.conf OR allowRemoteLogin = never in server.conf OR mgmtHostPort = localhost in web.conf. See Configure universal forwarder management security (https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/EnableTLSCertHostnameValidation#Configure_universal_forwarder_management_security) for more information on disabling the remote management services.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-732,

Products Affected

Vendor Product Version
splunk splunk_cloud_platform *
splunk splunk *
CVE-2022-32156 MEDIUM

In Splunk Enterprise and Universal Forwarder versions before 9.0, the Splunk command-line interface (CLI) did not validate TLS certificates while connecting to a remote Splunk platform instance by default. After updating to version 9.0, see Configure TLS host name validation for the Splunk CLI https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/EnableTLSCertHostnameValidation#Configure_TLS_host_name_validation_for_the_Splunk_CLI to enable the remediation. The vulnerability does not affect the Splunk Cloud Platform. At the time of publishing, we have no evidence of exploitation of this vulnerability by external parties. The issue requires conditions beyond the control of a potential bad actor such as a machine-in-the-middle attack. Hence, Splunk rates the complexity of the attack as High.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-295,CWE-295,

Products Affected

Vendor Product Version
splunk universal_forwarder *
splunk splunk *
CVE-2022-32157 MEDIUM

Splunk Enterprise deployment servers in versions before 9.0 allow unauthenticated downloading of forwarder bundles. Remediation requires you to update the deployment server to version 9.0 and Configure authentication for deployment servers and clients (https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/ConfigDSDCAuthEnhancements#Configure_authentication_for_deployment_servers_and_clients). Once enabled, deployment servers can manage only Universal Forwarder versions 9.0 and higher. Though the vulnerability does not directly affect Universal Forwarders, remediation requires updating all Universal Forwarders that the deployment server manages to version 9.0 or higher prior to enabling the remediation.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6
prodsec@splunk.com 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-306,CWE-306,

Products Affected

Vendor Product Version
splunk splunk *
CVE-2022-32158 HIGH

Splunk Enterprise deployment servers in versions before 8.1.10.1, 8.2.6.1, and 9.0 let clients deploy forwarder bundles to other deployment clients through the deployment server. An attacker that compromised a Universal Forwarder endpoint could use the vulnerability to execute arbitrary code on all other Universal Forwarder endpoints subscribed to the deployment server.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 10.0 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H 3.9 6.0
prodsec@splunk.com 9.0 CRITICAL CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H 2.2 6.0

CVSS 2.0

Severity: HIGH

Problem Type: CWE-284,NVD-CWE-noinfo,

Products Affected

Vendor Product Version
splunk splunk *
CVE-2022-32205 MEDIUM

A malicious server can serve excessive amounts of `Set-Cookie:` headers in a HTTP response to curl and curl < 7.84.0 stores all of them. A sufficiently large amount of (big) cookies make subsequent HTTP requests to this, or other servers to which the cookies match, create requests that become larger than the threshold that curl uses internally to avoid sending crazy large requests (1048576 bytes) and instead returns an error.This denial state might remain for as long as the same cookies are kept, match and haven't expired. Due to cookie matching rules, a server on `foo.example.com` can set cookies that also would match for `bar.example.com`, making it it possible for a "sister server" to effectively cause a denial of service for a sibling site on the same second level domain using this method.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-770,CWE-770,

Products Affected

Vendor Product Version
siemens scalance_sc622-2c_firmware *
netapp h500s_firmware -
netapp solidfire -
netapp hci_management_node -
netapp element_software -
apple macos *
netapp h410s_firmware -
haxx curl *
netapp h700s_firmware -
siemens scalance_sc646-2c_firmware *
siemens scalance_sc632-2c_firmware *
siemens scalance_sc642-2c_firmware *
siemens scalance_sc636-2c_firmware *
splunk universal_forwarder *
netapp clustered_data_ontap -
debian debian_linux 11.0
netapp h300s_firmware -
siemens scalance_sc626-2c_firmware *
splunk universal_forwarder 9.1.0
fedoraproject fedora 35
CVE-2022-32206 MEDIUM

curl < 7.84.0 supports "chained" HTTP compression algorithms, meaning that a serverresponse can be compressed multiple times and potentially with different algorithms. The number of acceptable "links" in this "decompression chain" was unbounded, allowing a malicious server to insert a virtually unlimited number of compression steps.The use of such a decompression chain could result in a "malloc bomb", makingcurl end up spending enormous amounts of allocated heap memory, or trying toand returning out of memory errors.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-770,CWE-770,

Products Affected

Vendor Product Version
netapp bootstrap_os -
siemens scalance_sc622-2c_firmware *
debian debian_linux 10.0
netapp h500s_firmware -
netapp solidfire -
netapp hci_management_node -
netapp element_software -
netapp h410s_firmware -
haxx curl *
netapp h700s_firmware -
siemens scalance_sc646-2c_firmware *
siemens scalance_sc632-2c_firmware *
siemens scalance_sc642-2c_firmware *
siemens scalance_sc636-2c_firmware *
splunk universal_forwarder *
netapp clustered_data_ontap -
debian debian_linux 11.0
netapp h300s_firmware -
siemens scalance_sc626-2c_firmware *
splunk universal_forwarder 9.1.0
fedoraproject fedora 35
CVE-2022-32207 HIGH

When curl < 7.84.0 saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by finalizing the operation with a rename from a temporary name to the final target file name.In that rename operation, it might accidentally *widen* the permissions for the target file, leaving the updated file accessible to more users than intended.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-840,CWE-276,

Products Affected

Vendor Product Version
netapp bootstrap_os -
netapp h500s_firmware -
netapp solidfire -
netapp hci_management_node -
netapp element_software -
apple macos *
netapp h410s_firmware -
haxx curl *
netapp h700s_firmware -
splunk universal_forwarder *
netapp clustered_data_ontap -
debian debian_linux 11.0
netapp h300s_firmware -
splunk universal_forwarder 9.1.0
fedoraproject fedora 35
CVE-2022-32208 MEDIUM

When curl < 7.84.0 does FTP transfers secured by krb5, it handles message verification failures wrongly. This flaw makes it possible for a Man-In-The-Middle attack to go unnoticed and even allows it to inject data to the client.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-840,CWE-787,

Products Affected

Vendor Product Version
netapp bootstrap_os -
debian debian_linux 10.0
netapp h500s_firmware -
netapp solidfire -
netapp hci_management_node -
netapp element_software -
apple macos *
netapp h410s_firmware -
haxx curl *
netapp h700s_firmware -
splunk universal_forwarder *
netapp clustered_data_ontap -
debian debian_linux 11.0
netapp h300s_firmware -
splunk universal_forwarder 9.1.0
fedoraproject fedora 35
CVE-2022-32221

When doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously was used to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the subsequent `POST` request. The problem exists in the logic for a reused handle when it is changed from a PUT to a POST.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
haxx curl *
netapp h700s_firmware -
splunk universal_forwarder *
debian debian_linux 10.0
netapp clustered_data_ontap -
debian debian_linux 11.0
netapp h300s_firmware -
netapp h500s_firmware -
splunk universal_forwarder 9.1.0
apple macos *
netapp h410s_firmware -
CVE-2022-35252

When curl is used to retrieve and parse cookies from a HTTP(S) server, itaccepts cookies using control codes that when later are sent back to a HTTPserver might make the server return 400 responses. Effectively allowing a"sister site" to deny service to all siblings.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L 2.2 1.4

Products Affected

Vendor Product Version
netapp bootstrap_os -
debian debian_linux 10.0
netapp h500s_firmware -
netapp solidfire -
netapp hci_management_node -
netapp element_software -
apple macos *
netapp h410s_firmware -
haxx curl *
netapp h700s_firmware -
splunk universal_forwarder *
netapp clustered_data_ontap -
netapp h300s_firmware -
splunk universal_forwarder 9.1.0
CVE-2022-35260

curl can be told to parse a `.netrc` file for credentials. If that file endsin a line with 4095 consecutive non-white space letters and no newline, curlwould first read past the end of the stack-based buffer, and if the readworks, write a zero byte beyond its boundary.This will in most cases cause a segfault or similar, but circumstances might also cause different outcomes.If a malicious user can provide a custom netrc file to an application or otherwise affect its contents, this flaw could be used as denial-of-service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 2.8 3.6

Products Affected

Vendor Product Version
haxx curl *
netapp h700s_firmware -
splunk universal_forwarder *
netapp clustered_data_ontap -
netapp h300s_firmware -
netapp h500s_firmware -
splunk universal_forwarder 9.1.0
apple macos *
netapp h410s_firmware -
CVE-2022-35737

SQLite 1.0.12 through 3.39.x before 3.39.2 sometimes allows an array-bounds overflow if billions of bytes are used in a string argument to a C API.

Products Affected

Vendor Product Version
netapp ontap_select_deploy_administration_utility -
splunk universal_forwarder *
splunk universal_forwarder 9.1.0
sqlite sqlite *
CVE-2022-36227

In libarchive before 3.6.2, the software does not check for an error after calling calloc function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer dereference. NOTE: the discoverer cites this CWE-476 remark but third parties dispute the code-execution impact: "In rare circumstances, when NULL is equivalent to the 0x0 memory address and privileged code can access it, then writing or reading memory is possible, which may lead to code execution."

