Search criteria
10 vulnerabilities found for Splunk Enterprise Cloud by Splunk
CVE-2025-20370 (GCVE-0-2025-20370)
Vulnerability from cvelistv5 – Published: 2025-10-01 16:07 – Updated: 2025-10-01 17:36
VLAI?
Title
Denial of Service (DoS) through Multiple LDAP Bind Requests in Splunk Enterprise
Summary
In Splunk Enterprise versions below 10.0.1, 9.4.4, 9.3.6, and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.108, 9.3.2408.118 and 9.2.2406.123, a user who holds a role that contains the high-privilege capability `change_authentication`, could send multiple LDAP bind requests to a specific internal endpoint, resulting in high server CPU usage, which could potentially lead to a denial of service (DoS) until the Splunk Enterprise instance is restarted. See https://help.splunk.com/en/splunk-enterprise/administer/manage-users-and-security/10.0/manage-splunk-platform-users-and-roles/define-roles-on-the-splunk-platform-with-capabilities and https://help.splunk.com/en/splunk-enterprise/administer/manage-users-and-security/10.0/use-ldap-as-an-authentication-scheme/configure-ldap-with-splunk-web#cfe47e31_007f_460d_8b3d_8505ffc3f0dd__Configure_LDAP_with_Splunk_Web for more information.
Severity ?
4.9 (Medium)
CWE
- CWE-400 - The software does not properly control the allocation and maintenance of a limited resource thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Splunk | Splunk Enterprise |
Affected:
10.0 , < 10.0.1
(custom)
Affected: 9.4 , < 9.4.4 (custom) Affected: 9.3 , < 9.3.6 (custom) Affected: 9.2 , < 9.2.8 (custom) |
|||||||
|
|||||||||
Credits
STÖK / Fredrik Alexandersson
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-20370",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T17:22:44.584017Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T17:36:09.560Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Splunk Enterprise",
"vendor": "Splunk",
"versions": [
{
"lessThan": "10.0.1",
"status": "affected",
"version": "10.0",
"versionType": "custom"
},
{
"lessThan": "9.4.4",
"status": "affected",
"version": "9.4",
"versionType": "custom"
},
{
"lessThan": "9.3.6",
"status": "affected",
"version": "9.3",
"versionType": "custom"
},
{
"lessThan": "9.2.8",
"status": "affected",
"version": "9.2",
"versionType": "custom"
}
]
},
{
"product": "Splunk Enterprise Cloud",
"vendor": "Splunk",
"versions": [
{
"lessThan": "9.3.2411.108",
"status": "affected",
"version": "9.3.2411",
"versionType": "custom"
},
{
"lessThan": "9.3.2408.118",
"status": "affected",
"version": "9.3.2408",
"versionType": "custom"
},
{
"lessThan": "9.2.2406.123",
"status": "affected",
"version": "9.2.2406",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "ST\u00d6K / Fredrik Alexandersson"
}
],
"datePublic": "2025-10-01T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Splunk Enterprise versions below 10.0.1, 9.4.4, 9.3.6, and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.108, 9.3.2408.118 and 9.2.2406.123, a user who holds a role that contains the high-privilege capability `change_authentication`, could send multiple LDAP bind requests to a specific internal endpoint, resulting in high server CPU usage, which could potentially lead to a denial of service (DoS) until the Splunk Enterprise instance is restarted. See https://help.splunk.com/en/splunk-enterprise/administer/manage-users-and-security/10.0/manage-splunk-platform-users-and-roles/define-roles-on-the-splunk-platform-with-capabilities and https://help.splunk.com/en/splunk-enterprise/administer/manage-users-and-security/10.0/use-ldap-as-an-authentication-scheme/configure-ldap-with-splunk-web#cfe47e31_007f_460d_8b3d_8505ffc3f0dd__Configure_LDAP_with_Splunk_Web for more information."
}
],
"value": "In Splunk Enterprise versions below 10.0.1, 9.4.4, 9.3.6, and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.108, 9.3.2408.118 and 9.2.2406.123, a user who holds a role that contains the high-privilege capability `change_authentication`, could send multiple LDAP bind requests to a specific internal endpoint, resulting in high server CPU usage, which could potentially lead to a denial of service (DoS) until the Splunk Enterprise instance is restarted. See https://help.splunk.com/en/splunk-enterprise/administer/manage-users-and-security/10.0/manage-splunk-platform-users-and-roles/define-roles-on-the-splunk-platform-with-capabilities and https://help.splunk.com/en/splunk-enterprise/administer/manage-users-and-security/10.0/use-ldap-as-an-authentication-scheme/configure-ldap-with-splunk-web#cfe47e31_007f_460d_8b3d_8505ffc3f0dd__Configure_LDAP_with_Splunk_Web for more information."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "The software does not properly control the allocation and maintenance of a limited resource thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.",
"lang": "en",
"type": "cwe"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T16:07:57.541Z",
"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"shortName": "cisco"
},
"references": [
{
"url": "https://advisory.splunk.com/advisories/SVD-2025-1005"
}
],
"source": {
"advisory": "SVD-2025-1005"
},
"title": "Denial of Service (DoS) through Multiple LDAP Bind Requests in Splunk Enterprise"
}
},
"cveMetadata": {
"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"assignerShortName": "cisco",
"cveId": "CVE-2025-20370",
"datePublished": "2025-10-01T16:07:57.541Z",
"dateReserved": "2024-10-10T19:15:13.262Z",
"dateUpdated": "2025-10-01T17:36:09.560Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-20322 (GCVE-0-2025-20322)
Vulnerability from cvelistv5 – Published: 2025-07-07 17:48 – Updated: 2025-07-07 18:04
VLAI?
