Splunk Cloud Platform
cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*
- < 10.3.2512.6
- < 10.2.2510.10
- < 10.1.2507.19
- < 10.0.2503.13
- < 9.3.2411.127
A vulnerability exists in Splunk Enterprise versions prior to 10.2.2, 10.0.5, 9.4.10, and 9.3.11, as well as in Splunk Cloud Platform versions prior to 10.4.2603.0, 10.3.2512.6, 10.2.2510.10, 10.1.2507.19, 10.0.2503.13, and 9.3.2411.127. In these versions, a low-privileged user who does not hold the 'admin' or 'power' roles and lacks the 'accelerate_datamodel' capability, but has write permission on the app, could enable or disable Data Model Acceleration because of inadequate access controls.
Exploitation of this vulnerability allows low-privileged users to manipulate Data Model Acceleration settings, potentially leading to unauthorized performance optimizations or degradations in data processing and search functionalities.
Users of Splunk Enterprise should upgrade to versions 10.2.2, 10.0.5, 9.4.10, or 9.3.11. For Splunk Cloud Platform users, no action is needed as Splunk is actively monitoring and patching instances.
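As an added example (not Splunk's code and not part of the original advisory), the script below audits which roles match the preconditions described above: write access on an app, neither 'admin' nor 'power', and no 'accelerate_datamodel' capability, directly or inherited. It assumes role stanzas in authorize.conf with `importRoles` and `<capability> = enabled` lines and the `access = ... write : [ ... ]` line from the app's .meta file; the sample configs and role names are constructed.

```python
import re

# Constructed sample configs (not from a real deployment). Role names are hypothetical.
AUTHORIZE_CONF = """
[role_user]
search = enabled
[role_dm_owner]
importRoles = user
accelerate_datamodel = enabled
[role_analyst]
importRoles = user
[role_dm_editor]
importRoles = dm_owner
"""
APP_META = "[]\naccess = read : [ * ], write : [ admin, power, analyst, dm_editor ]\n"
CAP = "accelerate_datamodel"

def parse_roles(text):
    """Map role name -> {'caps': enabled capabilities, 'imports': inherited roles}."""
    roles, cur = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("["):
            m = re.fullmatch(r"\[role_(.+)\]", line)
            cur = roles.setdefault(m.group(1), {"caps": set(), "imports": []}) if m else None
        elif cur is not None and "=" in line and not line.startswith("#"):
            key, val = (p.strip() for p in line.split("=", 1))
            if key == "importRoles":
                cur["imports"] = [r.strip() for r in val.split(";") if r.strip()]
            elif val == "enabled":
                cur["caps"].add(key)
    return roles

def has_cap(role, roles, seen=None):
    """True if the role holds CAP directly or through importRoles (cycle-safe)."""
    seen = set() if seen is None else seen
    if role in seen or role not in roles:
        return False
    seen.add(role)
    return CAP in roles[role]["caps"] or any(has_cap(i, roles, seen) for i in roles[role]["imports"])

def app_writers(meta, roles):
    """Roles named in the app's write ACL; '*' expands to every defined role."""
    m = re.search(r"write\s*:\s*\[([^\]]*)\]", meta)
    names = [r.strip() for r in m.group(1).split(",") if r.strip()] if m else []
    return sorted(roles) if "*" in names else names

def exposed_roles(authorize, meta):
    """Roles matching the advisory's preconditions: app write, not admin/power, no CAP."""
    roles = parse_roles(authorize)
    return sorted(r for r in app_writers(meta, roles)
                  if r not in ("admin", "power") and not has_cap(r, roles))
```

A role named in the write ACL but not defined in the parsed authorize.conf is reported as exposed, so the audit errs on the side of flagging.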