Products Affected

Vendor Product Version
splunk universal_forwarder *
debian debian_linux 10.0
splunk universal_forwarder 9.1.0
fedoraproject fedora 37
libarchive libarchive *
CVE-2022-37437

When using Ingest Actions to configure a destination that resides on Amazon Simple Storage Service (S3) in Splunk Web, TLS certificate validation is not correctly performed and tested for the destination. The vulnerability only affects connections between Splunk Enterprise and an Ingest Actions Destination through Splunk Web and only applies to environments that have configured TLS certificate validation. It does not apply to Destinations configured directly in the outputs.conf configuration file. The vulnerability affects Splunk Enterprise version 9.0.0 and does not affect versions below 9.0.0, including the 8.1.x and 8.2.x versions.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9
prodsec@splunk.com 7.4 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N 2.2 5.2

Products Affected

Vendor Product Version
splunk splunk 9.0.0
CVE-2022-37438

In Splunk Enterprise versions in the following table, an authenticated user can craft a dashboard that could potentially leak information (for example, username, email, and real name) about Splunk users, when visited by another user through the drilldown component. The vulnerability requires user access to create and share dashboards using Splunk Web.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.5 LOW CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N 2.1 1.4
prodsec@splunk.com 2.6 LOW CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N 1.2 1.4

Products Affected

Vendor Product Version
splunk splunk_cloud_platform *
splunk splunk 9.0.0
splunk splunk *
CVE-2022-37439

In Splunk Enterprise and Universal Forwarder versions in the following table, indexing a specially crafted ZIP file using the file monitoring input can result in a crash of the application. Attempts to restart the application would result in a crash and would require manually removing the malformed file.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6
prodsec@splunk.com 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

Products Affected

Vendor Product Version
splunk universal_forwarder *
splunk splunk *
CVE-2022-42915

curl before 7.86.0 has a double free. If curl is told to use an HTTP proxy for a transfer with a non-HTTP(S) URL, it sets up the connection to the remote server by issuing a CONNECT request to the proxy, and then tunnels the rest of the protocol through. An HTTP proxy might refuse this request (HTTP proxies often only allow outgoing connections to specific port numbers, like 443 for HTTPS) and instead return a non-200 status code to the client. Due to flaws in the error/cleanup handling, this could trigger a double free in curl if one of the following schemes were used in the URL for the transfer: dict, gopher, gophers, ldap, ldaps, rtmp, rtmps, or telnet. The earliest affected version is 7.77.0.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
fedoraproject fedora 36
netapp h500s_firmware -
fedoraproject fedora 37
apple macos *
netapp ontap_9 -
netapp h410s_firmware -
haxx curl *
netapp h700s_firmware -
splunk universal_forwarder *
netapp h300s_firmware -
splunk universal_forwarder 9.1.0
fedoraproject fedora 35
CVE-2022-42916

In curl before 7.86.0, the HSTS check could be bypassed to trick it into staying with HTTP. Using its HSTS support, curl can be instructed to use HTTPS directly (instead of using an insecure cleartext HTTP step) even when HTTP is provided in the URL. This mechanism could be bypassed if the host name in the given URL uses IDN characters that get replaced with ASCII counterparts as part of the IDN conversion, e.g., using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop of U+002E (.). The earliest affected version is 7.77.0 2021-05-26.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

Products Affected

Vendor Product Version
haxx curl *
splunk universal_forwarder *
fedoraproject fedora 36
splunk universal_forwarder 9.1.0
fedoraproject fedora 37
fedoraproject fedora 35
apple macos *
CVE-2022-43551

A vulnerability exists in curl <7.87.0 HSTS check that could be bypassed to trick it to keep using HTTP. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. However, the HSTS mechanism could be bypassed if the host name in the given URL first uses IDN characters that get replaced to ASCII counterparts as part of the IDN conversion. Like using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop (U+002E) `.`. Then in a subsequent request, it does not detect the HSTS state and makes a clear text transfer. Because it would store the info IDN encoded but look for it IDN decoded.

Products Affected

Vendor Product Version
haxx curl *
netapp oncommand_insight -
splunk universal_forwarder *
netapp oncommand_workflow_automation -
splunk universal_forwarder 9.1.0
fedoraproject fedora 37
netapp active_iq_unified_manager -
netapp snapcenter -
CVE-2022-43552

A use after free vulnerability exists in curl <7.87.0. Curl can be asked to *tunnel* virtually all protocols it supports through an HTTP proxy. HTTP proxies can (and often do) deny such tunnel operations. When getting denied to tunnel the specific protocols SMB or TELNET, curl would use a heap-allocated struct after it had been freed, in its transfer shutdown code path.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H 2.2 3.6

Products Affected

Vendor Product Version
haxx curl *
splunk universal_forwarder *
splunk universal_forwarder 9.1.0
apple macos *
CVE-2022-43561

In Splunk Enterprise versions below 8.1.12, 8.2.9, and 9.0.2, a remote user that holds the “power” Splunk role can store arbitrary scripts that can lead to persistent cross-site scripting (XSS). The vulnerability affects instances with Splunk Web enabled.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N 1.7 2.7
prodsec@splunk.com 6.4 MEDIUM CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H 0.5 5.9

Products Affected

Vendor Product Version
splunk splunk_cloud_platform *
splunk splunk *
CVE-2022-43562

In Splunk Enterprise versions below 8.1.12, 8.2.9, and 9.0.2, Splunk Enterprise fails to properly validate and escape the Host header, which could let a remote authenticated user conduct various attacks against the system, including cross-site scripting and cache poisoning.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
prodsec@splunk.com 3.0 LOW CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N 1.3 1.4
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

Products Affected

Vendor Product Version
splunk splunk_cloud_platform *
splunk splunk *
CVE-2022-43563

In Splunk Enterprise versions below 8.2.9 and 8.1.12, the way that the rex search command handles field names lets an attacker bypass SPL safeguards for risky commands https://docs.splunk.com/Documentation/SplunkCloud/latest/Security/SPLsafeguards . The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The attacker cannot exploit the vulnerability at will.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
prodsec@splunk.com 8.1 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N 2.8 5.2
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
splunk splunk_cloud_platform *
splunk splunk *
CVE-2022-43564

In Splunk Enterprise versions below 8.1.12, 8.2.9, and 9.0.2, a remote user who can create search macros and schedule search reports can cause a denial of service through the use of specially crafted search macros.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
prodsec@splunk.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

Products Affected

Vendor Product Version
splunk splunk_cloud_platform *
splunk splunk *
CVE-2022-43565

In Splunk Enterprise versions below 8.2.9 and 8.1.12, the way that the ‘tstats command handles Javascript Object Notation (JSON) lets an attacker bypass SPL safeguards for risky commands https://docs.splunk.com/Documentation/SplunkCloud/latest/Security/SPLsafeguards . The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
prodsec@splunk.com 8.1 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N 2.8 5.2
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
splunk splunk_cloud_platform *
splunk splunk *
CVE-2022-43566

In Splunk Enterprise versions below 8.2.9, 8.1.12, and 9.0.2, an authenticated user can run risky commands using a more privileged user’s permissions to bypass SPL safeguards for risky commands https://docs.splunk.com/Documentation/SplunkCloud/latest/Security/SPLsafeguards  in the Analytics Workspace. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The attacker cannot exploit the vulnerability at will.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
prodsec@splunk.com 7.3 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N 2.1 5.2
nvd@nist.gov 8.0 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H 2.1 5.9

Products Affected

Vendor Product Version
splunk splunk_cloud_platform *
splunk splunk *
CVE-2022-43567

In Splunk Enterprise versions below 8.2.9, 8.1.12, and 9.0.2, an authenticated user can run arbitrary operating system commands remotely through the use of specially crafted requests to the mobile alerts feature in the Splunk Secure Gateway app.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9
prodsec@splunk.com 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
splunk splunk_cloud_platform *
splunk splunk *
CVE-2022-43568

In Splunk Enterprise versions below 8.1.12, 8.2.9, and 9.0.2, a View allows for a Reflected Cross Site Scripting via JavaScript Object Notation (JSON) in a query parameter when output_mode=radio.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7
prodsec@splunk.com 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
splunk splunk_cloud_platform *
splunk splunk *
CVE-2022-43569

In Splunk Enterprise versions below 8.1.12, 8.2.9, and 9.0.2, an authenticated user can inject and store arbitrary scripts that can lead to persistent cross-site scripting (XSS) in the object name of a Data Model.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7
prodsec@splunk.com 8.0 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H 2.1 5.9

Products Affected

Vendor Product Version
splunk splunk_cloud_platform *
splunk splunk *
CVE-2022-43570

In Splunk Enterprise versions below 8.1.12, 8.2.9, and 9.0.2, an authenticated user can perform an extensible markup language (XML) external entity (XXE) injection via a custom View. The XXE injection causes Splunk Web to embed incorrect documents into an error.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6
prodsec@splunk.com 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
splunk splunk_cloud_platform *
splunk splunk *
CVE-2022-43571

In Splunk Enterprise versions below 8.2.9, 8.1.12, and 9.0.2, an authenticated user can execute arbitrary code through the dashboard PDF generation component.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9
prodsec@splunk.com 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
splunk splunk_cloud_platform *
splunk splunk *
CVE-2022-43572

In Splunk Enterprise versions below 8.2.9, 8.1.12, and 9.0.2, sending a malformed file through the Splunk-to-Splunk (S2S) or HTTP Event Collector (HEC) protocols to an indexer results in a blockage or denial-of-service preventing further indexing.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
prodsec@splunk.com 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

Products Affected

Vendor Product Version
splunk splunk_cloud_platform *
splunk splunk *
CVE-2023-22931

In Splunk Enterprise versions below 8.1.13 and 8.2.10, the ‘createrss’ external search command overwrites existing Resource Description Format Site Summary (RSS) feeds without verifying permissions. This feature has been deprecated and disabled by default.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
prodsec@splunk.com 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N 2.8 1.4
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N 2.8 1.4