Title
Denial of Service (DoS) in Search Head Cluster through Cross-Site Request Forgery (CSRF) in Splunk Enterprise
Summary
In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7, and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.104, 9.3.2408.113, and 9.2.2406.119, an unauthenticated attacker could send a specially-crafted SPL search command that could trigger a rolling restart in the Search Head Cluster through a Cross-Site Request Forgery (CSRF), potentially leading to a denial of service (DoS).<br><br>The vulnerability requires the attacker to phish the administrator-level victim by tricking them into initiating a request within their browser. The attacker should not be able to exploit the vulnerability at will.<br><br>See [How rolling restart works](https://docs.splunk.com/Documentation/Splunk/9.4.2/DistSearch/RestartSHC) for more information.
Severity ?
4.3 (Medium)
CWE
- CWE-352 - The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Splunk | Splunk Enterprise |
Affected:
9.4 , < 9.4.3
(custom)
Affected: 9.3 , < 9.3.5 (custom) Affected: 9.2 , < 9.2.7 (custom) Affected: 9.1 , < 9.1.10 (custom) |
|||||||
|
|||||||||
Credits
Anton (therceman)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-20322",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-07T18:04:29.197904Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-07T18:04:40.952Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Splunk Enterprise",
"vendor": "Splunk",
"versions": [
{
"lessThan": "9.4.3",
"status": "affected",
"version": "9.4",
"versionType": "custom"
},
{
"lessThan": "9.3.5",
"status": "affected",
"version": "9.3",
"versionType": "custom"
},
{
"lessThan": "9.2.7",
"status": "affected",
"version": "9.2",
"versionType": "custom"
},
{
"lessThan": "9.1.10",
"status": "affected",
"version": "9.1",
"versionType": "custom"
}
]
},
{
"product": "Splunk Enterprise Cloud",
"vendor": "Splunk",
"versions": [
{
"lessThan": "9.3.2411.104",
"status": "affected",
"version": "9.3.2411",
"versionType": "custom"
},
{
"lessThan": "9.3.2408.113",
"status": "affected",
"version": "9.3.2408",
"versionType": "custom"
},
{
"lessThan": "9.2.2406.119",
"status": "affected",
"version": "9.2.2406",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Anton (therceman)"
}
],
"datePublic": "2025-07-07T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7, and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.104, 9.3.2408.113, and 9.2.2406.119, an unauthenticated attacker could send a specially-crafted SPL search command that could trigger a rolling restart in the Search Head Cluster through a Cross-Site Request Forgery (CSRF), potentially leading to a denial of service (DoS).\u003cbr\u003e\u003cbr\u003eThe vulnerability requires the attacker to phish the administrator-level victim by tricking them into initiating a request within their browser. The attacker should not be able to exploit the vulnerability at will.\u003cbr\u003e\u003cbr\u003eSee [How rolling restart works](https://docs.splunk.com/Documentation/Splunk/9.4.2/DistSearch/RestartSHC) for more information."
}
],
"value": "In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7, and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.104, 9.3.2408.113, and 9.2.2406.119, an unauthenticated attacker could send a specially-crafted SPL search command that could trigger a rolling restart in the Search Head Cluster through a Cross-Site Request Forgery (CSRF), potentially leading to a denial of service (DoS).\u003cbr\u003e\u003cbr\u003eThe vulnerability requires the attacker to phish the administrator-level victim by tricking them into initiating a request within their browser. The attacker should not be able to exploit the vulnerability at will.\u003cbr\u003e\u003cbr\u003eSee [How rolling restart works](https://docs.splunk.com/Documentation/Splunk/9.4.2/DistSearch/RestartSHC) for more information."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.",
"lang": "en",
"type": "cwe"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-07T17:48:05.482Z",
"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"shortName": "cisco"
},
"references": [
{
"url": "https://advisory.splunk.com/advisories/SVD-2025-0705"
}
],
"source": {
"advisory": "SVD-2025-0705"
},
"title": "Denial of Service (DoS) in Search Head Cluster through Cross-Site Request Forgery (CSRF) in Splunk Enterprise"
}
},
"cveMetadata": {
"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"assignerShortName": "cisco",
"cveId": "CVE-2025-20322",
"datePublished": "2025-07-07T17:48:05.482Z",
"dateReserved": "2024-10-10T19:15:13.254Z",
"dateUpdated": "2025-07-07T18:04:40.952Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-20321 (GCVE-0-2025-20321)
Vulnerability from cvelistv5 – Published: 2025-07-07 17:48 – Updated: 2025-07-07 18:07
VLAI?
