<rss version="2.0"> <channel> <title>Splunk Security Announcements</title> <link>https://advisory.splunk.com/feed.xml</link> <description>Splunk Security Announcements</description> <language>en</language> <copyright>2023 Splunk</copyright> <item> <title> <![CDATA[SVD-2024-1015: Third-Party Package Updates in the Splunk Add-on for Cisco Meraki - October 2024]]> </title> <description> <![CDATA[<p>Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in the Splunk Add-on for Cisco Meraki version 2.2.0 and higher.</p> ]]> </description> <pubDate>Wed, 30 Oct 2024 00:00:00 +0000</pubDate> <link>https://advisory.splunk.com//advisories/SVD-2024-1015</link> <category>Security Advisory</category> </item> <item> <title> <![CDATA[SVD-2024-1014: Third-Party Package Updates in the Splunk Add-on for Google Cloud Platform - October 2024]]> </title> <description> <![CDATA[<p>Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in the Splunk Add-on for Google Cloud Platform versions 4.7.0 and higher</p> ]]> </description> <pubDate>Wed, 30 Oct 2024 00:00:00 +0000</pubDate> <link>https://advisory.splunk.com//advisories/SVD-2024-1014</link> <category>Security Advisory</category> </item> <item> <title> <![CDATA[SVD-2024-1013: Third-Party Package Updates in Splunk Add-on for Office 365 - October 2024]]> </title> <description> <![CDATA[<p>Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk Add-on for Office 365 versions 4.5.2 and higher.</p> ]]> </description> <pubDate>Thu, 17 Oct 2024 00:00:00 +0000</pubDate> <link>https://advisory.splunk.com//advisories/SVD-2024-1013</link> <category>Security Advisory</category> </item> <item> <title> <![CDATA[SVD-2024-1012: Third-Party Package Updates in Splunk Enterprise - October 2024]]> </title> <description> <![CDATA[<p>Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk Enterprise versions 9.3.1, 9.2.3, 9.1.6, and higher.</p> ]]> </description> <pubDate>Mon, 14 Oct 2024 00:00:00 +0000</pubDate> <link>https://advisory.splunk.com//advisories/SVD-2024-1012</link> <category>Security Advisory</category> </item> <item> <title> <![CDATA[SVD-2024-1011: Persistent Cross-Site Scripting (XSS) via props.conf on Splunk Enterprise]]> </title> <description> <![CDATA[<p>In Splunk Enterprise versions below 9.2.3 and 9.1.6 and Splunk Cloud Platform versions below 9.2.2403.108 and 9.1.2312.205, a low-privileged user that does not hold the “admin” or “power” Splunk roles could create a malicious payload through a custom configuration file that the “api.uri” parameter from the “/manager/search/apps/local” endpoint in Splunk Web calls. This could result in execution of unauthorized JavaScript code in the browser of a user.</p> ]]> </description> <pubDate>Mon, 14 Oct 2024 00:00:00 +0000</pubDate> <link>https://advisory.splunk.com//advisories/SVD-2024-1011</link> <category>Security Advisory</category> </item> <item> <title> <![CDATA[SVD-2024-1010: Persistent Cross-Site Scripting (XSS) through Scheduled Views on Splunk Enterprise]]> </title> <description> <![CDATA[<p>In Splunk Enterprise versions below 9.2.3 and 9.1.6 and Splunk Cloud Platform versions below 9.2.2403, a low-privileged user that does not hold the “admin” or “power” Splunk roles could craft a malicious payload through Scheduled Views that could result in execution of unauthorized JavaScript code in the browser of a user.</p> ]]> </description> <pubDate>Mon, 14 Oct 2024 00:00:00 +0000</pubDate> <link>https://advisory.splunk.com//advisories/SVD-2024-1010</link> <category>Security Advisory</category> </item> <item> <title> <![CDATA[SVD-2024-1009: Sensitive information disclosure in AdminManager logging channel]]> </title> <description> <![CDATA[<p>In Splunk Enterprise versions below 9.3.1, 9.2.3, and 9.1.6, the software potentially exposes plaintext passwords for local native authentication Splunk users. This exposure could happen when you configure the Splunk Enterprise AdminManager log channel at the DEBUG logging level.