Products Affected

Vendor Product Version
splunk splunk_cloud_platform *
splunk splunk *
CVE-2023-22932

In Splunk Enterprise 9.0 versions before 9.0.4, a View allows for Cross-Site Scripting (XSS) through the error message in a Base64-encoded image. The vulnerability affects instances with Splunk Web enabled. It does not affect Splunk Enterprise versions below 9.0.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
prodsec@splunk.com 8.7 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N 2.3 5.8
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

Products Affected

Vendor Product Version
splunk splunk_cloud_platform *
splunk splunk *
CVE-2023-22933

In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, a View allows for Cross-Site Scripting (XSS) in an extensible mark-up language (XML) View through the ‘layoutPanel’ attribute in the ‘module’ tag’.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7
prodsec@splunk.com 8.0 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H 2.1 5.9

Products Affected

Vendor Product Version
splunk splunk_cloud_platform *
splunk splunk *
CVE-2023-22934

In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the ‘pivot’ search processing language (SPL) command lets a search bypass SPL safeguards for risky commands using a saved search job. The vulnerability requires an authenticated user to craft the saved job and a higher privileged user to initiate a request within their browser.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.0 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H 2.1 5.9
prodsec@splunk.com 7.3 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N 2.1 5.2

Products Affected

Vendor Product Version
splunk splunk_cloud_platform *
splunk splunk *
CVE-2023-22935

In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the ‘display.page.search.patterns.sensitivity’ search parameter lets a search bypass SPL safeguards for risky commands. The vulnerability requires a higher privileged user to initiate a request within their browser and only affects instances with Splunk Web enabled.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
prodsec@splunk.com 8.1 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N 2.8 5.2
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
splunk splunk_cloud_platform *
splunk splunk *
CVE-2023-22936

In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the ‘search_listener’ parameter in a search allows for a blind server-side request forgery (SSRF) by an authenticated user. The initiator of the request cannot see the response without the presence of an additional vulnerability within the environment.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L 2.8 3.4
prodsec@splunk.com 6.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L 2.8 3.4

Products Affected

Vendor Product Version
splunk splunk_cloud_platform *
splunk splunk *
CVE-2023-22937

In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the lookup table upload feature let a user upload lookup tables with unnecessary filename extensions. Lookup table file extensions may now be one of the following only: .csv, .csv.gz, .kmz, .kml, .mmdb, or .mmdb.gzl.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N 2.8 1.4
prodsec@splunk.com 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N 2.8 1.4

Products Affected

Vendor Product Version
splunk splunk_cloud_platform *
splunk splunk *
CVE-2023-22938

In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the ‘sendemail’ REST API endpoint lets any authenticated user send an email as the Splunk instance. The endpoint is now restricted to the ‘splunk-system-user’ account on the local instance.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N 2.8 1.4
prodsec@splunk.com 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N 2.8 1.4

Products Affected

Vendor Product Version
splunk splunk_cloud_platform *
splunk splunk *
CVE-2023-22939

In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the ‘map’ search processing language (SPL) command lets a search bypass SPL safeguards for risky commands. The vulnerability requires a higher privileged user to initiate a request within their browser and only affects instances with Splunk Web enabled.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
prodsec@splunk.com 8.1 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N 2.8 5.2
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
splunk splunk_cloud_platform *
splunk splunk *
CVE-2023-22940

In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, aliases of the ‘collect’ search processing language (SPL) command, including ‘summaryindex’, ‘sumindex’, ‘stash’,’ mcollect’, and ‘meventcollect’, were not designated as safeguarded commands. The commands could potentially allow for the exposing of data to a summary index that unprivileged users could access. The vulnerability requires a higher privileged user to initiate a request within their browser, and only affects instances with Splunk Web enabled.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.7 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N 2.1 3.6
prodsec@splunk.com 6.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N 2.1 4.2

Products Affected

Vendor Product Version
splunk splunk_cloud_platform *
splunk splunk *
CVE-2023-22941

In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, an improperly-formatted ‘INGEST_EVAL’ parameter in a Field Transformation crashes the Splunk daemon (splunkd).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6
prodsec@splunk.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

Products Affected

Vendor Product Version
splunk splunk_cloud_platform *
splunk splunk *
CVE-2023-22942

In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, a cross-site request forgery in the Splunk Secure Gateway (SSG) app in the ‘kvstore_client’ REST endpoint lets a potential attacker update SSG KV store collections using an HTTP GET request.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N 2.8 1.4
prodsec@splunk.com 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L 2.8 2.5

Products Affected

Vendor Product Version
splunk splunk *
CVE-2023-22943

In Splunk Add-on Builder (AoB) versions below 4.1.2 and the Splunk CloudConnect SDK versions below 3.1.3, requests to third-party APIs through the REST API Modular Input incorrectly revert to using HTTP to connect after a failure to connect over HTTPS occurs.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
prodsec@splunk.com 4.8 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N 2.2 2.5
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N 3.9 1.4

Products Affected

Vendor Product Version
splunk add-on_builder *
splunk cloudconnect_software_development_kit *
CVE-2023-23914

A cleartext transmission of sensitive information vulnerability exists in curl <v7.88.0 that could cause HSTS functionality fail when multiple URLs are requested serially. Using its HSTS support, curl can be instructed to use HTTPS instead of usingan insecure clear-text HTTP step even when HTTP is provided in the URL. ThisHSTS mechanism would however surprisingly be ignored by subsequent transferswhen done on the same command line because the state would not be properlycarried on.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N 3.9 5.2

Products Affected

Vendor Product Version
haxx curl *
netapp h700s_firmware -
splunk universal_forwarder *
netapp h300s_firmware -
netapp h500s_firmware -
splunk universal_forwarder 9.1.0
netapp clustered_data_ontap 9.0
netapp active_iq_unified_manager -
netapp h410s_firmware -
CVE-2023-23915

A cleartext transmission of sensitive information vulnerability exists in curl <v7.88.0 that could cause HSTS functionality to behave incorrectly when multiple URLs are requested in parallel. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This HSTS mechanism would however surprisingly fail when multiple transfers are done in parallel as the HSTS cache file gets overwritten by the most recentlycompleted transfer. A later HTTP-only transfer to the earlier host name would then *not* get upgraded properly to HSTS.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N 3.9 2.5

Products Affected

Vendor Product Version
haxx curl *
netapp h700s_firmware -
splunk universal_forwarder *
netapp h300s_firmware -
netapp h500s_firmware -
splunk universal_forwarder 9.1.0
netapp clustered_data_ontap 9.0
netapp active_iq_unified_manager -
netapp h410s_firmware -
CVE-2023-23916

An allocation of resources without limits or throttling vulnerability exists in curl <v7.88.0 based on the "chained" HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with differentalgorithms. The number of acceptable "links" in this "decompression chain" wascapped, but the cap was implemented on a per-header basis allowing a maliciousserver to insert a virtually unlimited number of compression steps simply byusing many headers. The use of such a decompression chain could result in a "malloc bomb", making curl end up spending enormous amounts of allocated heap memory, or trying to and returning out of memory errors.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
haxx curl *
netapp h700s_firmware -
splunk universal_forwarder *
fedoraproject fedora 36
debian debian_linux 10.0
netapp clustered_data_ontap -
debian debian_linux 11.0
netapp h300s_firmware -
netapp h500s_firmware -
splunk universal_forwarder 9.1.0
netapp h410s_firmware -
CVE-2023-27533

A vulnerability in input validation exists in curl <8.0 during communication using the TELNET protocol may allow an attacker to pass on maliciously crafted user name and "telnet options" during server negotiation. The lack of proper input scrubbing allows an attacker to send content or perform option negotiation without the application's intent. This vulnerability could be exploited if an application allows user input, thereby enabling attackers to execute arbitrary code on the system.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
haxx curl *
netapp h700s_firmware -
splunk universal_forwarder *
fedoraproject fedora 36
netapp h300s_firmware -
netapp h500s_firmware -
splunk universal_forwarder 9.1.0
netapp clustered_data_ontap 9.0
netapp active_iq_unified_manager -
netapp h410s_firmware -
CVE-2023-27534

A path traversal vulnerability exists in curl <8.0.0 SFTP implementation causes the tilde (~) character to be wrongly replaced when used as a prefix in the first path element, in addition to its intended use as the first element to indicate a path relative to the user's home directory. Attackers can exploit this flaw to bypass filtering or execute arbitrary code by crafting a path like /~2/foo while accessing a server with a specific user.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
haxx curl *
netapp h700s_firmware -
broadcom brocade_fabric_operating_system_firmware -
splunk universal_forwarder *
fedoraproject fedora 36
netapp h300s_firmware -
netapp h500s_firmware -
splunk universal_forwarder 9.1.0
netapp active_iq_unified_manager -
netapp h410s_firmware -
CVE-2023-27535

An authentication bypass vulnerability exists in libcurl <8.0.0 in the FTP connection reuse feature that can result in wrong credentials being used during subsequent transfers. Previously created connections are kept in a connection pool for reuse if they match the current setup. However, certain FTP settings such as CURLOPT_FTP_ACCOUNT, CURLOPT_FTP_ALTERNATIVE_TO_USER, CURLOPT_FTP_SSL_CCC, and CURLOPT_USE_SSL were not included in the configuration match checks, causing them to match too easily. This could lead to libcurl using the wrong credentials when performing a transfer, potentially allowing unauthorized access to sensitive information.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