Title
Membership State Change in Splunk Search Head Cluster through a Cross-Site Request Forgery (CSRF) in Splunk Enterprise
Summary
In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7 and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.104, 9.3.2408.114, and 9.2.2406.119, an unauthenticated attacker can send a specially-crafted SPL search that could change the membership state in a Splunk Search Head Cluster (SHC) through a Cross-Site Request Forgery (CSRF), potentially leading to the removal of the captain or a member of the SHC.<br><br>The vulnerability requires the attacker to phish the administrator-level victim by tricking them into initiating a request within their browser. The attacker should not be able to exploit the vulnerability at will.
Severity ?
6.5 (Medium)
CWE
- CWE-352 - The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Splunk | Splunk Enterprise |
Affected:
9.4 , < 9.4.3
(custom)
Affected: 9.3 , < 9.3.5 (custom) Affected: 9.2 , < 9.2.7 (custom) Affected: 9.1 , < 9.1.10 (custom) |
|||||||
|
|||||||||
Credits
Anton (therceman)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-20321",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-07T18:07:38.792613Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-07T18:07:50.729Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Splunk Enterprise",
"vendor": "Splunk",
"versions": [
{
"lessThan": "9.4.3",
"status": "affected",
"version": "9.4",
"versionType": "custom"
},
{
"lessThan": "9.3.5",
"status": "affected",
"version": "9.3",
"versionType": "custom"
},
{
"lessThan": "9.2.7",
"status": "affected",
"version": "9.2",
"versionType": "custom"
},
{
"lessThan": "9.1.10",
"status": "affected",
"version": "9.1",
"versionType": "custom"
}
]
},
{
"product": "Splunk Enterprise Cloud",
"vendor": "Splunk",
"versions": [
{
"lessThan": "9.3.2411.104",
"status": "affected",
"version": "9.3.2411",
"versionType": "custom"
},
{
"lessThan": "9.3.2408.114",
"status": "affected",
"version": "9.3.2408",
"versionType": "custom"
},
{
"lessThan": "9.2.2406.119",
"status": "affected",
"version": "9.2.2406",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Anton (therceman)"
}
],
"datePublic": "2025-07-07T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7 and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.104, 9.3.2408.114, and 9.2.2406.119, an unauthenticated attacker can send a specially-crafted SPL search that could change the membership state in a Splunk Search Head Cluster (SHC) through a Cross-Site Request Forgery (CSRF), potentially leading to the removal of the captain or a member of the SHC.\u003cbr\u003e\u003cbr\u003eThe vulnerability requires the attacker to phish the administrator-level victim by tricking them into initiating a request within their browser. The attacker should not be able to exploit the vulnerability at will."
}
],
"value": "In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7 and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.104, 9.3.2408.114, and 9.2.2406.119, an unauthenticated attacker can send a specially-crafted SPL search that could change the membership state in a Splunk Search Head Cluster (SHC) through a Cross-Site Request Forgery (CSRF), potentially leading to the removal of the captain or a member of the SHC.\u003cbr\u003e\u003cbr\u003eThe vulnerability requires the attacker to phish the administrator-level victim by tricking them into initiating a request within their browser. The attacker should not be able to exploit the vulnerability at will."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.",
"lang": "en",
"type": "cwe"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-07T17:48:03.146Z",
"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"shortName": "cisco"
},
"references": [
{
"url": "https://advisory.splunk.com/advisories/SVD-2025-0704"
}
],
"source": {
"advisory": "SVD-2025-0704"
},
"title": "Membership State Change in Splunk Search Head Cluster through a Cross-Site Request Forgery (CSRF) in Splunk Enterprise"
}
},
"cveMetadata": {
"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"assignerShortName": "cisco",
"cveId": "CVE-2025-20321",
"datePublished": "2025-07-07T17:48:03.146Z",
"dateReserved": "2024-10-10T19:15:13.254Z",
"dateUpdated": "2025-07-07T18:07:50.729Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-20324 (GCVE-0-2025-20324)
Vulnerability from cvelistv5 – Published: 2025-07-07 17:48 – Updated: 2025-07-08 13:36
VLAI?
Title
Improper Access Control in System Source Types Configuration in Splunk Enterprise
Summary
In Splunk Enterprise versions below 9.4.2, 9.3.5, 9.2.7, and 9.1.10 and Splunk Cloud Platform versions below 9.3.2411.104, 9.3.2408.113, and 9.2.2406.119, a low-privileged user that does not hold the "admin" or "power" Splunk roles could create or overwrite [system source type](https://help.splunk.com/en/splunk-enterprise/get-started/get-data-in/9.2/configure-source-types/create-source-types) configurations by sending a specially-crafted payload to the `/servicesNS/nobody/search/admin/sourcetypes/` REST endpoint on the Splunk management port.
Severity ?