</p> ]]> </description> <pubDate>Mon, 14 Oct 2024 00:00:00 +0000</pubDate> <link>https://advisory.splunk.com//advisories/SVD-2024-1009</link> <category>Security Advisory</category> </item> <item> <title> <![CDATA[SVD-2024-1008: Sensitive information disclosure in REST_Calls logging channel]]> </title> <description> <![CDATA[<p>In Splunk Enterprise versions below 9.3.1, 9.2.3, and 9.1.6, the software potentially exposes sensitive HTTP parameters to the <code class="language-plaintext highlighter-rouge">_internal</code> index. This exposure could happen if you configure the Splunk Enterprise <code class="language-plaintext highlighter-rouge">REST_Calls</code> log channel at the DEBUG logging level.</p> ]]> </description> <pubDate>Mon, 14 Oct 2024 00:00:00 +0000</pubDate> <link>https://advisory.splunk.com//advisories/SVD-2024-1008</link> <category>Security Advisory</category> </item> <item> <title> <![CDATA[SVD-2024-1007: Maintenance mode state change of App Key Value Store (KVStore) through Cross-Site Request Forgery (CSRF)]]> </title> <description> <![CDATA[<p>In Splunk Enterprise versions below 9.3.1, 9.2.3, and 9.1.6 and Splunk Cloud Platform versions below 9.2.2403.108, and 9.1.2312.204, a low-privileged user that does not hold the “admin” or “power” Splunk roles could change the maintenance mode state of App Key Value Store (KVStore) through a Cross-Site Request Forgery (CSRF).</p> ]]> </description> <pubDate>Mon, 14 Oct 2024 00:00:00 +0000</pubDate> <link>https://advisory.splunk.com//advisories/SVD-2024-1007</link> <category>Security Advisory</category> </item> <item> <title> <![CDATA[SVD-2024-1006: Improperly Formatted ‘INGEST_EVAL’ Parameter Crashes Splunk Daemon]]> </title> <description> <![CDATA[<p>In Splunk Enterprise versions below 9.3.1, 9.2.3, and 9.1.6 and Splunk Cloud Platform versions below 9.2.2403.107, 9.1.2312.204, and 9.1.2312.111, a low-privileged user that does not hold the “admin” or “power” Splunk roles could craft a search query with an improperly formatted “INGEST_EVAL” parameter as part of a <a href="https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Managefieldtransforms">Field Transformation</a> which could crash the Splunk daemon (splunkd).</p> ]]> </description> <pubDate>Mon, 14 Oct 2024 00:00:00 +0000</pubDate> <link>https://advisory.splunk.com//advisories/SVD-2024-1006</link> <category>Security Advisory</category> </item> <item> <title> <![CDATA[SVD-2024-1005: Improper Access Control for low-privileged user in Splunk Secure Gateway App]]> </title> <description> <![CDATA[<p>In Splunk Enterprise versions below 9.2.3 and 9.1.6, and Splunk Secure Gateway versions on Splunk Cloud Platform versions below 3.4.259, 3.6.17, and 3.7.0, a low-privileged user that does not hold the “admin” or “power” Splunk roles can see App Key Value Store (KV Store) deployment configuration and public/private keys in the Splunk Secure Gateway App.</p> ]]> </description> <pubDate>Mon, 14 Oct 2024 00:00:00 +0000</pubDate> <link>https://advisory.splunk.com//advisories/SVD-2024-1005</link> <category>Security Advisory</category> </item> <item> <title> <![CDATA[SVD-2024-1004: Low Privilege User can View Images on the Host Machine by using the PDF Export feature in Splunk Classic Dashboard]]> </title> <description> <![CDATA[<p>In Splunk Enterprise versions 9.3.0, 9.2.3, and 9.1.6, a low-privileged user that does not hold the “admin” or “power” Splunk roles could view images on the machine that runs Splunk Enterprise by using the PDF export feature in Splunk classic dashboards. The images on the machine could be exposed by exporting the dashboard as a PDF, using the local image path in the img tag in the source extensible markup language (XML) code for the Splunk classic dashboard.