Products Affected

Vendor Product Version
netapp h700s_firmware -
splunk universal_forwarder *
fedoraproject fedora 36
debian debian_linux 10.0
netapp h300s_firmware -
netapp h500s_firmware -
splunk universal_forwarder 9.1.0
netapp active_iq_unified_manager -
haxx libcurl *
netapp ontap_9 -
netapp h410s_firmware -
CVE-2023-27536

An authentication bypass vulnerability exists libcurl <8.0.0 in the connection reuse feature which can reuse previously established connections with incorrect user permissions due to a failure to check for changes in the CURLOPT_GSSAPI_DELEGATION option. This vulnerability affects krb5/kerberos/negotiate/GSSAPI transfers and could potentially result in unauthorized access to sensitive information. The safest option is to not reuse connections if the CURLOPT_GSSAPI_DELEGATION option has been changed.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
netapp h700s_firmware -
splunk universal_forwarder *
fedoraproject fedora 36
debian debian_linux 10.0
netapp h300s_firmware -
netapp h500s_firmware -
splunk universal_forwarder 9.1.0
netapp active_iq_unified_manager -
haxx libcurl *
netapp h410s_firmware -
netapp ontap 9
CVE-2023-27537

A double free vulnerability exists in libcurl <8.0.0 when sharing HSTS data between separate "handles". This sharing was introduced without considerations for do this sharing across separate threads but there was no indication of this fact in the documentation. Due to missing mutexes or thread locks, two threads sharing the same HSTS data could end up doing a double-free or use-after-free.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H 2.2 3.6

Products Affected

Vendor Product Version
netapp h700s_firmware -
broadcom brocade_fabric_operating_system_firmware -
splunk universal_forwarder *
netapp h300s_firmware -
netapp h500s_firmware -
splunk universal_forwarder 9.1.0
netapp clustered_data_ontap 9.0
haxx libcurl 7.88.1
netapp active_iq_unified_manager -
haxx libcurl 7.88.0
netapp h410s_firmware -
CVE-2023-27538

An authentication bypass vulnerability exists in libcurl prior to v8.0.0 where it reuses a previously established SSH connection despite the fact that an SSH option was modified, which should have prevented reuse. libcurl maintains a pool of previously used connections to reuse them for subsequent transfers if the configurations match. However, two SSH settings were omitted from the configuration check, allowing them to match easily, potentially leading to the reuse of an inappropriate connection.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 1.8 3.6

Products Affected

Vendor Product Version
broadcom brocade_fabric_operating_system_firmware -
fedoraproject fedora 36
debian debian_linux 10.0
netapp h500s_firmware -
netapp active_iq_unified_manager -
haxx libcurl *
netapp h410s_firmware -
netapp h700s_firmware -
splunk universal_forwarder *
netapp h300s_firmware -
splunk universal_forwarder 9.1.0
netapp clustered_data_ontap 9.0
CVE-2023-32706

On Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, an unauthenticated attacker can send specially-crafted messages to the XML parser within SAML authentication to cause a denial of service in the Splunk daemon.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
prodsec@splunk.com 7.7 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H 3.1 4.0

Products Affected

Vendor Product Version
splunk splunk_cloud_platform *
splunk splunk *
CVE-2023-32707

In versions of Splunk Enterprise below 9.0.5, 8.2.11, and 8.1.14, and Splunk Cloud Platform below version 9.0.2303.100, a low-privileged user who holds a role that has the ‘edit_user’ capability assigned to it can escalate their privileges to that of the admin user by providing specially crafted web requests.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
prodsec@splunk.com 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
splunk splunk_cloud_platform *
splunk splunk *
CVE-2023-32708

In Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, and Splunk Cloud Platform versions below 9.0.2303.100, a low-privileged user can trigger an HTTP response splitting vulnerability with the ‘rest’ SPL command that lets them potentially access other REST endpoints in the system arbitrarily.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
prodsec@splunk.com 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

Products Affected

Vendor Product Version
splunk splunk_cloud_platform *
splunk splunk *
CVE-2023-32709

In Splunk Enterprise versions below 9.0.5, 8.2.11. and 8.1.14, and Splunk Cloud Platform versions below 9.0.2303.100, a low-privileged user who holds the ‘user’ role can see the hashed version of the initial user name and password for the Splunk instance by using the ‘rest’ SPL command against the ‘conf-user-seed’ REST endpoint.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
prodsec@splunk.com 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 2.8 1.4

Products Affected

Vendor Product Version
splunk splunk_cloud_platform *
splunk splunk *
CVE-2023-32710

In Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, and in Splunk Cloud Platform versions below 9.0.2303.100, a low-privileged user can perform an unauthorized transfer of data from a search using the ‘copyresults’ command if they know the search ID (SID) of a search job that has recently run.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
prodsec@splunk.com 4.8 MEDIUM CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N 1.2 3.6

Products Affected

Vendor Product Version
splunk splunk_cloud_platform *
splunk splunk *
CVE-2023-32711

In Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, a Splunk dashboard view lets a low-privileged user exploit a vulnerability in the Bootstrap web framework (CVE-2019-8331) and build a stored cross-site scripting (XSS) payload.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
prodsec@splunk.com 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

Products Affected

Vendor Product Version
splunk splunk *
CVE-2023-32712

In Splunk Enterprise versions below 9.1.0.2, 9.0.5.1, and 8.2.11.2, an attacker can inject American National Standards Institute (ANSI) escape codes into Splunk log files that, when a vulnerable terminal application reads them, can potentially, at worst, result in possible code execution in the vulnerable application. This attack requires a user to use a terminal application that supports the translation of ANSI escape codes to read the malicious log file locally in the vulnerable terminal, and to perform additional user interaction to exploit. Universal Forwarder versions 9.1.0.1, 9.0.5, 8.2.11, and lower can be vulnerable in situations where they have management services active and accessible over the network. Universal Forwarder versions 9.0.x and 9.1.x bind management services to the local machine and are not vulnerable in this specific configuration. See SVD-2022-0605 for more information. Universal Forwarder versions 9.1 use Unix Domain Sockets (UDS) for communication, which further reduces the potential attack surface. The vulnerability does not directly affect Splunk Enterprise or Universal Forwarder. The indirect impact on Splunk Enterprise and Universal Forwarder can vary significantly depending on the permissions in the vulnerable terminal application and where and how the user reads the malicious log file. For example, users can copy the malicious file from the Splunk Enterprise instance and read it on their local machine.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
prodsec@splunk.com 3.4 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N 1.6 1.4

Products Affected

Vendor Product Version
splunk splunk *
CVE-2023-32713

In Splunk App for Stream versions below 8.1.1, a low-privileged user could use a vulnerability in the streamfwd process within the Splunk App for Stream to escalate their privileges on the machine that runs the Splunk Enterprise instance, up to and including the root user.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
prodsec@splunk.com 7.8 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H 1.1 6.0

Products Affected

Vendor Product Version
splunk splunk_app_for_stream *
CVE-2023-32714

In the Splunk App for Lookup File Editing versions below 4.0.1, a low-privileged user can, with a specially crafted web request, trigger a path traversal exploit that can then be used to read and write to restricted areas of the Splunk installation directory.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
prodsec@splunk.com 8.1 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N 2.8 5.2

Products Affected

Vendor Product Version
splunk splunk *
splunk splunk_app_for_lookup_file_editing *
CVE-2023-32715

In the Splunk App for Lookup File Editing versions below 4.0.1, a user can insert potentially malicious JavaScript code into the app, which causes that code to run on the user’s machine. The app itself does not contain the potentially malicious JavaScript code. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser, and requires additional user interaction to trigger. The attacker cannot exploit the vulnerability at will.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
prodsec@splunk.com 4.7 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N 1.6 2.7

Products Affected

Vendor Product Version
splunk splunk_app_for_lookup_file_editing *
CVE-2023-32716

In Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, and Splunk Cloud Platform versions below 9.0.2303.100, an attacker can exploit a vulnerability in the {{dump}} SPL command to cause a denial of service by crashing the Splunk daemon.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
prodsec@splunk.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

Products Affected

Vendor Product Version
splunk splunk_cloud_platform *
splunk splunk *
CVE-2023-32717

On Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, and in Splunk Cloud Platform versions below 9.0.2303.100, an unauthorized user can access the {{/services/indexing/preview}} REST endpoint to overwrite search results if they know the search ID (SID) of an existing search job.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
prodsec@splunk.com 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N 2.8 1.4

Products Affected

Vendor Product Version
splunk splunk_cloud_platform *
splunk splunk *
CVE-2023-3997

Splunk SOAR versions lower than 6.1.0 are indirectly affected by a potential vulnerability accessed through the user’s terminal. A third party can send Splunk SOAR a maliciously crafted web request containing special ANSI characters to cause log file poisoning. When a terminal user attempts to view the poisoned logs, this can tamper with the terminal and cause possible malicious code execution from the terminal user’s action.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
prodsec@splunk.com 8.6 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H 1.8 6.0

Products Affected

Vendor Product Version
splunk soar *
CVE-2023-40592

In Splunk Enterprise versions below 9.1.1, 9.0.6, and 8.2.12, an attacker can craft a special web request that can result in reflected cross-site scripting (XSS) on the “/app/search/table” web endpoint. Exploitation of this vulnerability can lead to the execution of arbitrary commands on the Splunk platform instance.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7
prodsec@splunk.com 8.4 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H 1.7 6.0

Products Affected

Vendor Product Version
splunk splunk_cloud_platform *
splunk splunk 9.1.0
splunk splunk *
CVE-2023-40593

In Splunk Enterprise versions lower than 9.0.6 and 8.2.12, a malicious actor can send a malformed security assertion markup language (SAML) request to the `/saml/acs` REST endpoint which can cause a denial of service through a crash or hang of the Splunk daemon.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6
prodsec@splunk.com 6.3 MEDIUM CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H 1.8 4.0

