Splunk Enterprise and Cloud Platform Risky Command Safeguards Bypass Vulnerability

Vulnerability

A vulnerability exists in Splunk Enterprise versions prior to 9.3.3, 9.2.5, and 9.1.8, as well as in Splunk Cloud Platform versions prior to 9.3.2408.103, 9.2.2406.108, 9.2.2403.113, 9.1.2312.208, and 9.1.2308.212. It allows low-privileged users who do not hold the 'admin' or 'power' roles to bypass the SPL safeguards for risky commands on the '/app/search/search' endpoint. By supplying the 's' parameter, such a user can cause a saved search containing risky commands to run with the permissions of a higher-privileged user. Exploitation requires phishing the victim into initiating the request through their browser; the authenticated low-privileged user cannot exploit the vulnerability on their own.

Impact

Successful exploitation bypasses the risky-command safeguards, enabling a low-privileged user to have risky SPL commands executed with the elevated permissions of the phished victim on the affected Splunk instance.

Remediation

Users of Splunk Enterprise should upgrade to versions 9.4.0, 9.3.3, 9.2.5, or 9.1.8. Splunk Cloud Platform users need take no action, as Splunk is actively monitoring and patching instances. As an interim mitigation, turning off Splunk Web removes the affected endpoint.
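Deciding whether a given instance is affected is easy to get wrong because the fix landed separately on each maintenance branch (a 9.2.4 build is affected even though it is numerically "newer" than the fixed 9.1.8). The following checker is an added example, not code from the advisory or from Splunk; the fixed versions are the ones listed above, while the treatment of branches the advisory does not name (for example 9.0.x, or a Cloud release branch other than the five listed) is an assumption made here and is reported as 'unknown' rather than guessed.

```python
"""Classify a Splunk Enterprise or Splunk Cloud Platform version string as
'affected', 'fixed' or 'unknown' with respect to the advisory above.

Added example; fixed versions come from the advisory text. Branches the
advisory does not name are reported as 'unknown' (an assumption of this
script, not a statement from the advisory).
"""
from typing import Dict, Tuple

# Earliest fixed build per Enterprise maintenance branch (major.minor).
ENTERPRISE_FIXED: Dict[Tuple[int, int], Tuple[int, ...]] = {
    (9, 3): (9, 3, 3),
    (9, 2): (9, 2, 5),
    (9, 1): (9, 1, 8),
}

# Earliest fixed build per Cloud release branch (major.minor.release).
CLOUD_FIXED: Dict[Tuple[int, int, int], Tuple[int, ...]] = {
    (9, 3, 2408): (9, 3, 2408, 103),
    (9, 2, 2406): (9, 2, 2406, 108),
    (9, 2, 2403): (9, 2, 2403, 113),
    (9, 1, 2312): (9, 1, 2312, 208),
    (9, 1, 2308): (9, 1, 2308, 212),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '9.3.2408.103' into (9, 3, 2408, 103); reject non-numeric parts."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def enterprise_status(version: str) -> str:
    """Status of a Splunk Enterprise version: 'affected', 'fixed' or 'unknown'."""
    v = parse_version(version)
    branch = v[:2]
    if branch in ENTERPRISE_FIXED:
        # Tuple comparison is per-component, so 9.3.10 > 9.3.3 as intended.
        return "affected" if v < ENTERPRISE_FIXED[branch] else "fixed"
    if v >= (9, 4):
        # 9.4.0 is listed as an upgrade target, so 9.4 and later are fixed.
        return "fixed"
    # Assumption: branches older than 9.1 are not covered by the advisory.
    return "unknown"


def cloud_status(version: str) -> str:
    """Status of a Splunk Cloud Platform version: 'affected', 'fixed' or 'unknown'."""
    v = parse_version(version)
    branch = v[:3]
    if branch in CLOUD_FIXED:
        return "affected" if v < CLOUD_FIXED[branch] else "fixed"
    # Assumption: release branches not named in the advisory are reported as unknown.
    return "unknown"


def status(product: str, version: str) -> str:
    """Dispatch on product name ('enterprise' or 'cloud')."""
    if product == "enterprise":
        return enterprise_status(version)
    if product == "cloud":
        return cloud_status(version)
    raise ValueError(f"unknown product: {product!r}")


if __name__ == "__main__":
    # Constructed inventory for demonstration; not real hosts.
    inventory = [
        ("enterprise", "9.2.4"),
        ("enterprise", "9.3.3"),
        ("enterprise", "9.0.7"),
        ("cloud", "9.3.2408.102"),
        ("cloud", "9.1.2312.208"),
    ]
    for product, version in inventory:
        print(f"{product:10s} {version:14s} {status(product, version)}")
```

Run it as a script to see the constructed inventory classified, or import `status` into an asset-inventory job; an 'unknown' result is a prompt to consult the vendor advisory for that branch, not a clean bill of health.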

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm
spread: 5.0
impact: 5.0
exploitability: 5.0
remediation: 8.3
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.