</p> ]]> </description> <pubDate>Mon, 14 Oct 2024 00:00:00 +0000</pubDate> <link>https://advisory.splunk.com//advisories/SVD-2024-1004</link> <category>Security Advisory</category> </item> <item> <title> <![CDATA[SVD-2024-1003: Remote Code Execution (RCE) due to insecure session storage configuration in Splunk Enterprise on Windows]]> </title> <description> <![CDATA[<p>In Splunk Enterprise for Windows versions below 9.2.3 and 9.1.6, a low-privileged user that does not hold the “admin” or “power” Splunk roles could perform a Remote Code Execution (RCE) due to an insecure session storage configuration.</p> ]]> </description> <pubDate>Mon, 14 Oct 2024 00:00:00 +0000</pubDate> <link>https://advisory.splunk.com//advisories/SVD-2024-1003</link> <category>Security Advisory</category> </item> <item> <title> <![CDATA[SVD-2024-1002: Low-privileged user could run search as nobody in SplunkDeploymentServerConfig app]]> </title> <description> <![CDATA[<p>In Splunk Enterprise versions below 9.3.1, and 9.2.0 versions below 9.2.3, and Splunk Cloud Platform versions below 9.2.2403.103, 9.1.2312.200, 9.1.2312.110 and 9.1.2308.208, a low-privileged user that does not hold the “admin” or “power” Splunk roles could run a search as the “nobody” Splunk user in the SplunkDeploymentServerConfig app. This could let the low-privileged user access potentially restricted data.</p> ]]> </description> <pubDate>Mon, 14 Oct 2024 00:00:00 +0000</pubDate> <link>https://advisory.splunk.com//advisories/SVD-2024-1002</link> <category>Security Advisory</category> </item> <item> <title> <![CDATA[SVD-2024-1001: Potential Remote Command Execution (RCE) through arbitrary file write to Windows system root directory when Splunk Enterprise for Windows is installed on a separate disk]]> </title> <description> <![CDATA[<p>In Splunk Enterprise for Windows versions below 9.3.1, 9.2.3, and 9.1.6, a low-privileged user that does not hold the “admin” or “power” Splunk roles could write a file to the Windows system root directory, which has a default location in the Windows System32 folder, when Splunk Enterprise for Windows is installed on a separate drive.</p> ]]> </description> <pubDate>Mon, 14 Oct 2024 00:00:00 +0000</pubDate> <link>https://advisory.splunk.com//advisories/SVD-2024-1001</link> <category>Security Advisory</category> </item> <item> <title> <![CDATA[SVD-2024-0901: Third-Party Package Updates in Splunk Add-on for Amazon Web Services - September 2024]]> </title> <description> <![CDATA[<p>Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk Add-on for Amazon Web Services versions 7.7.0 and higher.</p> ]]> </description> <pubDate>Mon, 30 Sep 2024 00:00:00 +0000</pubDate> <link>https://advisory.splunk.com//advisories/SVD-2024-0901</link> <category>Security Advisory</category> </item> <item> <title> <![CDATA[SVD-2024-0801: Third-Party Package Updates in Python for Scientific Computing - August 2024]]> </title> <description> <![CDATA[<p>Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Python for Scientific Computing version 4.2.1 and higher.</p> ]]> </description> <pubDate>Mon, 12 Aug 2024 00:00:00 +0000</pubDate> <link>https://advisory.splunk.com//advisories/SVD-2024-0801</link> <category>Security Advisory</category> </item> <item> <title> <![CDATA[SVD-2024-0718: Third-Party Package Updates in Splunk Enterprise - July 2024]]> </title> <description> <![CDATA[<p>Splunk remedied common vulnerabilities and exposures (CVEs) in Third-Party Packages in Splunk Enterprise versions 9.2.2, 9.1.5, and 9.0.10.