Splunk Cloud Platform
cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*
- < 9.3.2411.109
- < 9.3.2408.119
- < 9.2.2406.122
A blind server-side request forgery (SSRF) vulnerability has been identified in Splunk Enterprise versions prior to 10.0.1, 9.4.4, 9.3.6, and 9.2.8, as well as in Splunk Cloud Platform versions prior to 9.3.2411.109, 9.3.2408.119, and 9.2.2406.122. This vulnerability allows an unauthenticated attacker to potentially perform REST API calls on behalf of an authenticated high-privileged user. Exploitation requires the 'enableSplunkWebClientNetloc' setting in the 'web.conf' configuration file to be enabled, and may involve phishing the victim to initiate a request from their browser.
Exploitation of this vulnerability could allow an unauthenticated attacker to perform REST API calls on behalf of an authenticated high-privileged user, potentially leading to unauthorized actions or access within the application.
Users of Splunk Enterprise should upgrade to versions 10.0.1, 9.4.4, 9.3.6, 9.2.8 or higher. For Splunk Cloud Platform, instances are actively monitored and patched. Additionally, the 'enableSplunkWebClientNetloc' setting in the 'web.conf' configuration file can be turned off to mitigate the vulnerability.
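A triage check for the two conditions described above, as an added example that is not Splunk's code or part of the original advisory: it compares a Splunk Enterprise version against the fixed releases listed here and looks for 'enableSplunkWebClientNetloc' being enabled in web.conf text. The helper names, the set of boolean spellings treated as enabled, and the sample configuration are assumptions made for illustration.

```python
import re

# Fixed Splunk Enterprise releases per branch, as listed in the advisory text.
FIXED = {(10, 0): (10, 0, 1), (9, 4): (9, 4, 4), (9, 3): (9, 3, 6), (9, 2): (9, 2, 8)}
# Assumption: spellings treated as "enabled" for a boolean conf value.
TRUTHY = {"1", "t", "true", "y", "yes"}
SETTING = "enablesplunkwebclientnetloc"

# Constructed sample input, not taken from a real deployment.
SAMPLE_WEB_CONF = """\
[settings]
httpport = 8000
enableSplunkWebClientNetloc = true
"""

def netloc_enabled(conf_text):
    """Return (stanza, value) if the last assignment enables the setting, else None.
    The key is compared case-insensitively so a mis-cased entry is still flagged."""
    stanza, hit = None, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            stanza = header.group(1)
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == SETTING:
            value = value.strip()
            hit = (stanza, value) if value.lower() in TRUTHY else None
    return hit

def enterprise_patched(version):
    """True/False against the listed fixes; None if the branch is not listed."""
    parts = tuple(int(p) for p in version.split(".")[:3])
    parts += (0,) * (3 - len(parts))
    if parts >= max(FIXED.values()):
        return True  # the advisory says "10.0.1 ... or higher"
    fixed = FIXED.get(parts[:2])
    return None if fixed is None else parts >= fixed

def assess(version, conf_text):
    """Combine the version check with the configuration precondition."""
    patched = enterprise_patched(version)
    if patched:
        return "patched"
    precondition = "present" if netloc_enabled(conf_text) else "absent"
    branch = "unpatched" if patched is False else "branch not listed"
    return f"{branch}, precondition {precondition}"
```

Splunk merges web.conf from several layered files, so run the check on the effective configuration (for example the output of `splunk btool web list settings`) rather than on a single file.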