5.4 (Medium)
CWE
- CWE-284 - The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Splunk | Splunk Enterprise |
Affected:
9.4 , < 9.4.2
(custom)
Affected: 9.3 , < 9.3.5 (custom) Affected: 9.2 , < 9.2.7 (custom) Affected: 9.1 , < 9.1.10 (custom) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-20324",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-08T13:36:47.709223Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-08T13:36:57.794Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Splunk Enterprise",
"vendor": "Splunk",
"versions": [
{
"lessThan": "9.4.2",
"status": "affected",
"version": "9.4",
"versionType": "custom"
},
{
"lessThan": "9.3.5",
"status": "affected",
"version": "9.3",
"versionType": "custom"
},
{
"lessThan": "9.2.7",
"status": "affected",
"version": "9.2",
"versionType": "custom"
},
{
"lessThan": "9.1.10",
"status": "affected",
"version": "9.1",
"versionType": "custom"
}
]
},
{
"product": "Splunk Enterprise Cloud",
"vendor": "Splunk",
"versions": [
{
"lessThan": "9.3.2411.104",
"status": "affected",
"version": "9.3.2411",
"versionType": "custom"
},
{
"lessThan": "9.3.2408.113",
"status": "affected",
"version": "9.3.2408",
"versionType": "custom"
},
{
"lessThan": "9.2.2406.119",
"status": "affected",
"version": "9.2.2406",
"versionType": "custom"
}
]
}
],
"datePublic": "2025-07-07T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Splunk Enterprise versions below 9.4.2, 9.3.5, 9.2.7, and 9.1.10 and Splunk Cloud Platform versions below 9.3.2411.104, 9.3.2408.113, and 9.2.2406.119, a low-privileged user that does not hold the \"admin\" or \"power\" Splunk roles could create or overwrite [system source type](https://help.splunk.com/en/splunk-enterprise/get-started/get-data-in/9.2/configure-source-types/create-source-types) configurations by sending a specially-crafted payload to the `/servicesNS/nobody/search/admin/sourcetypes/` REST endpoint on the Splunk management port."
}
],
"value": "In Splunk Enterprise versions below 9.4.2, 9.3.5, 9.2.7, and 9.1.10 and Splunk Cloud Platform versions below 9.3.2411.104, 9.3.2408.113, and 9.2.2406.119, a low-privileged user that does not hold the \"admin\" or \"power\" Splunk roles could create or overwrite [system source type](https://help.splunk.com/en/splunk-enterprise/get-started/get-data-in/9.2/configure-source-types/create-source-types) configurations by sending a specially-crafted payload to the `/servicesNS/nobody/search/admin/sourcetypes/` REST endpoint on the Splunk management port."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.",
"lang": "en",
"type": "cwe"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-07T17:48:00.484Z",
"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"shortName": "cisco"
},
"references": [
{
"url": "https://advisory.splunk.com/advisories/SVD-2025-0707"
}
],
"source": {
"advisory": "SVD-2025-0707"
},
"title": "Improper Access Control in System Source Types Configuration in Splunk Enterprise"
}
},
"cveMetadata": {
"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"assignerShortName": "cisco",
"cveId": "CVE-2025-20324",
"datePublished": "2025-07-07T17:48:00.484Z",
"dateReserved": "2024-10-10T19:15:13.254Z",
"dateUpdated": "2025-07-08T13:36:57.794Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-20320 (GCVE-0-2025-20320)
Vulnerability from cvelistv5 – Published: 2025-07-07 17:47 – Updated: 2025-07-08 13:37
VLAI?
Title
Denial of Service (DoS) through “User Interface - Views“ configuration page in Splunk Enterprise
Summary
In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7 and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.107, 9.3.2408.117, and 9.2.2406.121, a low-privileged user that does not hold the "admin" or "power" Splunk roles could craft a malicious payload through the `User Interface - Views` configuration page that could potentially lead to a denial of service (DoS).The user could cause the DoS by exploiting a path traversal vulnerability that allows for deletion of arbitrary files within a Splunk directory. The vulnerability requires the low-privileged user to phish the administrator-level victim by tricking them into initiating a request within their browser. The low-privileged user should not be able to exploit the vulnerability at will.
Severity ?
6.3 (Medium)
CWE
- CWE-35 - The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' (doubled triple dot slash) sequences that can resolve to a location that is outside of that directory.