Products Affected

Vendor Product Version
splunk splunk_cloud_platform *
splunk splunk *
CVE-2023-40594

In Splunk Enterprise versions lower than 8.2.12, 9.0.6, and 9.1.1, an attacker can use the `printf` SPL function to perform a denial of service (DoS) against the Splunk Enterprise instance.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6
prodsec@splunk.com 6.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H 2.0 4.0

Products Affected

Vendor Product Version
splunk splunk_cloud_platform *
splunk splunk 9.1.0
splunk splunk *
CVE-2023-40595

In Splunk Enterprise versions lower than 8.2.12, 9.0.6, and 9.1.1, an attacker can execute a specially crafted query that they can then use to serialize untrusted data. The attacker can use the query to execute arbitrary code.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9
prodsec@splunk.com 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
splunk splunk_cloud_platform *
splunk splunk 9.1.0
splunk splunk *
CVE-2023-40596

In Splunk Enterprise versions earlier than 8.2.12, 9.0.6, and 9.1.1, a dynamic link library (DLL) that ships with Splunk Enterprise references an insecure path for the OPENSSLDIR build definition. An attacker can abuse this reference and subsequently install malicious code to achieve privilege escalation on the Windows machine.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H 2.0 6.0
prodsec@splunk.com 7.0 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 1.0 5.9

Products Affected

Vendor Product Version
splunk splunk 9.1.0
splunk splunk *
CVE-2023-40597

In Splunk Enterprise versions lower than 8.2.12, 9.0.6, and 9.1.1, an attacker can exploit an absolute path traversal to execute arbitrary code that is located on a separate disk.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
prodsec@splunk.com 7.8 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H 1.1 6.0
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H 2.0 6.0

Products Affected

Vendor Product Version
splunk splunk_cloud_platform *
splunk splunk 9.1.0
splunk splunk *
CVE-2023-40598

In Splunk Enterprise versions below 8.2.12, 9.0.6, and 9.1.1, an attacker can create an external lookup that calls a legacy internal function. The attacker can use this internal function to insert code into the Splunk platform installation directory. From there, a user can execute arbitrary code on the Splunk platform Instance.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9
prodsec@splunk.com 8.5 HIGH CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H 1.8 6.0

Products Affected

Vendor Product Version
splunk splunk_cloud_platform *
splunk splunk *
CVE-2023-4571

In Splunk IT Service Intelligence (ITSI) versions below below 4.13.3, 4.15.3, or 4.17.1, a malicious actor can inject American National Standards Institute (ANSI) escape codes into Splunk ITSI log files that, when a vulnerable terminal application reads them, can run malicious code in the vulnerable application. This attack requires a user to use a terminal application that translates ANSI escape codes to read the malicious log file locally in the vulnerable terminal. The vulnerability also requires additional user interaction to succeed. The vulnerability does not directly affect Splunk ITSI. The indirect impact on Splunk ITSI can vary significantly depending on the permissions in the vulnerable terminal application, as well as where and how the user reads the malicious log file. For example, users can copy the malicious file from Splunk ITSI and read it on their local machine.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
prodsec@splunk.com 8.6 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H 1.8 6.0
nvd@nist.gov 8.6 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H 1.8 6.0

Products Affected

Vendor Product Version
splunk it_service_intelligence 4.17.0
splunk it_service_intelligence *
CVE-2023-46213

In Splunk Enterprise versions below 9.0.7 and 9.1.2, ineffective escaping in the “Show syntax Highlighted” feature can result in the execution of unauthorized code in a user’s web browser.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
prodsec@splunk.com 4.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N 1.7 2.7
nvd@nist.gov 4.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N 1.7 2.7

Products Affected

Vendor Product Version
splunk cloud *
splunk splunk *
CVE-2023-46214

In Splunk Enterprise versions below 9.0.7 and 9.1.2, Splunk Enterprise does not safely sanitize extensible stylesheet language transformations (XSLT) that users supply. This means that an attacker can upload malicious XSLT which can result in remote code execution on the Splunk Enterprise instance.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9
prodsec@splunk.com 8.0 HIGH CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H 1.3 6.0

Products Affected

Vendor Product Version
splunk cloud *
splunk splunk *
CVE-2023-46230

In Splunk Add-on Builder versions below 4.1.4, the app writes sensitive information to internal log files.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N 1.2 3.6
prodsec@splunk.com 8.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:L 2.3 5.3

Products Affected

Vendor Product Version
splunk add-on_builder *
CVE-2023-46231

In Splunk Add-on Builder versions below 4.1.4, the application writes user session tokens to its internal log files when you visit the Splunk Add-on Builder or when you build or edit a custom app or add-on.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
prodsec@splunk.com 6.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H 0.9 5.9
nvd@nist.gov 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

Products Affected

Vendor Product Version
splunk add-on_builder *
CVE-2024-22164

In Splunk Enterprise Security (ES) versions below 7.1.2, an attacker can use investigation attachments to perform a denial of service (DoS) to the Investigation. The attachment endpoint does not properly limit the size of the request which lets an attacker cause the Investigation to become inaccessible.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
prodsec@splunk.com 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L 2.8 1.4
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L 2.8 1.4

Products Affected

Vendor Product Version
splunk enterprise_security *
CVE-2024-22165

In Splunk Enterprise Security (ES) versions lower than 7.1.2, an attacker can create a malformed Investigation to perform a denial of service (DoS). The malformed investigation prevents the generation and rendering of the Investigations manager until it is deleted.<br>The vulnerability requires an authenticated session and access to create an Investigation. It only affects the availability of the Investigations manager, but without the manager, the Investigations functionality becomes unusable for most users.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
prodsec@splunk.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

Products Affected

Vendor Product Version
splunk enterprise_security *
CVE-2024-23675

In Splunk Enterprise versions below 9.0.8 and 9.1.3, Splunk app key value store (KV Store) improperly handles permissions for users that use the REST application programming interface (API). This can potentially result in the deletion of KV Store collections.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
prodsec@splunk.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N 2.8 3.6
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N 2.8 3.6

Products Affected

Vendor Product Version
splunk cloud *
splunk splunk *
CVE-2024-23676

In Splunk versions below 9.0.8 and 9.1.3, the “mrollup” SPL command lets a low-privileged user view metrics on an index that they do not have permission to view. This vulnerability requires user interaction from a high-privileged user to exploit.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
prodsec@splunk.com 4.6 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N 2.1 2.5
nvd@nist.gov 3.5 LOW CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N 2.1 1.4

Products Affected

Vendor Product Version
splunk cloud *
splunk splunk *
CVE-2024-23677

In Splunk Enterprise versions below 9.0.8, the Splunk RapidDiag utility discloses server responses from external applications in a log file.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
prodsec@splunk.com 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 2.8 1.4
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

Products Affected

Vendor Product Version
splunk cloud *
splunk splunk *
CVE-2024-23678

In Splunk Enterprise for Windows versions below 9.0.8 and 9.1.3, Splunk Enterprise does not correctly sanitize path input data. This results in the unsafe deserialization of untrusted data from a separate disk partition on the machine. This vulnerability only affects Splunk Enterprise for Windows.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
prodsec@splunk.com 7.5 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H 0.8 6.0
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H 2.0 6.0

Products Affected

Vendor Product Version
splunk splunk *
CVE-2024-29945

In Splunk Enterprise versions below 9.2.1, 9.1.4, and 9.0.9, the software potentially exposes authentication tokens during the token validation process. This exposure happens when either Splunk Enterprise runs in debug mode or the JsonWebToken component has been configured to log its activity at the DEBUG logging level.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
prodsec@splunk.com 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

Products Affected

Vendor Product Version
splunk splunk *
CVE-2024-29946

In Splunk Enterprise versions below 9.2.1, 9.1.4, and 9.0.9, the Dashboard Examples Hub lacks protections for risky SPL commands. This could let attackers bypass SPL safeguards for risky commands in the Hub. The vulnerability would require the attacker to phish the victim by tricking them into initiating a request within their browser.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
prodsec@splunk.com 8.1 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N 2.8 5.2

Products Affected

Vendor Product Version
splunk splunk *
CVE-2024-36982

In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.109 and 9.1.2308.207, an attacker could trigger a null pointer reference on the cluster/config REST endpoint, which could result in a crash of the Splunk daemon.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
prodsec@splunk.com 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
splunk cloud *
splunk splunk *
CVE-2024-36986

In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.200 and 9.1.2308.207, an authenticated user could run risky commands using the permissions of a higher-privileged user to bypass SPL safeguards for risky commands in the Analytics Workspace. The vulnerability requires the authenticated user to phish the victim by tricking them into initiating a request within their browser. The authenticated user should not be able to exploit the vulnerability at will.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
prodsec@splunk.com 6.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N 2.1 4.2

Products Affected

Vendor Product Version
splunk cloud *
splunk splunk *
CVE-2024-36987

In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.200, an authenticated, low-privileged user who does not hold the admin or power Splunk roles could upload a file with an arbitrary extension using the indexing/preview REST endpoint.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
prodsec@splunk.com 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N 2.8 1.4

Products Affected

Vendor Product Version
splunk cloud *
splunk splunk *
CVE-2024-36989

In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.200, a low-privileged user that does not hold the admin or power Splunk roles could create notifications in Splunk Web Bulletin Messages that all users on the instance receive.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
prodsec@splunk.com 7.1 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N 2.8 4.2

