Splunk Open Redirect Vulnerability in Web Login Endpoint

Vulnerability

An open redirect vulnerability has been identified in Splunk Enterprise versions prior to 10.0.1, 9.4.5, 9.3.7, and 9.2.9, and in Splunk Cloud Platform versions prior to 10.0.2503.5, 9.3.2411.111, and 9.3.2408.121. It allows an unauthenticated attacker to craft a malicious URL using the 'return_to' parameter of the Splunk Web login endpoint. When an authenticated user follows the link, the login endpoint redirects the browser to an external malicious site without validating the destination. The attacker cannot exploit the vulnerability directly; the victim must be deceived into initiating the request from their own browser.

Impact

Successful exploitation results in an open redirect: a user who follows the crafted link is sent from the Splunk Web login endpoint to an external malicious site, because the redirect destination is not validated.

Remediation

Users of Splunk Enterprise should upgrade to version 10.0.1, 9.4.5, 9.3.7, or 9.2.9, or a later release. Splunk Cloud Platform instances are actively monitored and patched by Splunk. As a workaround, Splunk Web can be disabled.
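The defect described above is the classic open-redirect pattern: a post-login 'return_to' value is used as the redirect target without being checked. The usual fix is to accept only same-origin paths and fall back to a fixed landing page otherwise. The following validator is an added example written for this page, not Splunk's own code; the fallback path and the sample inputs are constructed, and the rejected shapes are the ones browsers are known to reinterpret as a different origin.

```python
"""Validate a post-login redirect target such as a 'return_to' parameter.

Added example, not Splunk's code. Policy: the target must be a plain
same-origin absolute path; anything a browser could read as another origin
is rejected and the caller uses a fixed fallback instead.
"""
from urllib.parse import urlsplit

# Constructed fallback for this example; a real deployment would use its own
# post-login landing page.
DEFAULT_LANDING = "/"


def is_safe_return_to(value) -> bool:
    """Return True only if `value` is a rooted same-origin path.

    Rejected shapes, each a known way an open redirect slips past naive checks:
    - empty or non-string input
    - ASCII control characters incl. tab/newline (browsers strip them before
      parsing, so '/<TAB>/host' becomes '//host')
    - backslashes (browsers treat '\\' like '/', so '/\\host' becomes '//host')
    - anything with a scheme ('https://host', 'javascript:...')
    - scheme-relative or multi-slash prefixes ('//host', '///host')
    """
    if not isinstance(value, str) or not value:
        return False
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value):
        return False
    if "\\" in value:
        return False
    parts = urlsplit(value)
    if parts.scheme or parts.netloc:
        return False
    # Must be rooted at '/' and must not begin with a second slash.
    return value.startswith("/") and not value.startswith("//")


def resolve_return_to(value, fallback: str = DEFAULT_LANDING) -> str:
    """Return the validated target, or the fixed fallback if it fails the check."""
    return value if is_safe_return_to(value) else fallback


if __name__ == "__main__":
    # Constructed samples: one benign path, then shapes that would change origin.
    for sample in ["/en-US/app/search", "//other.example/",
                   "/\\other.example", "https://other.example/"]:
        print(f"{sample!r:28} -> {resolve_return_to(sample)!r}")
```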

Added: Nov 12, 2025, 6:27 PM
Updated: Nov 12, 2025, 6:27 PM

Vulnerability Rating

Custom Algorithm

spread          5.0
impact          0.6
exploitability  6.4
remediation     8.3
relevance       1.1
threat          0.0
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.