Splunk Enterprise and Cloud Platform Improper Access Control Vulnerability in Discover Observability Cloud App

Vulnerability

A vulnerability exists in the Discover Splunk Observability Cloud app for Splunk Enterprise and Splunk Cloud Platform, allowing low-privileged users to access the Observability Cloud API access token. This issue affects Splunk Enterprise versions prior to 10.2.1 and 10.0.4, as well as Splunk Cloud Platform versions prior to 10.2.2510.5, 10.1.2507.16, and 10.0.2503.12. The vulnerability arises from improper access control, enabling users without 'admin' or 'power' roles to retrieve sensitive API tokens.

Impact

Exploitation of this vulnerability allows low-privileged users to access the Observability Cloud API access token, potentially leading to unauthorized actions or access within the Observability Cloud environment.

Remediation

Users should upgrade Splunk Enterprise to versions 10.2.1 or 10.0.4. For Splunk Cloud Platform, no action is needed as Splunk is actively monitoring and patching instances. After upgrading Splunk Enterprise, it is recommended to rotate the Observability API token.
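An added example, not code from Splunk or from this page: a branch-aware triage of an inventory against the fixed releases listed above. It shows why a single "older than 10.2.1" comparison mislabels a patched 10.0.4 host. The host names and inventory are constructed, and returning "unknown" for release lines the advisory does not name is an assumption.

```python
# Fixed releases copied from the advisory text above.
# Key: release line (version prefix). Value: first fixed patch level on that line.
FIXED = {
    "enterprise": {(10, 2): (1,), (10, 0): (4,)},
    "cloud": {(10, 2, 2510): (5,), (10, 1, 2507): (16,), (10, 0, 2503): (12,)},
}


def parse(version):
    """Turn '10.0.4' into (10, 0, 4); raises ValueError on non-numeric parts."""
    return tuple(int(part) for part in version.strip().split("."))


def triage(product, version):
    """Return 'affected', 'fixed' or 'unknown' for one installation.

    'unknown' (an assumption of this example) means the release line is not
    named in the advisory, so the vendor bulletin has to be checked by hand.
    """
    try:
        v = parse(version)
    except ValueError:
        return "unknown"
    for line, first_fixed in FIXED.get(product.lower(), {}).items():
        if v[:len(line)] == line:
            # Compare only the part after the release line, so hotfix
            # suffixes such as 10.0.3.1 still sort below 10.0.4.
            return "affected" if v[len(line):] < first_fixed else "fixed"
    return "unknown"


def report(inventory):
    """Map each host in (host, product, version) rows to its triage status."""
    return {host: triage(product, version) for host, product, version in inventory}


# Constructed sample inventory; host names are hypothetical.
INVENTORY = [
    ("sh01.example.internal", "enterprise", "10.0.4"),
    ("sh02.example.internal", "enterprise", "10.2.0"),
    ("idx01.example.internal", "enterprise", "10.0.3.1"),
    ("stack-a", "cloud", "10.1.2507.15"),
    ("legacy01.example.internal", "enterprise", "9.4.2"),
]

if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        todo = " -> upgrade, then rotate the Observability API token" if status == "affected" else ""
        print(f"{host}: {status}{todo}")
```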

Added: Mar 11, 2026, 5:25 PM
Updated: Mar 11, 2026, 5:25 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 2.9
remediation: 8.3
relevance: 3.8
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.