SB2024070165 - Multiple vulnerabilities in Splunk Enterprise
Published: July 1, 2024 Updated: January 20, 2026
Description
This security bulletin contains information about 15 security vulnerabilities.
1) Path traversal (CVE-ID: CVE-2024-36991)
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to an input validation error when processing directory traversal sequences within the /modules/messaging/ endpoint. A remote attacker can send a specially crafted HTTP request and read arbitrary files on the system.
Note: the vulnerability affects Splunk Enterprise on Windows.
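The practical question for a defender is whether any request has already tried to escape the /modules/messaging/ path named above. The following is an added example written for this bulletin, not code from the bulletin or from Splunk: it parses a few constructed access-log lines (assumed to be in Combined Log Format from a reverse proxy in front of Splunk Web on port 8000) and flags requests to that endpoint whose path still contains a `..` segment after percent-decoding. It decodes repeatedly so that single- and double-encoded sequences (`%2e%2e%2f`, `%252e%252e%255c`) normalize to the same text, and it folds backslashes to slashes because the affected platform is Windows. All IPs, timestamps and request paths below are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (Combined Log Format). Two requests carry
# encoded traversal sequences against /modules/messaging/, two are ordinary
# traffic, and one carries a traversal sequence against a different path so
# the scoping of the rule is visible.
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [02/Jul/2024:10:15:07 +0000] "GET /en-US/modules/messaging/..%2F..%2Fexample.txt HTTP/1.1" 200 1234 "-" "curl/8.4.0"
203.0.113.5 - - [02/Jul/2024:10:15:09 +0000] "GET /en-US/modules/messaging/%252e%252e%255c%252e%252e%255cexample.txt HTTP/1.1" 200 1234 "-" "curl/8.4.0"
198.51.100.9 - - [02/Jul/2024:10:16:12 +0000] "GET /en-US/modules/messaging/messaging.js HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [02/Jul/2024:10:16:15 +0000] "GET /en-US/app/search/search HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
192.0.2.44 - - [02/Jul/2024:10:17:01 +0000] "GET /en-US/static/..%2F..%2Fexample.txt HTTP/1.1" 404 210 "-" "curl/8.4.0"
"""

# Minimal Combined Log Format parser: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Endpoint named in the bulletin for CVE-2024-36991.
TARGET_PREFIX_RE = re.compile(r"/modules/messaging/", re.IGNORECASE)


def normalize_path(path: str) -> str:
    """Percent-decode until the text stops changing (bounded to three rounds)
    and fold backslashes to forward slashes, so differently encoded
    traversal sequences compare equal."""
    decoded = path
    for _ in range(3):
        previous = decoded
        decoded = unquote(decoded)
        if decoded == previous:
            break
    return decoded.replace("\\", "/")


def is_traversal(path: str) -> bool:
    """True when the request targets the affected endpoint and its normalized
    path contains a '..' segment, i.e. an attempt to leave that directory."""
    norm = normalize_path(path.split("?", 1)[0])
    if not TARGET_PREFIX_RE.search(norm):
        return False
    return any(segment == ".." for segment in norm.split("/"))


def detect_traversal(log_text: str) -> list[dict]:
    """Return one record per flagged request; unparseable lines are skipped."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if match is None:
            continue
        if is_traversal(match.group("path")):
            hits.append(
                {
                    "ip": match.group("ip"),
                    "ts": match.group("ts"),
                    "path": match.group("path"),
                    "status": int(match.group("status")),
                }
            )
    return hits


if __name__ == "__main__":
    for hit in detect_traversal(SAMPLE_ACCESS_LOG):
        print(f"{hit['ts']} {hit['ip']} status={hit['status']} {hit['path']}")
```

Run against real logs, a `200` status on a flagged request is the line to escalate, because it means the server answered rather than rejected the escaped path. The rule is deliberately scoped to the endpoint the bulletin names; dropping the `TARGET_PREFIX_RE` check turns it into a generic traversal detector for the whole access log.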
2) Stored cross-site scripting (CVE-ID: CVE-2024-36997)
The disclosed vulnerability allows a remote user to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data at the conf-web/settings REST endpoint. A remote user can inject and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
3) Information disclosure (CVE-ID: CVE-2024-36996)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the application. A remote attacker can enumerate the application's users.
4) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2024-36995)
The vulnerability allows a remote user to create experimental roles.
The vulnerability exists because the application does not properly impose security restrictions. A remote low-privileged user can create experimental items.
5) Stored cross-site scripting (CVE-ID: CVE-2024-36994)
The disclosed vulnerability allows a remote user to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data when handling View and Splunk Web Bulletin Messages. A remote user can inject and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
6) Cross-site scripting (CVE-ID: CVE-2024-36993)
The disclosed vulnerability allows a remote user to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data when handling Splunk Web Bulletin Messages. A remote user can inject and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
7) Stored cross-site scripting (CVE-ID: CVE-2024-36992)
The disclosed vulnerability allows a remote user to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data when handling Splunk Web Bulletin Messages. A remote user can inject and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
8) Infinite loop (CVE-ID: CVE-2024-36990)
The vulnerability allows a remote user to perform a denial of service (DoS) attack.
The vulnerability exists due to an infinite loop when handling requests within the datamodel/web REST endpoint. A remote user can send specially crafted requests to the application and perform a denial of service (DoS) attack.
9) NULL pointer dereference (CVE-ID: CVE-2024-36982)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error within the cluster/config REST endpoint. A remote attacker can send a specially crafted request to the application and perform a denial of service (DoS) attack.
10) Improper access control (CVE-ID: CVE-2024-36989)
The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. A remote user can bypass implemented security restrictions and create notifications in Splunk Web Bulletin Messages.
11) Arbitrary file upload (CVE-ID: CVE-2024-36987)
The vulnerability allows a remote user to compromise the vulnerable system.
The vulnerability exists due to insufficient validation of files uploaded via the indexing/preview REST endpoint. A remote user can upload a malicious XML file and use it to perform XSLT injection attacks.
12) Authorization bypass through user-controlled key (CVE-ID: CVE-2024-36986)
The vulnerability allows a remote user to gain access to sensitive information.
The vulnerability exists due to improperly imposed security restrictions. A remote user can execute dangerous commands by manipulating the Search ID and using the permissions of a higher-privileged user to bypass SPL safeguards for risky commands in the Analytics Workspace.
13) Code Injection (CVE-ID: CVE-2024-36985)
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation in copybuckets.py. A remote user can send a specially crafted request and execute arbitrary code on the target system.
14) Deserialization of Untrusted Data (CVE-ID: CVE-2024-36984)
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data. A remote user can pass specially crafted data to the application and execute arbitrary code on the target system.
Note: the vulnerability affects Splunk Enterprise on Windows.
15) Command Injection (CVE-ID: CVE-2024-36983)
The vulnerability allows a remote user to execute arbitrary commands on the system.
The vulnerability exists due to improper input validation when using external lookups. A remote user can create an external lookup that calls a legacy internal function and execute arbitrary commands on the system.
Remediation
Install the update from the vendor's website.
References
- https://advisory.splunk.com/advisories/SVD-2024-0711
- https://research.splunk.com/application/e7c2b064-524e-4d65-8002-efce808567aa
- https://advisory.splunk.com/advisories/SVD-2024-0717
- https://research.splunk.com/application/ed1209ef-228d-4dab-9856-be9369925a5c
- https://advisory.splunk.com/advisories/SVD-2024-0716
- https://advisory.splunk.com/advisories/SVD-2024-0715
- https://research.splunk.com/application/84afda04-0cd6-466b-869e-70d6407d0a34
- https://advisory.splunk.com/advisories/SVD-2024-0714
- https://research.splunk.com/application/b0a67520-ae82-4cf6-b04e-9f6cce56830d
- https://advisory.splunk.com/advisories/SVD-2024-0713
- https://research.splunk.com/application/fd852b27-1882-4505-9f2c-64dfb96f4fc1
- https://advisory.splunk.com/advisories/SVD-2024-0712
- https://advisory.splunk.com/advisories/SVD-2024-0710
- https://research.splunk.com/application/45766810-dbb2-44d4-b889-b4ba3ee0d1f5
- https://advisory.splunk.com/advisories/SVD-2024-0702
- https://advisory.splunk.com/advisories/SVD-2024-0709
- https://research.splunk.com/application/4b7f368f-4322-47f8-8363-2c466f0b7030
- https://advisory.splunk.com/advisories/SVD-2024-0707
- https://advisory.splunk.com/advisories/SVD-2024-0706
- https://research.splunk.com/application/1cf58ae1-9177-40b8-a26c-8966040f11ae/
- https://advisory.splunk.com/advisories/SVD-2024-0705
- https://research.splunk.com/application/8598f9de-bba8-42a4-8ef0-12e1adda4131
- https://advisory.splunk.com/advisories/SVD-2024-0704
- https://advisory.splunk.com/advisories/SVD-2024-0703