</p> ]]> </description> <pubDate>Mon, 01 Jul 2024 00:00:00 +0000</pubDate> <link>https://advisory.splunk.com//advisories/SVD-2024-0718</link> <category>Security Advisory</category> </item> <item> <title> <![CDATA[SVD-2024-0717: Persistent Cross-site Scripting (XSS) in conf-web/settings REST endpoint]]> </title> <description> <![CDATA[<p>In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312, an admin user could store and execute arbitrary JavaScript code in the browser context of another Splunk user through the conf-web/settings REST endpoint. This could potentially cause a persistent cross-site scripting (XSS) exploit.</p> ]]> </description> <pubDate>Mon, 01 Jul 2024 00:00:00 +0000</pubDate> <link>https://advisory.splunk.com//advisories/SVD-2024-0717</link> <category>Security Advisory</category> </item> <item> <title> <![CDATA[SVD-2024-0716: Information Disclosure of user names]]> </title> <description> <![CDATA[<p>In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.109, an attacker could determine whether or not another user exists on the instance by deciphering the error response that they would likely receive from the instance when they attempt to log in. This disclosure could then lead to additional brute-force password-guessing attacks. This vulnerability would require that the Splunk platform instance uses the Security Assertion Markup Language (SAML) authentication scheme.</p> ]]> </description> <pubDate>Mon, 01 Jul 2024 00:00:00 +0000</pubDate> <link>https://advisory.splunk.com//advisories/SVD-2024-0716</link> <category>Security Advisory</category> </item> <item> <title> <![CDATA[SVD-2024-0715: Low-privileged user could create experimental items]]> </title> <description> <![CDATA[<p>In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.200 and 9.1.2308.207, a low-privileged user that does not hold the admin or power Splunk roles could create experimental items.</p> ]]> </description> <pubDate>Mon, 01 Jul 2024 00:00:00 +0000</pubDate> <link>https://advisory.splunk.com//advisories/SVD-2024-0715</link> <category>Security Advisory</category> </item> <item> <title> <![CDATA[SVD-2024-0714: Persistent Cross-site Scripting (XSS) in Dashboard Elements]]> </title> <description> <![CDATA[<p>In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.200 and 9.1.2308.207, a low-privileged user that does not hold the admin or power Splunk roles could craft a malicious payload through a View and Splunk Web Bulletin Messages that could result in execution of unauthorized JavaScript code in the browser of a user.</p> ]]> </description> <pubDate>Mon, 01 Jul 2024 00:00:00 +0000</pubDate> <link>https://advisory.splunk.com//advisories/SVD-2024-0714</link> <category>Security Advisory</category> </item> <item> <title> <![CDATA[SVD-2024-0713: Persistent Cross-site Scripting (XSS) in Web Bulletin]]> </title> <description> <![CDATA[<p>In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.200 and 9.1.2308.207, a low-privileged user that does not hold the admin or power Splunk roles could craft a malicious payload through a Splunk Web Bulletin Messages that could result in execution of unauthorized JavaScript code in the browser of a user.</p> ]]> </description> <pubDate>Mon, 01 Jul 2024 00:00:00 +0000</pubDate> <link>https://advisory.splunk.com//advisories/SVD-2024-0713</link> <category>Security Advisory</category> </item> <item> <title> <![CDATA[SVD-2024-0712: Persistent Cross-site Scripting (XSS) in Dashboard Elements]]> </title> <description> <![CDATA[<p>In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.200 and 9.1.2308.207, a low-privileged user that does not hold the admin or power Splunk roles could craft a malicious payload through a View that could result in execution of unauthorized JavaScript code in the browser of a user. The “url” parameter of the Dashboard element does not have proper input validation to reject invalid URLs, which could lead to a Persistent Cross-site Scripting (XSS) exploit.