Products Affected

Vendor Product Version
splunk cloud *
splunk splunk *
CVE-2024-36990

In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.2.2403.100, an authenticated, low-privileged user that does not hold the admin or power Splunk roles could send a specially crafted HTTP POST request to the datamodel/web REST endpoint in Splunk Enterprise, potentially causing a denial of service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
prodsec@splunk.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

Products Affected

Vendor Product Version
splunk splunk_cloud_platform *
splunk splunk *
CVE-2024-36991

In Splunk Enterprise on Windows versions below 9.2.2, 9.1.5, and 9.0.10, an attacker could perform a path traversal on the /modules/messaging/ endpoint in Splunk Enterprise on Windows. This vulnerability should only affect Splunk Enterprise on Windows.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
prodsec@splunk.com 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

Products Affected

Vendor Product Version
splunk splunk *
CVE-2024-36992

In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.200 and 9.1.2308.207, a low-privileged user that does not hold the admin or power Splunk roles could craft a malicious payload through a View that could result in execution of unauthorized JavaScript code in the browser of a user. The “url” parameter of the Dashboard element does not have proper input validation to reject invalid URLs, which could lead to a Persistent Cross-site Scripting (XSS) exploit.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
prodsec@splunk.com 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

Products Affected

Vendor Product Version
splunk splunk_cloud_platform *
splunk splunk *
CVE-2024-36993

In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.200 and 9.1.2308.207, a low-privileged user that does not hold the admin or power Splunk roles could craft a malicious payload through a Splunk Web Bulletin Messages that could result in execution of unauthorized JavaScript code in the browser of a user.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
prodsec@splunk.com 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

Products Affected

Vendor Product Version
splunk splunk_cloud_platform *
splunk splunk *
CVE-2024-36994

In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.200 and 9.1.2308.207, a low-privileged user that does not hold the admin or power Splunk roles could craft a malicious payload through a View and Splunk Web Bulletin Messages that could result in execution of unauthorized JavaScript code in the browser of a user.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
prodsec@splunk.com 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

Products Affected

Vendor Product Version
splunk splunk_cloud_platform *
splunk splunk *
CVE-2024-36995

In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.200 and 9.1.2308.207, a low-privileged user that does not hold the admin or power Splunk roles could create experimental items.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
prodsec@splunk.com 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

Products Affected

Vendor Product Version
splunk splunk_cloud_platform *
splunk splunk *
CVE-2024-36996

In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.109, an attacker could determine whether or not another user exists on the instance by deciphering the error response that they would likely receive from the instance when they attempt to log in. This disclosure could then lead to additional brute-force password-guessing attacks. This vulnerability would require that the Splunk platform instance uses the Security Assertion Markup Language (SAML) authentication scheme.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
prodsec@splunk.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

Products Affected

Vendor Product Version
splunk splunk_cloud_platform *
splunk splunk *
CVE-2024-53244

In Splunk Enterprise versions below 9.3.2, 9.2.4, and 9.1.7 and Splunk Cloud Platform versions below 9.2.2406.107, 9.2.2403.109, and 9.1.2312.206, a low-privileged user that does not hold the “admin“ or “power“ Splunk roles could run a saved search with a risky command using the permissions of a higher-privileged user to bypass the SPL safeguards for risky commands on “/en-US/app/search/report“ endpoint through “s“ parameter.<br>The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The authenticated user should not be able to exploit the vulnerability at will.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.7 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N 2.1 3.6
prodsec@splunk.com 5.7 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N 2.1 3.6

Products Affected

Vendor Product Version
splunk splunk_cloud_platform *
splunk splunk *
CVE-2024-53245

In Splunk Enterprise versions below 9.3.0, 9.2.4, and 9.1.7 and Splunk Cloud Platform versions below 9.1.2312.206, a low-privileged user that does not hold the “admin“ or “power“ Splunk roles, that has a username with the same name as a role with read access to dashboards, could see the dashboard name and the dashboard XML by cloning the dashboard.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
prodsec@splunk.com 3.1 LOW CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N 1.6 1.4
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 2.8 1.4

Products Affected

Vendor Product Version
splunk splunk_cloud_platform *
splunk splunk *
CVE-2025-20226

In Splunk Enterprise versions below 9.4.1, 9.3.3, 9.2.5, and 9.1.8 and Splunk Cloud Platform versions below 9.3.2408.107, 9.2.2406.111, and 9.1.2308.214, a low-privileged user that does not hold the "admin" or "power" Splunk roles could run a saved search with a risky command using the permissions of a higher-privileged user to bypass the SPL safeguards for risky commands on the "/services/streams/search" endpoint through its "q" parameter. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The authenticated user should not be able to exploit the vulnerability at will.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@cisco.com 5.7 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N 2.1 3.6

Products Affected

Vendor Product Version
splunk splunk 9.4.0
splunk splunk_cloud_platform *
splunk splunk *
CVE-2025-20227

In Splunk Enterprise versions below 9.4.1, 9.3.3, 9.2.5, and 9.1.8, and Splunk Cloud Platform versions below 9.3.2408.107, 9.2.2406.112, 9.2.2403.115, 9.1.2312.208 and 9.1.2308.214, a low-privileged user that does not hold the "admin" or "power" Splunk roles could bypass the external content warning modal dialog box in Dashboard Studio dashboards which could lead to an information disclosure.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@cisco.com 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 2.8 1.4

Products Affected

Vendor Product Version
splunk splunk 9.4.0
splunk splunk_cloud_platform *
splunk splunk *
CVE-2025-20228

In Splunk Enterprise versions below 9.3.3, 9.2.5, and 9.1.8 and Splunk Cloud Platform versions below 9.2.2403.108, and 9.1.2312.204, a low-privileged user that does not hold the "admin" or "power" Splunk roles could change the maintenance mode state of App Key Value Store (KVStore) through a Cross-Site Request Forgery (CSRF).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@cisco.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 2.8 3.6

Products Affected

Vendor Product Version
splunk splunk_cloud_platform *
splunk splunk *
CVE-2025-20229

In Splunk Enterprise versions below 9.3.3, 9.2.5, and 9.1.8, and Splunk Cloud Platform versions below 9.3.2408.104, 9.2.2406.108, 9.2.2403.114, and 9.1.2312.208, a low-privileged user that does not hold the "admin" or "power" Splunk roles could perform a Remote Code Execution (RCE) through a file upload to the "$SPLUNK_HOME/var/run/splunk/apptemp" directory due to missing authorization checks.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@cisco.com 8.0 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H 2.1 5.9

Products Affected

Vendor Product Version
splunk splunk 9.4.0
splunk splunk_cloud_platform *
splunk splunk *
CVE-2025-20230

In Splunk Enterprise versions below 9.4.1, 9.3.3, 9.2.5, and 9.1.8, and versions below 3.8.38 and 3.7.23 of the Splunk Secure Gateway app on Splunk Cloud Platform, a low-privileged user that does not hold the “admin“ or “power“ Splunk roles could edit and delete other user data in App Key Value Store (KVStore) collections that the Splunk Secure Gateway app created. This is due to missing access control and incorrect ownership of the data in those KVStore collections.<br><br>In the affected versions, the `nobody` user owned the data in the KVStore collections. This meant that there was no specific owner assigned to the data in those collections.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@cisco.com 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N 2.8 1.4

Products Affected

Vendor Product Version
splunk splunk_secure_gateway *
splunk splunk *
CVE-2025-20231

In Splunk Enterprise versions below 9.4.1, 9.3.3, 9.2.5, and 9.1.8, and versions below 3.8.38 and 3.7.23 of the Splunk Secure Gateway app on Splunk Cloud Platform, a low-privileged user that does not hold the “admin“ or “power“ Splunk roles could run a search using the permissions of a higher-privileged user that could lead to disclosure of sensitive information.<br><br>The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The authenticated low-privileged user should not be able to exploit the vulnerability at will.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@cisco.com 7.1 HIGH CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H 1.2 5.9

Products Affected

Vendor Product Version
splunk splunk 9.4.0
splunk splunk_secure_gateway *
splunk splunk *
CVE-2025-20232

In Splunk Enterprise versions below 9.3.3, 9.2.5, and 9.1.8 and Splunk Cloud Platform versions below 9.3.2408.103, 9.2.2406.108, 9.2.2403.113, 9.1.2312.208 and 9.1.2308.212, a low-privileged user that does not hold the “admin“ or “power“ Splunk roles could run a saved search with a risky command using the permissions of a higher-privileged user to bypass the SPL safeguards for risky commands on the “/app/search/search“ endpoint through its “s“ parameter. <br>The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The authenticated user should not be able to exploit the vulnerability at will.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@cisco.com 5.7 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N 2.1 3.6

Products Affected

Vendor Product Version
splunk splunk_cloud_platform *
splunk splunk *
CVE-2025-20233

In the Splunk App for Lookup File Editing versions below 4.0.5, a script in the app used the `chmod` and `makedirs` Python functions in a way that resulted in overly broad read and execute permissions. This could lead to improper access control for a low-privileged user.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@cisco.com 2.5 LOW CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N 1.0 1.4

Products Affected

Vendor Product Version
splunk splunk_app_for_lookup_file_editing *
CVE-2025-20297

In Splunk Enterprise versions below 9.4.2, 9.3.4 and 9.2.6, and Splunk Cloud Platform versions below 9.3.2411.102, 9.3.2408.111 and 9.2.2406.118, a low-privileged user that does not hold the "admin" or "power" Splunk roles could craft a malicious payload through the pdfgen/render REST endpoint that could result in execution of unauthorized JavaScript code in the browser of a user.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@cisco.com 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 2.8 1.4

Products Affected

Vendor Product Version
splunk splunk_cloud_platform *
splunk splunk *
CVE-2025-20298

