Splunk Enterprise and Cloud Platform Risky Command Safeguards Bypass Vulnerability

Vulnerability

A vulnerability exists in Splunk Enterprise versions prior to 10.0.1, 9.4.5, 9.3.7, and 9.2.9, as well as in Splunk Cloud Platform versions prior to 9.3.2411.116, 9.3.2408.124, 10.0.2503.5, and 10.1.2507.1. It allows low-privileged users, those without the 'admin' or 'power' role, to bypass Splunk's safeguards for risky commands. By using character encoding to manipulate the 'q' parameter of the '/services/streams/search' endpoint, such a user can have saved searches containing risky commands executed under the permissions of a higher-privileged user. Successful exploitation requires phishing that higher-privileged victim into initiating the crafted request from their browser.

Impact

Exploitation of this vulnerability allows low-privileged users to bypass command safeguards and execute risky commands with elevated privileges, potentially leading to unauthorized actions or access within Splunk.

Remediation

Users of Splunk Enterprise should upgrade to version 10.0.1, 9.4.5, 9.3.7 or 9.2.9, or to a later release in the same line. For Splunk Cloud Platform, instances are being actively monitored and patched by Splunk. Additionally, turning off Splunk Web mitigates the vulnerability, since the attack relies on a request issued from the victim's browser.
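As an added detection example (not part of this advisory and not Splunk's code): the script below scans constructed access-log lines for requests to /services/streams/search whose 'q' parameter, once fully percent-decoded, starts a pipeline stage with a risky SPL command, and marks those where the command only becomes visible after an extra decoding layer. The log layout, the risky-command subset, the assumption that 'q' travels in the URL query string, and the double-encoded sample line are all assumptions of this example, not details from the advisory.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Illustrative subset of SPL commands that Splunk's safeguards treat as risky.
# Assumption: not the full list; take the authoritative one from your version's docs.
RISKY_COMMANDS = {"delete", "collect", "outputlookup", "sendemail",
                  "runshellscript", "script", "run", "dump"}
ENDPOINT = "/services/streams/search"

# Constructed sample lines in a common Apache-style access-log layout; they are
# not real Splunk output and the field order is an assumption of this example.
SAMPLE_LOG = """\
10.0.0.5 - alice [12/Nov/2025:18:26:01 +0000] "GET /services/streams/search?q=search%20index%3Dmain%20error HTTP/1.1" 200 512
10.0.0.7 - bob [12/Nov/2025:18:26:07 +0000] "GET /services/streams/search?q=search%2520index%253Dmain%2520%257C%2520delete HTTP/1.1" 200 88
10.0.0.9 - carol [12/Nov/2025:18:26:09 +0000] "GET /services/streams/search?q=%7C%20delete HTTP/1.1" 200 14
"""

LOG_RE = re.compile(r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def canonicalize(value, max_rounds=5):
    """Percent-decode until the text stops changing (catches double/triple encoding)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def spl_commands(query):
    """Lowercase command name of every pipe-separated stage of an SPL string."""
    return [stage.split()[0].lower()
            for stage in query.split("|") if stage.strip()]

def find_risky_requests(log_text):
    """Flag search-endpoint requests whose canonical 'q' uses a risky command."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        url = urlsplit(m["target"]) if m else None
        if url is None or url.path != ENDPOINT:
            continue
        for q in parse_qs(url.query).get("q", []):   # parse_qs decodes one layer
            canonical = canonicalize(q)
            hits = sorted(set(spl_commands(canonical)) & RISKY_COMMANDS)
            if hits:   # 'reencoded': command surfaced only after further decoding
                findings.append({"user": m["user"], "src": m["src"], "when": m["ts"],
                                 "commands": hits, "reencoded": canonical != q,
                                 "query": canonical})
    return findings
```

A hit with reencoded set is the signal worth alerting on: a risky command delivered through an extra encoding layer is exactly the pattern a safeguard that checks the once-decoded parameter would miss.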

Added: Nov 12, 2025, 6:26 PM
Updated: Nov 12, 2025, 6:26 PM

Vulnerability Rating

Custom Algorithm

  spread          5.0
  impact          5.0
  exploitability  5.0
  remediation     8.3
  relevance       1.0
  threat          0.0
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.