Splunk
cpe:2.3:a:splunk:splunk:*:*:*:*:*:*:*
- < 9.4.1
- < 9.3.3
- < 9.2.5
- < 9.1.8
A vulnerability exists in Splunk Enterprise versions prior to 9.4.1, 9.3.3, 9.2.5, and 9.1.8, as well as in Splunk Cloud Platform versions prior to 9.3.2408.107, 9.2.2406.111, and 9.1.2308.214. This vulnerability allows low-privileged users, who do not have 'admin' or 'power' roles, to bypass SPL safeguards for risky commands on the '/services/streams/search' endpoint. By using the 'q' parameter, these users can run saved searches with risky commands, leveraging the permissions of higher-privileged users. Exploitation requires phishing the victim to initiate the request in their browser, as the authenticated user cannot exploit the vulnerability independently.
Exploitation of this vulnerability allows for the bypass of Splunk's safeguards on risky commands, potentially leading to unauthorized access or execution of commands with elevated privileges.
Users of Splunk Enterprise should upgrade to versions 9.4.1, 9.3.3, 9.2.5, or 9.1.8. For Splunk Cloud Platform users, Splunk is actively monitoring and patching instances. Additionally, turning off Splunk Web can mitigate the vulnerability.