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Splunk | Splunk Enterprise |
Affected:
9.4 , < 9.4.3
(custom)
Affected: 9.3 , < 9.3.5 (custom) Affected: 9.2 , < 9.2.7 (custom) Affected: 9.1 , < 9.1.10 (custom) |
|||||||
|
|||||||||
Credits
Danylo Dmytriiev (DDV_UA)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-20320",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-08T13:37:10.108433Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-08T13:37:17.043Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Splunk Enterprise",
"vendor": "Splunk",
"versions": [
{
"lessThan": "9.4.3",
"status": "affected",
"version": "9.4",
"versionType": "custom"
},
{
"lessThan": "9.3.5",
"status": "affected",
"version": "9.3",
"versionType": "custom"
},
{
"lessThan": "9.2.7",
"status": "affected",
"version": "9.2",
"versionType": "custom"
},
{
"lessThan": "9.1.10",
"status": "affected",
"version": "9.1",
"versionType": "custom"
}
]
},
{
"product": "Splunk Enterprise Cloud",
"vendor": "Splunk",
"versions": [
{
"lessThan": "9.3.2411.107",
"status": "affected",
"version": "9.3.2411",
"versionType": "custom"
},
{
"lessThan": "9.3.2408.117",
"status": "affected",
"version": "9.3.2408",
"versionType": "custom"
},
{
"lessThan": "9.2.2406.121",
"status": "affected",
"version": "9.2.2406",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Danylo Dmytriiev (DDV_UA)"
}
],
"datePublic": "2025-07-07T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7 and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.107, 9.3.2408.117, and 9.2.2406.121, a low-privileged user that does not hold the \"admin\" or \"power\" Splunk roles could craft a malicious payload through the `User Interface - Views` configuration page that could potentially lead to a denial of service (DoS).The user could cause the DoS by exploiting a path traversal vulnerability that allows for deletion of arbitrary files within a Splunk directory. The vulnerability requires the low-privileged user to phish the administrator-level victim by tricking them into initiating a request within their browser. The low-privileged user should not be able to exploit the vulnerability at will."
}
],
"value": "In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7 and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.107, 9.3.2408.117, and 9.2.2406.121, a low-privileged user that does not hold the \"admin\" or \"power\" Splunk roles could craft a malicious payload through the `User Interface - Views` configuration page that could potentially lead to a denial of service (DoS).The user could cause the DoS by exploiting a path traversal vulnerability that allows for deletion of arbitrary files within a Splunk directory. The vulnerability requires the low-privileged user to phish the administrator-level victim by tricking them into initiating a request within their browser. The low-privileged user should not be able to exploit the vulnerability at will."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-35",
"description": "The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize \u0027.../...//\u0027 (doubled triple dot slash) sequences that can resolve to a location that is outside of that directory.",
"lang": "en",
"type": "cwe"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-07T17:47:59.569Z",
"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"shortName": "cisco"
},
"references": [
{
"url": "https://advisory.splunk.com/advisories/SVD-2025-0703"
}
],
"source": {
"advisory": "SVD-2025-0703"
},
"title": "Denial of Service (DoS) through \u201cUser Interface - Views\u201c configuration page in Splunk Enterprise"
}
},
"cveMetadata": {
"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"assignerShortName": "cisco",
"cveId": "CVE-2025-20320",
"datePublished": "2025-07-07T17:47:59.569Z",
"dateReserved": "2024-10-10T19:15:13.254Z",
"dateUpdated": "2025-07-08T13:37:17.043Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-20370 (GCVE-0-2025-20370)
Vulnerability from nvd – Published: 2025-10-01 16:07 – Updated: 2025-10-01 17:36
VLAI?
Title
Denial of Service (DoS) through Multiple LDAP Bind Requests in Splunk Enterprise
Summary
In Splunk Enterprise versions below 10.0.1, 9.4.4, 9.3.6, and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.108, 9.3.2408.118 and 9.2.2406.123, a user who holds a role that contains the high-privilege capability `change_authentication`, could send multiple LDAP bind requests to a specific internal endpoint, resulting in high server CPU usage, which could potentially lead to a denial of service (DoS) until the Splunk Enterprise instance is restarted. See https://help.splunk.com/en/splunk-enterprise/administer/manage-users-and-security/10.0/manage-splunk-platform-users-and-roles/define-roles-on-the-splunk-platform-with-capabilities and https://help.splunk.com/en/splunk-enterprise/administer/manage-users-and-security/10.0/use-ldap-as-an-authentication-scheme/configure-ldap-with-splunk-web#cfe47e31_007f_460d_8b3d_8505ffc3f0dd__Configure_LDAP_with_Splunk_Web for more information.
Severity ?
