Splunk Enterprise and Cloud Platform Sensitive Information Disclosure Vulnerability
Vulnerability
A vulnerability exists in Splunk Enterprise versions prior to 10.2.0, 10.0.3, 9.4.9, and 9.3.10, as well as in Splunk Cloud Platform versions prior to 10.2.2510.5, 10.1.2507.16, 10.0.2503.11, and 9.3.2411.123. It allows low-privileged users who hold neither the 'admin' nor the 'power' role to access the '/splunkd/__raw/servicesNS/-/-/configs/conf-passwords' REST API endpoint. Because of inadequate access controls, this endpoint reveals the hashed or plaintext passwords stored in the passwords.conf file, creating a risk of unauthorized exposure of sensitive credentials.
Impact
Exploitation of this vulnerability could lead to the unauthorized disclosure of sensitive password information.
Remediation
Users of Splunk Enterprise should upgrade to versions 10.2.0, 10.0.3, 9.4.9, or 9.3.10. For Splunk Cloud Platform, the vendor is actively monitoring and patching instances.
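An added example, not part of the original advisory or Splunk's own tooling: a Python check that scans web access log lines for successful reads of the conf-passwords endpoint by accounts holding neither the 'admin' nor the 'power' role. The log layout, sample lines, user names and role map are constructed assumptions, and matching the endpoint under any namespace or stanza goes beyond the single path the advisory names.

```python
import re
from urllib.parse import unquote, urlsplit

PRIVILEGED_ROLES = {"admin", "power"}  # roles the advisory treats as privileged
# Path segment from the advisory, matched under any namespace or stanza (assumption).
ENDPOINT_RE = re.compile(r"/configs/conf-passwords(/|$)", re.IGNORECASE)
# Assumed layout: client ident user [time] "METHOD target PROTO" status ...
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def normalise_path(target):
    """Drop the query string, decode percent-encoding, collapse duplicate slashes."""
    path = unquote(urlsplit(target).path)
    return re.sub(r"/{2,}", "/", path).rstrip("/")

def find_suspect_reads(lines, user_roles):
    """Return (user, client, time, path) for 2xx GETs by users lacking admin/power."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "GET" or not m["status"].startswith("2"):
            continue
        path = normalise_path(m["target"])
        if not ENDPOINT_RE.search(path):
            continue
        roles = set(user_roles.get(m["user"], ()))  # unknown users count as unprivileged
        if roles & PRIVILEGED_ROLES:
            continue
        hits.append((m["user"], m["client"], m["time"], path))
    return hits

# Constructed sample data, not real Splunk output.
PREFIX = "/en-US/splunkd/__raw"
SAMPLE_LOG = [
    f'10.0.0.5 - alice [12/Mar/2026:09:14:02.101 +0000] "GET {PREFIX}/servicesNS/-/-/configs/conf-passwords?output_mode=json HTTP/1.1" 200 5120',
    f'10.0.0.9 - bob [12/Mar/2026:09:15:40.007 +0000] "GET {PREFIX}/servicesNS/-/-/configs/conf%2Dpasswords HTTP/1.1" 200 5120',
    f'10.0.0.9 - bob [12/Mar/2026:09:16:01.550 +0000] "GET {PREFIX}/services/search/jobs HTTP/1.1" 200 812',
    f'10.0.0.7 - carol [12/Mar/2026:09:17:12.300 +0000] "GET {PREFIX}/servicesNS/-/-/configs/conf-passwords HTTP/1.1" 403 210',
]
SAMPLE_ROLES = {"alice": ["admin"], "bob": ["user"], "carol": ["user"]}

if __name__ == "__main__":
    for user, client, when, path in find_suspect_reads(SAMPLE_LOG, SAMPLE_ROLES):
        print(f"review: {user} from {client} at {when} read {path}")
```

Any account flagged this way should have the credentials stored in passwords.conf treated as exposed and rotated.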