</p> ]]> </description> <pubDate>Mon, 01 Jul 2024 00:00:00 +0000</pubDate> <link>https://advisory.splunk.com//advisories/SVD-2024-0712</link> <category>Security Advisory</category> </item> <item> <title> <![CDATA[SVD-2024-0711: Path Traversal on the “/modules/messaging/“ endpoint in Splunk Enterprise on Windows]]> </title> <description> <![CDATA[<p>In Splunk Enterprise on Windows versions below 9.2.2, 9.1.5, and 9.0.10, an attacker could perform a path traversal on the /modules/messaging/ endpoint in Splunk Enterprise on Windows. This vulnerability should only affect Splunk Enterprise on Windows.</p> ]]> </description> <pubDate>Mon, 01 Jul 2024 00:00:00 +0000</pubDate> <link>https://advisory.splunk.com//advisories/SVD-2024-0711</link> <category>Security Advisory</category> </item> <item> <title> <![CDATA[SVD-2024-0710: Denial of Service (DoS) on the datamodel/web REST endpoint]]> </title> <description> <![CDATA[<p>In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.2.2403.100, an authenticated, low-privileged user that does not hold the admin or power Splunk roles could send a specially crafted HTTP POST request to the datamodel/web REST endpoint in Splunk Enterprise, potentially causing a denial of service.</p> ]]> </description> <pubDate>Mon, 01 Jul 2024 00:00:00 +0000</pubDate> <link>https://advisory.splunk.com//advisories/SVD-2024-0710</link> <category>Security Advisory</category> </item> <item> <title> <![CDATA[SVD-2024-0709: Low-privileged user could create notifications in Splunk Web Bulletin Messages]]> </title> <description> <![CDATA[<p>In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.200, a low-privileged user that does not hold the admin or power Splunk roles could create notifications in Splunk Web Bulletin Messages that all users on the instance receive.</p> ]]> </description> <pubDate>Mon, 01 Jul 2024 00:00:00 +0000</pubDate> <link>https://advisory.splunk.com//advisories/SVD-2024-0709</link> <category>Security Advisory</category> </item> <item> <title> <![CDATA[SVD-2024-0708: OpenSSL crypto library (libcrypto.so) incorrectly compiled with stack execution bit set in Splunk Enterprise and Universal Forwarder on certain operating systems]]> </title> <description> <![CDATA[<p>In certain specific versions and platform architectures of Splunk Enterprise and the Universal Forwarder, the cryptographic library for OpenSSL (libcrypto.so) was likely incorrectly compiled with its stack execution bit set.</p> ]]> </description> <pubDate>Mon, 01 Jul 2024 00:00:00 +0000</pubDate> <link>https://advisory.splunk.com//advisories/SVD-2024-0708</link> <category>Security Advisory</category> </item> <item> <title> <![CDATA[SVD-2024-0707: Insecure File Upload in the indexing/preview REST endpoint]]> </title> <description> <![CDATA[<p>In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.200, an authenticated, low-privileged user who does not hold the admin or power Splunk roles could upload a file with an arbitrary extension using the indexing/preview REST endpoint.</p> ]]> </description> <pubDate>Mon, 01 Jul 2024 00:00:00 +0000</pubDate> <link>https://advisory.splunk.com//advisories/SVD-2024-0707</link> <category>Security Advisory</category> </item> <item> <title> <![CDATA[SVD-2024-0706: Risky command safeguards bypass through Search ID query in Analytics Workspace]]> </title> <description> <![CDATA[<p>In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.200 and 9.1.2308.207, an authenticated user could run risky commands using the permissions of a higher-privileged user to bypass SPL safeguards for risky commands in the Analytics Workspace. The vulnerability requires the authenticated user to phish the victim by tricking them into initiating a request within their browser. The authenticated user should not be able to exploit the vulnerability at will.</p> ]]> </description> <pubDate>Mon, 01 Jul 2024 00:00:00 +0000</pubDate> <link>https://advisory.splunk.com//advisories/SVD-2024-0706</link> <category>Security Advisory</category> </item> </channel> </rss>