4.9 (Medium)
CWE
- CWE-400 - The software does not properly control the allocation and maintenance of a limited resource thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Splunk | Splunk Enterprise |
Affected:
10.0 , < 10.0.1
(custom)
Affected: 9.4 , < 9.4.4 (custom) Affected: 9.3 , < 9.3.6 (custom) Affected: 9.2 , < 9.2.8 (custom) |
|||||||
|
|||||||||
Credits
STÖK / Fredrik Alexandersson
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-20370",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T17:22:44.584017Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T17:36:09.560Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Splunk Enterprise",
"vendor": "Splunk",
"versions": [
{
"lessThan": "10.0.1",
"status": "affected",
"version": "10.0",
"versionType": "custom"
},
{
"lessThan": "9.4.4",
"status": "affected",
"version": "9.4",
"versionType": "custom"
},
{
"lessThan": "9.3.6",
"status": "affected",
"version": "9.3",
"versionType": "custom"
},
{
"lessThan": "9.2.8",
"status": "affected",
"version": "9.2",
"versionType": "custom"
}
]
},
{
"product": "Splunk Enterprise Cloud",
"vendor": "Splunk",
"versions": [
{
"lessThan": "9.3.2411.108",
"status": "affected",
"version": "9.3.2411",
"versionType": "custom"
},
{
"lessThan": "9.3.2408.118",
"status": "affected",
"version": "9.3.2408",
"versionType": "custom"
},
{
"lessThan": "9.2.2406.123",
"status": "affected",
"version": "9.2.2406",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "ST\u00d6K / Fredrik Alexandersson"
}
],
"datePublic": "2025-10-01T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Splunk Enterprise versions below 10.0.1, 9.4.4, 9.3.6, and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.108, 9.3.2408.118 and 9.2.2406.123, a user who holds a role that contains the high-privilege capability `change_authentication`, could send multiple LDAP bind requests to a specific internal endpoint, resulting in high server CPU usage, which could potentially lead to a denial of service (DoS) until the Splunk Enterprise instance is restarted. See https://help.splunk.com/en/splunk-enterprise/administer/manage-users-and-security/10.0/manage-splunk-platform-users-and-roles/define-roles-on-the-splunk-platform-with-capabilities and https://help.splunk.com/en/splunk-enterprise/administer/manage-users-and-security/10.0/use-ldap-as-an-authentication-scheme/configure-ldap-with-splunk-web#cfe47e31_007f_460d_8b3d_8505ffc3f0dd__Configure_LDAP_with_Splunk_Web for more information."
}
],
"value": "In Splunk Enterprise versions below 10.0.1, 9.4.4, 9.3.6, and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.108, 9.3.2408.118 and 9.2.2406.123, a user who holds a role that contains the high-privilege capability `change_authentication`, could send multiple LDAP bind requests to a specific internal endpoint, resulting in high server CPU usage, which could potentially lead to a denial of service (DoS) until the Splunk Enterprise instance is restarted. See https://help.splunk.com/en/splunk-enterprise/administer/manage-users-and-security/10.0/manage-splunk-platform-users-and-roles/define-roles-on-the-splunk-platform-with-capabilities and https://help.splunk.com/en/splunk-enterprise/administer/manage-users-and-security/10.0/use-ldap-as-an-authentication-scheme/configure-ldap-with-splunk-web#cfe47e31_007f_460d_8b3d_8505ffc3f0dd__Configure_LDAP_with_Splunk_Web for more information."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "The software does not properly control the allocation and maintenance of a limited resource thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.",
"lang": "en",
"type": "cwe"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T16:07:57.541Z",
"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"shortName": "cisco"
},
"references": [
{
"url": "https://advisory.splunk.com/advisories/SVD-2025-1005"
}
],
"source": {
"advisory": "SVD-2025-1005"
},
"title": "Denial of Service (DoS) through Multiple LDAP Bind Requests in Splunk Enterprise"
}
},
"cveMetadata": {
"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"assignerShortName": "cisco",
"cveId": "CVE-2025-20370",
"datePublished": "2025-10-01T16:07:57.541Z",
"dateReserved": "2024-10-10T19:15:13.262Z",
"dateUpdated": "2025-10-01T17:36:09.560Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-20322 (GCVE-0-2025-20322)
Vulnerability from nvd – Published: 2025-07-07 17:48 – Updated: 2025-07-07 18:04
VLAI?
Title
Denial of Service (DoS) in Search Head Cluster through Cross-Site Request Forgery (CSRF) in Splunk Enterprise
Summary
In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7, and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.104, 9.3.2408.113, and 9.2.2406.119, an unauthenticated attacker could send a specially-crafted SPL search command that could trigger a rolling restart in the Search Head Cluster through a Cross-Site Request Forgery (CSRF), potentially leading to a denial of service (DoS).<br><br>The vulnerability requires the attacker to phish the administrator-level victim by tricking them into initiating a request within their browser. The attacker should not be able to exploit the vulnerability at will.<br><br>See [How rolling restart works](https://docs.splunk.com/Documentation/Splunk/9.4.2/DistSearch/RestartSHC) for more information.
Severity ?