In Universal Forwarder for Windows versions below 9.4.2, 9.3.4, 9.2.6, and 9.1.9, a new installation of or an upgrade to an affected version can result in incorrect permissions assignment in the Universal Forwarder for Windows Installation directory (by default, C:\Program Files\SplunkUniversalForwarder). This lets non-administrator users on the machine access the directory and all its contents.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@cisco.com 8.0 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H 2.1 5.9

Products Affected

Vendor Product Version
splunk universal_forwarder *
CVE-2025-20300

In Splunk Enterprise versions below 9.4.2, 9.3.5, 9.2.6, and 9.1.9 and Splunk Cloud Platform versions below 9.3.2411.103, 9.3.2408.112, and 9.2.2406.119, a low-privileged user that does not hold the "admin" or "power" Splunk roles, and has read-only access to a specific alert, could suppress that alert when it triggers. See [Define alert suppression groups to throttle sets of similar alerts](https://help.splunk.com/en/splunk-enterprise/alert-and-respond/alerting-manual/9.4/manage-alert-trigger-conditions-and-throttling/define-alert-suppression-groups-to-throttle-sets-of-similar-alerts).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@cisco.com 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N 2.8 1.4

Products Affected

Vendor Product Version
splunk splunk_cloud_platform *
splunk splunk *
CVE-2025-20319

In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7, and 9.1.10, a user who holds a role that contains the high-privilege capability `edit_scripted` and `list_inputs` capability , could perform a remote command execution due to improper user input sanitization on the scripted input files.<br><br>See [Define roles on the Splunk platform with capabilities](https://docs.splunk.com/Documentation/Splunk/latest/Security/Rolesandcapabilities) and [Setting up a scripted input ](https://docs.splunk.com/Documentation/Splunk/9.4.2/AdvancedDev/ScriptSetup)for more information.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@cisco.com 6.8 MEDIUM CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 0.9 5.9

Products Affected

Vendor Product Version
splunk splunk *
CVE-2025-20320

In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7 and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.107, 9.3.2408.117, and 9.2.2406.121, a low-privileged user that does not hold the "admin" or "power" Splunk roles could craft a malicious payload through the `User Interface - Views` configuration page that could potentially lead to a denial of service (DoS).The user could cause the DoS by exploiting a path traversal vulnerability that allows for deletion of arbitrary files within a Splunk directory. The vulnerability requires the low-privileged user to phish the administrator-level victim by tricking them into initiating a request within their browser. The low-privileged user should not be able to exploit the vulnerability at will.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@cisco.com 6.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:H 2.1 4.2

Products Affected

Vendor Product Version
splunk splunk_cloud_platform *
splunk splunk *
CVE-2025-20321

In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7 and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.104, 9.3.2408.114, and 9.2.2406.119, an unauthenticated attacker can send a specially-crafted SPL search that could change the membership state in a Splunk Search Head Cluster (SHC) through a Cross-Site Request Forgery (CSRF), potentially leading to the removal of the captain or a member of the SHC.<br><br>The vulnerability requires the attacker to phish the administrator-level victim by tricking them into initiating a request within their browser. The attacker should not be able to exploit the vulnerability at will.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@cisco.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 2.8 3.6

Products Affected

Vendor Product Version
splunk splunk_cloud_platform *
splunk splunk *
CVE-2025-20322

In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7, and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.104, 9.3.2408.113, and 9.2.2406.119, an unauthenticated attacker could send a specially-crafted SPL search command that could trigger a rolling restart in the Search Head Cluster through a Cross-Site Request Forgery (CSRF), potentially leading to a denial of service (DoS).<br><br>The vulnerability requires the attacker to phish the administrator-level victim by tricking them into initiating a request within their browser. The attacker should not be able to exploit the vulnerability at will.<br><br>See [How rolling restart works](https://docs.splunk.com/Documentation/Splunk/9.4.2/DistSearch/RestartSHC) for more information.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@cisco.com 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L 2.8 1.4

Products Affected

Vendor Product Version
splunk splunk_cloud_platform *
splunk splunk *
CVE-2025-20323

In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7, and 9.1.10, a low-privileged user that does not hold the "admin" or "power" Splunk roles could turn off the scheduled search `Bucket Copy Trigger` within the Splunk Archiver application. This is because of missing access controls in the saved searches for this app.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@cisco.com 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N 2.8 1.4

Products Affected

Vendor Product Version
splunk splunk *
CVE-2025-20324

In Splunk Enterprise versions below 9.4.2, 9.3.5, 9.2.7, and 9.1.10 and Splunk Cloud Platform versions below 9.3.2411.104, 9.3.2408.113, and 9.2.2406.119, a low-privileged user that does not hold the "admin" or "power" Splunk roles could create or overwrite [system source type](https://help.splunk.com/en/splunk-enterprise/get-started/get-data-in/9.2/configure-source-types/create-source-types) configurations by sending a specially-crafted payload to the `/servicesNS/nobody/search/admin/sourcetypes/` REST endpoint on the Splunk management port.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@cisco.com 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N 2.8 2.5

Products Affected

Vendor Product Version
splunk splunk_cloud_platform *
splunk splunk *
CVE-2025-20325

In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7, and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.103, 9.3.2408.113, and 9.2.2406.119, the software potentially exposes the search head cluster [splunk.secret](https://help.splunk.com/en/splunk-enterprise/administer/manage-users-and-security/9.4/install-splunk-enterprise-securely/deploy-secure-passwords-across-multiple-servers) key. This exposure could happen if you have a Search Head cluster and you configure the Splunk Enterprise `SHCConfig` log channel at the DEBUG logging level in the clustered deployment. <br><br>The vulnerability would require either local access to the log files or administrative access to internal indexes, which by default only the admin role receives. Review roles and capabilities on your instance and restrict internal index access to administrator-level roles. <br><br>See [Define roles on the Splunk platform with capabilities](https://docs.splunk.com/Documentation/Splunk/latest/Security/Rolesandcapabilities), [Deploy a search head cluster](https://help.splunk.com/en/splunk-enterprise/administer/distributed-search/9.4/deploy-search-head-clustering/deploy-a-search-head-cluster), [Deploy secure passwords across multiple servers](https://help.splunk.com/en/splunk-enterprise/administer/manage-users-and-security/9.4/install-splunk-enterprise-securely/deploy-secure-passwords-across-multiple-servers) and [Set a security key for the search head cluster](https://help.splunk.com/splunk-enterprise/administer/distributed-search/9.4/configure-search-head-clustering/set-a-security-key-for-the-search-head-cluster#id_2c54937a_736c_47b5_9485_67e9e390acfa__Set_a_security_key_for_the_search_head_cluster) for more information.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@cisco.com 3.1 LOW CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N 1.6 1.4

Products Affected

Vendor Product Version
splunk splunk_cloud_platform *
splunk splunk *
CVE-2025-20366

In Splunk Enterprise versions below 9.4.4, 9.3.6, and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.111, 9.3.2408.119, and 9.2.2406.122, a low-privileged user that does not hold the admin or power Splunk roles could access sensitive search results if Splunk Enterprise runs an administrative search job in the background. If the low privileged user guesses the search job’s unique Search ID (SID), the user could retrieve the results of that job, potentially exposing sensitive search results. For more information see https://help.splunk.com/en/splunk-enterprise/search/search-manual/10.0/manage-jobs/about-jobs-and-job-management and https://help.splunk.com/en/splunk-enterprise/search/search-manual/10.0/manage-jobs/manage-search-jobs.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@cisco.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6

Products Affected

Vendor Product Version
splunk splunk_cloud_platform *
splunk splunk *
CVE-2025-20367

In Splunk Enterprise versions below 9.4.4, 9.3.6 and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.109, 9.3.2408.119 and 9.2.2406.122, a low-privileged user that does not hold the 'admin' or 'power' Splunk roles could craft a malicious payload through the `dataset.command` parameter of the `/app/search/table` endpoint, which could result in execution of unauthorized JavaScript code in the browser of a user.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7
psirt@cisco.com 5.7 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N 2.1 3.6

Products Affected

Vendor Product Version
splunk splunk_cloud_platform *
splunk splunk *
CVE-2025-20368

In Splunk Enterprise versions below 9.4.4, 9.3.6, and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.108, 9.3.2408.118 and 9.2.2406.123, a low privileged user that does not hold the admin or power Splunk roles could craft a malicious payload through the error messages and job inspection details of a saved search. This could result in execution of unauthorized JavaScript code in the browser of a user.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7
psirt@cisco.com 5.7 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N 2.1 3.6

Products Affected

Vendor Product Version
splunk splunk_cloud_platform *
splunk splunk *
CVE-2025-20369

In Splunk Enterprise versions below 9.4.4, 9.3.6, and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.108, 9.3.2408.118 and 9.2.2406.123, a low privilege user that does not hold the "admin" or "power" Splunk roles could perform an extensible markup language (XML) external entity (XXE) injection through the dashboard tab label field. The XXE injection has the potential to cause denial of service (DoS) attacks.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@cisco.com 4.6 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L 2.1 2.5
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

Products Affected

Vendor Product Version
splunk splunk_cloud_platform *
splunk splunk *
CVE-2025-20370

