Splunk Vulnerabilities CVE-2024-36997, CVE-2024-36996, CVE-2024-36995, CVE-2024-36994, CVE-2024-36993, CVE-2024-36992, CVE-2024-36991, CVE-2024-36990, CVE-2024-36989, CVE-2024-36987, CVE-2024-36986, CVE-2024-36985, CVE-2024-36984, CVE-2024-36983, CVE-2024-36982
July 01, 2024
Splunk, a leading provider of enterprise software for data analysis and security, has recently disclosed a series of critical vulnerabilities that could expose organizations to significant risks. These vulnerabilities, affecting Splunk Enterprise and Splunk Cloud Platform, range from persistent cross-site scripting (XSS) exploits to denial of service and remote code execution flaws.
CVE-2024-36997
In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312, an admin user could store and execute arbitrary JavaScript code in the browser context of another Splunk user through the conf-web/settings REST endpoint. This could potentially cause a persistent cross-site scripting (XSS) exploit.
CVE-2024-36996
In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.109, an attacker could determine whether or not another user exists on the instance by deciphering the error response that they would likely receive from the instance when they attempt to log in. This disclosure could then lead to additional brute-force password-guessing attacks. This vulnerability would require that the Splunk platform instance uses the Security Assertion Markup Language (SAML) authentication scheme.
CVE-2024-36995
In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.200 and 9.1.2308.207, a low-privileged user that does not hold the admin or power Splunk roles could create experimental items.
CVE-2024-36994
In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.200 and 9.1.2308.207, a low-privileged user that does not hold the admin or power Splunk roles could craft a malicious payload through a View and Splunk Web Bulletin Messages that could result in execution of unauthorized JavaScript code in the browser of a user.
CVE-2024-36993
In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.200 and 9.1.2308.207, a low-privileged user that does not hold the admin or power Splunk roles could craft a malicious payload through Splunk Web Bulletin Messages that could result in execution of unauthorized JavaScript code in the browser of a user.
CVE-2024-36992
In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.200 and 9.1.2308.207, a low-privileged user that does not hold the admin or power Splunk roles could craft a malicious payload through a View that could result in execution of unauthorized JavaScript code in the browser of a user. The "url" parameter of the Dashboard element does not have proper input validation to reject invalid URLs, which could lead to a persistent cross-site scripting (XSS) exploit.
CVE-2024-36991
In Splunk Enterprise on Windows versions below 9.2.2, 9.1.5, and 9.0.10, an attacker could perform a path traversal on the /modules/messaging/ endpoint. This vulnerability should only affect Splunk Enterprise on Windows.
CVE-2024-36990
In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.2.2403.100, an authenticated, low-privileged user that does not hold the admin or power Splunk roles could send a specially crafted HTTP POST request to the datamodel/web REST endpoint in Splunk Enterprise, potentially causing a denial of service.
CVE-2024-36989
In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.200, a low-privileged user that does not hold the admin or power Splunk roles could create notifications in Splunk Web Bulletin Messages that all users on the instance receive.
CVE-2024-36987
In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.200, an authenticated, low-privileged user who does not hold the admin or power Splunk roles could upload a file with an arbitrary extension using the indexing/preview REST endpoint.
CVE-2024-36986
In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.200 and 9.1.2308.207, an authenticated user could run risky commands using the permissions of a higher-privileged user to bypass SPL safeguards for risky commands in the Analytics Workspace. The vulnerability requires the authenticated user to phish the victim by tricking them into initiating a request within their browser. The authenticated user should not be able to exploit the vulnerability at will.
CVE-2024-36985
In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10, a low-privileged user that does not hold the admin or power Splunk roles could cause a Remote Code Execution through an external lookup that references the "splunk_archiver" application.
CVE-2024-36984
In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 on Windows, an authenticated user could execute a specially crafted query that they could then use to serialize untrusted data. The attacker could use the query to execute arbitrary code.
CVE-2024-36983
In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.109 and 9.1.2308.207, an authenticated user could create an external lookup that calls a legacy internal function. The authenticated user could use this internal function to insert code into the Splunk platform installation directory. From there, the user could execute arbitrary code on the Splunk platform instance.
CVE-2024-36982
In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.109 and 9.1.2308.207, an attacker could trigger a null pointer dereference on the cluster/config REST endpoint, which could result in a crash of the Splunk daemon.
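Every Splunk Enterprise entry above is fixed in 9.2.2, 9.1.5 or 9.0.10 depending on the maintenance branch, so a naive "is my version greater than 9.0.10" check misclassifies 9.1.4 and 9.2.1 as patched. The following branch-aware inventory check is an added example, not Splunk's code or part of the advisory; the CVE list, the fixed releases and the Windows-only scoping of CVE-2024-36991 and CVE-2024-36984 are taken from the text above, and branches the advisory does not name are reported as unknown rather than guessed.

```python
"""Branch-aware exposure check for the Splunk Enterprise fixes in this advisory."""
from __future__ import annotations

# Fixed Splunk Enterprise release per maintenance branch, as stated in the advisory.
ENTERPRISE_FIXED = {(9, 2): (9, 2, 2), (9, 1): (9, 1, 5), (9, 0): (9, 0, 10)}

# The advisory scopes these two CVEs to Splunk Enterprise on Windows only.
WINDOWS_ONLY = {"CVE-2024-36991", "CVE-2024-36984"}

# All 15 CVEs on the page: CVE-2024-36982 through CVE-2024-36997, minus 36988,
# which the advisory does not list.
ALL_CVES = [f"CVE-2024-{n}" for n in range(36982, 36998) if n != 36988]


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '9.1.4' into (9, 1, 4); anything but three dotted integers is rejected."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Splunk Enterprise version string: {text!r}")
    major, minor, maint = (int(p) for p in parts)
    return major, minor, maint


def patch_status(version: str) -> str:
    """Return 'affected', 'fixed' or 'unknown' for a Splunk Enterprise version.

    The comparison is per maintenance branch: 9.1.4 is affected even though
    9.1.4 sorts above 9.0.10, because the fix on the 9.1 branch is 9.1.5.
    """
    major, minor, maint = parse_version(version)
    fixed = ENTERPRISE_FIXED.get((major, minor))
    if fixed is None:
        # Branches the advisory does not name (e.g. 8.x, or anything newer than
        # 9.2) are outside what the text states, so we refuse to guess.
        return "unknown"
    return "fixed" if (major, minor, maint) >= fixed else "affected"


def exposed_cves(version: str, platform: str) -> list[str]:
    """CVEs from this advisory that apply to the given Enterprise version and OS.

    `platform` is a free-form OS string such as 'Windows' or 'linux'; only the
    Windows-only CVEs depend on it.
    """
    if patch_status(version) != "affected":
        return []
    is_windows = platform.strip().lower().startswith("win")
    return [cve for cve in ALL_CVES if is_windows or cve not in WINDOWS_ONLY]


if __name__ == "__main__":
    for ver, os_name in [("9.1.4", "linux"), ("9.1.4", "Windows"), ("9.2.2", "linux")]:
        print(ver, os_name, patch_status(ver), len(exposed_cves(ver, os_name)))
```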