4.3 (Medium)
CWE
- CWE-352 - The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Splunk | Splunk Enterprise |
Affected:
9.4 , < 9.4.3
(custom)
Affected: 9.3 , < 9.3.5 (custom) Affected: 9.2 , < 9.2.7 (custom) Affected: 9.1 , < 9.1.10 (custom) |
|||||||
|
|||||||||
Credits
Anton (therceman)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-20322",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-07T18:04:29.197904Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-07T18:04:40.952Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Splunk Enterprise",
"vendor": "Splunk",
"versions": [
{
"lessThan": "9.4.3",
"status": "affected",
"version": "9.4",
"versionType": "custom"
},
{
"lessThan": "9.3.5",
"status": "affected",
"version": "9.3",
"versionType": "custom"
},
{
"lessThan": "9.2.7",
"status": "affected",
"version": "9.2",
"versionType": "custom"
},
{
"lessThan": "9.1.10",
"status": "affected",
"version": "9.1",
"versionType": "custom"
}
]
},
{
"product": "Splunk Enterprise Cloud",
"vendor": "Splunk",
"versions": [
{
"lessThan": "9.3.2411.104",
"status": "affected",
"version": "9.3.2411",
"versionType": "custom"
},
{
"lessThan": "9.3.2408.113",
"status": "affected",
"version": "9.3.2408",
"versionType": "custom"
},
{
"lessThan": "9.2.2406.119",
"status": "affected",
"version": "9.2.2406",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Anton (therceman)"
}
],
"datePublic": "2025-07-07T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7, and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.104, 9.3.2408.113, and 9.2.2406.119, an unauthenticated attacker could send a specially-crafted SPL search command that could trigger a rolling restart in the Search Head Cluster through a Cross-Site Request Forgery (CSRF), potentially leading to a denial of service (DoS).\u003cbr\u003e\u003cbr\u003eThe vulnerability requires the attacker to phish the administrator-level victim by tricking them into initiating a request within their browser. The attacker should not be able to exploit the vulnerability at will.\u003cbr\u003e\u003cbr\u003eSee [How rolling restart works](https://docs.splunk.com/Documentation/Splunk/9.4.2/DistSearch/RestartSHC) for more information."
}
],
"value": "In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7, and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.104, 9.3.2408.113, and 9.2.2406.119, an unauthenticated attacker could send a specially-crafted SPL search command that could trigger a rolling restart in the Search Head Cluster through a Cross-Site Request Forgery (CSRF), potentially leading to a denial of service (DoS).\u003cbr\u003e\u003cbr\u003eThe vulnerability requires the attacker to phish the administrator-level victim by tricking them into initiating a request within their browser. The attacker should not be able to exploit the vulnerability at will.\u003cbr\u003e\u003cbr\u003eSee [How rolling restart works](https://docs.splunk.com/Documentation/Splunk/9.4.2/DistSearch/RestartSHC) for more information."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.",
"lang": "en",
"type": "cwe"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-07T17:48:05.482Z",
"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"shortName": "cisco"
},
"references": [
{
"url": "https://advisory.splunk.com/advisories/SVD-2025-0705"
}
],
"source": {
"advisory": "SVD-2025-0705"
},
"title": "Denial of Service (DoS) in Search Head Cluster through Cross-Site Request Forgery (CSRF) in Splunk Enterprise"
}
},
"cveMetadata": {
"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"assignerShortName": "cisco",
"cveId": "CVE-2025-20322",
"datePublished": "2025-07-07T17:48:05.482Z",
"dateReserved": "2024-10-10T19:15:13.254Z",
"dateUpdated": "2025-07-07T18:04:40.952Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-20321 (GCVE-0-2025-20321)
Vulnerability from nvd – Published: 2025-07-07 17:48 – Updated: 2025-07-07 18:07
VLAI?
Title
Membership State Change in Splunk Search Head Cluster through a Cross-Site Request Forgery (CSRF) in Splunk Enterprise
Summary
In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7 and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.104, 9.3.2408.114, and 9.2.2406.119, an unauthenticated attacker can send a specially-crafted SPL search that could change the membership state in a Splunk Search Head Cluster (SHC) through a Cross-Site Request Forgery (CSRF), potentially leading to the removal of the captain or a member of the SHC.<br><br>The vulnerability requires the attacker to phish the administrator-level victim by tricking them into initiating a request within their browser. The attacker should not be able to exploit the vulnerability at will.
Severity ?
6.5 (Medium)
CWE
- CWE-352 - The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Splunk | Splunk Enterprise |
Affected:
9.4 , < 9.4.3
(custom)
Affected: 9.3 , < 9.3.5 (custom) Affected: 9.2 , < 9.2.7 (custom) Affected: 9.1 , < 9.1.10 (custom) |
|||||||
|
|||||||||
Credits
Anton (therceman)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-20321",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-07T18:07:38.792613Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-07T18:07:50.729Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Splunk Enterprise",
"vendor": "Splunk",
"versions": [
{
"lessThan": "9.4.3",
"status": "affected",
"version": "9.4",
"versionType": "custom"
},
{
"lessThan": "9.3.5",
"status": "affected",
"version": "9.3",
"versionType": "custom"
},
{
"lessThan": "9.2.7",
"status": "affected",
"version": "9.2",
"versionType": "custom"
},
{
"lessThan": "9.1.10",
"status": "affected",
"version": "9.1",
"versionType": "custom"
}
]
},
{
"product": "Splunk Enterprise Cloud",
"vendor": "Splunk",
"versions": [
{
"lessThan": "9.3.2411.104",
"status": "affected",
"version": "9.3.2411",
"versionType": "custom"
},
{
"lessThan": "9.3.2408.114",
"status": "affected",
"version": "9.3.2408",
"versionType": "custom"
},
{
"lessThan": "9.2.2406.119",
"status": "affected",
"version": "9.2.2406",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Anton (therceman)"
}
],
"datePublic": "2025-07-07T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7 and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.104, 9.3.2408.114, and 9.2.2406.119, an unauthenticated attacker can send a specially-crafted SPL search that could change the membership state in a Splunk Search Head Cluster (SHC) through a Cross-Site Request Forgery (CSRF), potentially leading to the removal of the captain or a member of the SHC.\u003cbr\u003e\u003cbr\u003eThe vulnerability requires the attacker to phish the administrator-level victim by tricking them into initiating a request within their browser. The attacker should not be able to exploit the vulnerability at will."