In Splunk Enterprise versions below 10.0.1, 9.4.4, 9.3.6, and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.108, 9.3.2408.118 and 9.2.2406.123, a user who holds a role that contains the high-privilege capability `change_authentication`, could send multiple LDAP bind requests to a specific internal endpoint, resulting in high server CPU usage, which could potentially lead to a denial of service (DoS) until the Splunk Enterprise instance is restarted. See https://help.splunk.com/en/splunk-enterprise/administer/manage-users-and-security/10.0/manage-splunk-platform-users-and-roles/define-roles-on-the-splunk-platform-with-capabilities and https://help.splunk.com/en/splunk-enterprise/administer/manage-users-and-security/10.0/use-ldap-as-an-authentication-scheme/configure-ldap-with-splunk-web#cfe47e31_007f_460d_8b3d_8505ffc3f0dd__Configure_LDAP_with_Splunk_Web for more information.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@cisco.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
splunk splunk 10.0.0
splunk splunk_cloud_platform *
splunk splunk *
CVE-2025-20371

In Splunk Enterprise versions below 10.0.1, 9.4.4, 9.3.6 and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.109, 9.3.2408.119 and 9.2.2406.122, an unauthenticated attacker could trigger a blind server-side request forgery (SSRF) potentially letting an attacker perform REST API calls on behalf of an authenticated high-privileged user.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@cisco.com 7.5 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H 1.6 5.9
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
splunk splunk 10.0.0
splunk splunk_cloud_platform *
splunk splunk *
CVE-2025-20378

In Splunk Enterprise versions below 10.0.1, 9.4.5, 9.3.7, 9.2.9, and Splunk Cloud Platform versions below 10.0.2503.5, 9.3.2411.111, and 9.3.2408.121, an unauthenticated attacker could craft a malicious URL using the `return_to` parameter of the Splunk Web login endpoint. When an authenticated user visits the malicious URL, it could cause an unvalidated redirect to an external malicious site. To be successful, the attacker has to trick the victim into initiating a request from their browser. The unauthenticated attacker should not be able to exploit the vulnerability at will.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@cisco.com 3.1 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N 1.6 1.4

Products Affected

Vendor Product Version
splunk splunk 10.0.0
splunk splunk_cloud_platform *
splunk splunk *
CVE-2025-20379

In Splunk Enterprise versions below 10.0.1, 9.4.5, 9.3.7, and 9.2.9 and Splunk Cloud Platform versions below 9.3.2411.116, 9.3.2408.124, 10.0.2503.5 and 10.1.2507.1, a low-privileged user that does not hold the “admin“ or “power“ Splunk roles could run a saved search with a risky command using the permissions of a higher-privileged user to bypass the SPL safeguards for risky commands. They could bypass these safeguards on the “/services/streams/search“ endpoint through its “q“ parameter by circumventing endpoint restrictions using character encoding in the REST path. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The authenticated user should not be able to exploit the vulnerability at will.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@cisco.com 3.5 LOW CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N 2.1 1.4

Products Affected

Vendor Product Version
splunk splunk 10.0.0
splunk splunk_cloud_platform *
splunk splunk *
CVE-2025-20382

In Splunk Enterprise versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, and Splunk Cloud Platform versions below 10.1.2507.10, 10.0.2503.8, and 9.3.2411.120, a low-privileged user that does not hold the "admin" or "power" Splunk roles could create a views dashboard with a custom background using the `data:image/png;base64` protocol that could potentially lead to an unvalidated redirect. This behavior circumvents the Splunk external URL warning mechanism by using a specially crafted URL, allowing for a redirection to an external malicious site. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The authenticated user should not be able to exploit the vulnerability at will.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@cisco.com 3.5 LOW CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N 2.1 1.4

Products Affected

Vendor Product Version
splunk splunk_cloud_platform *
splunk splunk *
CVE-2025-20383

In Splunk Enterprise versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, and below 3.9.10, 3.8.58, and 3.7.28 of Splunk Secure Gateway app in Splunk Cloud Platform, a low-privileged user that does not hold the "admin" or "power" Splunk roles and subscribes to mobile push notifications could receive notifications that disclose the title and description of the report or alert even if they do not have access to view the report or alert.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@cisco.com 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 2.8 1.4

Products Affected

Vendor Product Version
splunk splunk_secure_gateway *
splunk splunk_cloud_platform *
splunk splunk *
CVE-2025-20384

In Splunk Enterprise versions below 10.0.1, 9.4.6, 9.3.8, and 9.2.10, and Splunk Cloud Platform versions below 10.1.2507.4, 10.0.2503.6, and 9.3.2411.117.125, an unauthenticated attacker can inject American National Standards Institute (ANSI) escape codes into Splunk log files due to improper validation at the /en-US/static/ web endpoint. This may allow them to poison, forge, or obfuscate sensitive log data through specially crafted HTTP requests, potentially impacting log integrity and detection capabilities.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@cisco.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N 3.9 1.4

Products Affected

Vendor Product Version
splunk splunk 10.0.0
splunk splunk_cloud_platform *
splunk splunk *
CVE-2025-20385

In Splunk Enterprise versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, and Splunk Cloud Platform versions below 10.1.2507.6, 10.0.2503.7, and 9.3.2411.117, a user who holds a role with a high privilege capability `admin_all_objects` could craft a malicious payload through the href attribute of an anchor tag within a collection in the navigation bar, which could result in execution of unauthorized JavaScript code in the browser of a user.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@cisco.com 2.4 LOW CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N 0.9 1.4

Products Affected

Vendor Product Version
splunk splunk_cloud_platform *
splunk splunk *
CVE-2025-20386

In Splunk Enterprise for Windows versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, a new installation of or an upgrade to an affected version can result in incorrect permissions assignment in the Splunk Enterprise for Windows Installation directory. This lets non-administrator users on the machine access the directory and all its contents.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@cisco.com 8.0 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H 2.1 5.9

Products Affected

Vendor Product Version
splunk splunk *
CVE-2025-20387

In Splunk Universal Forwarder for Windows versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, a new installation of or an upgrade to an affected version can result in incorrect permissions assignment in the Universal Forwarder for Windows Installation directory. This lets non-administrator users on the machine access the directory and all its contents.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@cisco.com 8.0 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H 2.1 5.9

Products Affected

Vendor Product Version
splunk splunk *
CVE-2025-20388

In Splunk Enterprise versions below 10.0.1, 9.4.6, 9.3.8, and 9.2.10, and Splunk Cloud Platform versions below 10.1.2507.4, 10.0.2503.7, and 9.3.2411.116, a user who holds a role that contains the high privilege capability `change_authentication` could enumerate internal IP addresses and network ports when adding new search peers to a Splunk search head in a distributed environment.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@cisco.com 2.7 LOW CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N 1.2 1.4

Products Affected

Vendor Product Version
splunk splunk 10.0.0
splunk splunk_cloud_platform *
splunk splunk *
CVE-2025-20389

In Splunk Enterprise versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, and versions below 3.9.10, 3.8.58 and 3.7.28 of the Splunk Secure Gateway app on Splunk Cloud Platform, a low-privileged user that does not hold the "admin" or "power" Splunk roles could craft a malicious payload through the `label` column field after adding a new device in the Splunk Secure Gateway app. This could potentially lead to a client-side denial of service (DoS).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@cisco.com 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L 2.8 1.4

Products Affected

Vendor Product Version
splunk splunk_secure_gateway *
splunk splunk_cloud_platform *
splunk splunk *
CVE-2026-20163

In Splunk Enterprise versions below 10.2.0, 10.0.4, 9.4.9, and 9.3.10, and Splunk Cloud Platform versions below 10.2.2510.5, 10.0.2503.12, 10.1.2507.16, and 9.3.2411.124, a user who holds a role that contains the high-privilege capability `edit_cmd` could execute arbitrary shell commands using the `unarchive_cmd` parameter for the `/splunkd/__upload/indexing/preview` REST endpoint.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@cisco.com 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

Products Affected

Vendor Product Version
splunk splunk_cloud_platform *
splunk splunk *
CVE-2026-20164

In Splunk Enterprise versions below 10.2.0, 10.0.3, 9.4.9, and 9.3.10, and Splunk Cloud Platform versions below 10.2.2510.5, 10.1.2507.16, 10.0.2503.11, and 9.3.2411.123, a low-privileged user that does not hold the "admin" or "power" Splunk roles could access the `/splunkd/__raw/servicesNS/-/-/configs/conf-passwords` REST API endpoint, which exposes the hashed or plaintext password values that are stored in the passwords.conf configuration file due to improper access control. This vulnerability could allow for the unauthorized disclosure of sensitive credentials.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@cisco.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6

Products Affected

Vendor Product Version
splunk splunk_cloud_platform *
splunk splunk *
CVE-2026-20165

In Splunk Enterprise versions below 10.2.1, 10.0.4, 9.4.9, and 9.3.10, and Splunk Cloud Platform versions below 10.2.2510.7, 10.1.2507.17, 10.0.2503.12, and 9.3.2411.124, a low-privileged user that does not hold the "admin" or "power" Splunk roles could retrieve sensitive information by inspecting the job's search log due to improper access control in the MongoClient logging channel.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@cisco.com 6.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L 2.8 3.4

Products Affected

Vendor Product Version
splunk splunk_cloud_platform *
splunk splunk *
splunk splunk 10.2.0
CVE-2026-20166

In Splunk Enterprise versions below 10.2.1 and 10.0.4, and Splunk Cloud Platform versions below 10.2.2510.5, 10.1.2507.16, and 10.0.2503.12, a low-privileged user that does not hold the "admin" or "power" Splunk roles could retrieve the Observability Cloud API access token through the Discover Splunk Observability Cloud app due to improper access control. This vulnerability does not affect Splunk Enterprise versions below 9.4.9 and 9.3.10 because the Discover Splunk Observability Cloud app does not come with Splunk Enterprise.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@cisco.com 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N 2.8 2.5

Products Affected

Vendor Product Version
splunk splunk_cloud_platform *
splunk splunk *
splunk splunk 10.2.0