Splunk
cpe:2.3:a:splunk:splunk:*:*:*:*:*:*:*
- < 10.2.1
- < 10.0.4
- < 9.4.9
- < 9.3.10
A vulnerability allowing sensitive information disclosure has been identified in Splunk Enterprise versions prior to 10.2.1, 10.0.4, 9.4.9, and 9.3.10, as well as in Splunk Cloud Platform versions prior to 10.2.2510.7, 10.1.2507.17, 10.0.2503.12, and 9.3.2411.124. The issue arises from improper access control in the MongoClient logging channel, which allows low-privileged users without 'admin' or 'power' roles to access sensitive information by inspecting job search logs.
Exploitation of this vulnerability could lead to unauthorized access to sensitive information in the search logs.
Users of Splunk Enterprise should upgrade to versions 10.2.1, 10.0.4, 9.4.9, 9.3.10 or higher. For Splunk Cloud Platform, instances are actively monitored and patched. As a workaround, Splunk Web can be turned off, which disables the vulnerable logging channel. Consult the Splunk documentation for guidance on managing Splunk Web and for information on the web.conf configuration file.
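A triage sketch that checks inventoried versions against the fixed releases listed above, as an added example that is not part of the advisory or Splunk's own tooling. The host names and inventory are constructed, and treating the first two (Enterprise) or first three (Cloud Platform) version fields as the release branch is an assumption.

```python
# Added example: fixed releases copied from the advisory text above.
ENTERPRISE_FIXED = {(10, 2): 1, (10, 0): 4, (9, 4): 9, (9, 3): 10}
# Assumption: a Cloud Platform release is identified by its first three
# fields and patched by the fourth (e.g. 9.3.2411 / 124).
CLOUD_FIXED = {(10, 2, 2510): 7, (10, 1, 2507): 17,
               (10, 0, 2503): 12, (9, 3, 2411): 124}


def parse_version(text):
    """Turn '9.3.10' into (9, 3, 10); reject anything non-numeric."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def triage(version, product="enterprise"):
    """Return 'affected', 'fixed' or 'not-listed' for one version string."""
    table = {"enterprise": ENTERPRISE_FIXED, "cloud": CLOUD_FIXED}[product]
    fields = parse_version(version)
    n = len(next(iter(table)))          # number of fields naming the branch
    if len(fields) <= n:
        raise ValueError(f"too few fields for {product}: {version!r}")
    branch, rest = fields[:n], fields[n:]
    if branch not in table:
        # The advisory names no fixed release for this branch: check manually.
        return "not-listed"
    # Integer comparison: as strings, '9.3.9' would sort after '9.3.10'.
    return "affected" if rest < (table[branch],) else "fixed"


def triage_inventory(rows):
    """rows: iterable of (host, product, version) -> {host: status}."""
    return {host: triage(version, product) for host, product, version in rows}


# Constructed sample inventory; host names are hypothetical.
SAMPLE = [
    ("sh01.example.internal", "enterprise", "9.3.9"),
    ("sh02.example.internal", "enterprise", "9.3.10"),
    ("idx01.example.internal", "enterprise", "9.2.5"),
    ("stack-a", "cloud", "10.1.2507.16"),
]

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE).items():
        print(f"{host}: {status}")
```

A "not-listed" result means the advisory text names no fixed release for that branch, so the host needs a manual check rather than being treated as safe.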