Splunk
cpe:2.3:a:splunk:splunk:*:*:*:*:*:*:*
- >= 9.4.0, <= 9.4.2
- >= 9.3.0, <= 9.3.4
- >= 9.2.0, <= 9.2.6
- >= 9.1.0, <= 9.1.9
A denial-of-service vulnerability has been identified in Splunk Enterprise versions prior to 9.4.3, 9.3.5, 9.2.7, and 9.1.10, as well as in Splunk Cloud Platform versions prior to 9.3.2411.107, 9.3.2408.117, and 9.2.2406.121. This vulnerability allows a low-privileged user, lacking 'admin' or 'power' roles, to create a malicious payload through the 'User Interface - Views' configuration page. The exploitation involves a path traversal vulnerability that permits the deletion of arbitrary files within a Splunk directory, potentially leading to a denial-of-service condition. However, the low-privileged user must first phish an administrator-level victim to initiate the request, as they cannot exploit the vulnerability independently.
Exploitation of this vulnerability can lead to a denial-of-service condition by allowing the deletion of arbitrary files within a Splunk directory, causing disruption to the Splunk service.
Users are advised to upgrade Splunk Enterprise to versions 9.4.3, 9.3.5, 9.2.7, 9.1.10, or higher. For Splunk Cloud Platform, instances are actively monitored and patched by Splunk.
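The version ranges above can be checked against a host inventory. The following is an added example, not code from Splunk or from this advisory page; the host names and inventory lines are constructed, and it assumes that a four-component version number denotes Splunk Cloud Platform. Versions on branches this page does not list are reported as such rather than treated as unaffected.

```python
import re

# First fixed patch level per Splunk Enterprise branch, from the advisory text above.
ENTERPRISE_FIXED = {(9, 4): 3, (9, 3): 5, (9, 2): 7, (9, 1): 10}
# First fixed build per Splunk Cloud Platform branch, from the advisory text above.
CLOUD_FIXED = {(9, 3, 2411): 107, (9, 3, 2408): 117, (9, 2, 2406): 121}

VERSION_RE = re.compile(r"\b\d+(?:\.\d+){2,3}\b")

def classify(text):
    """Return (version, status, first_fixed_version) for a version string."""
    match = VERSION_RE.search(text)
    if not match:
        return (None, "unparsed", None)
    version = match.group(0)
    parts = tuple(int(p) for p in version.split("."))
    # Assumption: four numeric components means a Cloud Platform version.
    table = CLOUD_FIXED if len(parts) == 4 else ENTERPRISE_FIXED
    branch, level = parts[:-1], parts[-1]
    if branch not in table:
        # Not covered by the ranges on this page: report it, do not call it safe.
        return (version, "branch-not-listed", None)
    fixed = ".".join(str(n) for n in branch + (table[branch],))
    # Compare as integers: as strings, "9.1.9" would sort after "9.1.10".
    status = "affected" if level < table[branch] else "fixed"
    return (version, status, fixed)

def triage(inventory):
    """Return (host, version, status, first_fixed) per 'host version' line."""
    rows = []
    for line in inventory.splitlines():
        if line.strip():
            host, _, rest = line.strip().partition(" ")
            rows.append((host,) + classify(rest))
    return rows

# Constructed inventory for illustration; host names are hypothetical.
INVENTORY = """\
sh-01 9.4.2
idx-01 9.3.5
hf-01 9.1.9
old-01 8.2.12
stack-01 9.3.2408.110
"""

if __name__ == "__main__":
    for host, version, status, fixed in triage(INVENTORY):
        print(f"{host:10} {str(version):14} {status:18} upgrade to: {fixed or '-'}")
```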