}
],
"value": "In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7 and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.104, 9.3.2408.114, and 9.2.2406.119, an unauthenticated attacker can send a specially-crafted SPL search that could change the membership state in a Splunk Search Head Cluster (SHC) through a Cross-Site Request Forgery (CSRF), potentially leading to the removal of the captain or a member of the SHC.\u003cbr\u003e\u003cbr\u003eThe vulnerability requires the attacker to phish the administrator-level victim by tricking them into initiating a request within their browser. The attacker should not be able to exploit the vulnerability at will."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.",
"lang": "en",
"type": "cwe"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-07T17:48:03.146Z",
"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"shortName": "cisco"
},
"references": [
{
"url": "https://advisory.splunk.com/advisories/SVD-2025-0704"
}
],
"source": {
"advisory": "SVD-2025-0704"
},
"title": "Membership State Change in Splunk Search Head Cluster through a Cross-Site Request Forgery (CSRF) in Splunk Enterprise"
}
},
"cveMetadata": {
"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"assignerShortName": "cisco",
"cveId": "CVE-2025-20321",
"datePublished": "2025-07-07T17:48:03.146Z",
"dateReserved": "2024-10-10T19:15:13.254Z",
"dateUpdated": "2025-07-07T18:07:50.729Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-20324 (GCVE-0-2025-20324)
Vulnerability from nvd – Published: 2025-07-07 17:48 – Updated: 2025-07-08 13:36
VLAI?
Title
Improper Access Control in System Source Types Configuration in Splunk Enterprise
Summary
In Splunk Enterprise versions below 9.4.2, 9.3.5, 9.2.7, and 9.1.10 and Splunk Cloud Platform versions below 9.3.2411.104, 9.3.2408.113, and 9.2.2406.119, a low-privileged user that does not hold the "admin" or "power" Splunk roles could create or overwrite [system source type](https://help.splunk.com/en/splunk-enterprise/get-started/get-data-in/9.2/configure-source-types/create-source-types) configurations by sending a specially-crafted payload to the `/servicesNS/nobody/search/admin/sourcetypes/` REST endpoint on the Splunk management port.
Severity ?
5.4 (Medium)
CWE
- CWE-284 - The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Splunk | Splunk Enterprise |
Affected:
9.4 , < 9.4.2
(custom)
Affected: 9.3 , < 9.3.5 (custom) Affected: 9.2 , < 9.2.7 (custom) Affected: 9.1 , < 9.1.10 (custom) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-20324",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-08T13:36:47.709223Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-08T13:36:57.794Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Splunk Enterprise",
"vendor": "Splunk",
"versions": [
{
"lessThan": "9.4.2",
"status": "affected",
"version": "9.4",
"versionType": "custom"
},
{
"lessThan": "9.3.5",
"status": "affected",
"version": "9.3",
"versionType": "custom"
},
{
"lessThan": "9.2.7",
"status": "affected",
"version": "9.2",
"versionType": "custom"
},
{
"lessThan": "9.1.10",
"status": "affected",
"version": "9.1",
"versionType": "custom"
}
]
},
{
"product": "Splunk Enterprise Cloud",
"vendor": "Splunk",
"versions": [
{
"lessThan": "9.3.2411.104",
"status": "affected",
"version": "9.3.2411",
"versionType": "custom"
},
{
"lessThan": "9.3.2408.113",
"status": "affected",
"version": "9.3.2408",
"versionType": "custom"
},
{
"lessThan": "9.2.2406.119",
"status": "affected",
"version": "9.2.2406",
"versionType": "custom"
}
]
}
],
"datePublic": "2025-07-07T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Splunk Enterprise versions below 9.4.2, 9.3.5, 9.2.7, and 9.1.10 and Splunk Cloud Platform versions below 9.3.2411.104, 9.3.2408.113, and 9.2.2406.119, a low-privileged user that does not hold the \"admin\" or \"power\" Splunk roles could create or overwrite [system source type](https://help.splunk.com/en/splunk-enterprise/get-started/get-data-in/9.2/configure-source-types/create-source-types) configurations by sending a specially-crafted payload to the `/servicesNS/nobody/search/admin/sourcetypes/` REST endpoint on the Splunk management port."
}
],
"value": "In Splunk Enterprise versions below 9.4.2, 9.3.5, 9.2.7, and 9.1.10 and Splunk Cloud Platform versions below 9.3.2411.104, 9.3.2408.113, and 9.2.2406.119, a low-privileged user that does not hold the \"admin\" or \"power\" Splunk roles could create or overwrite [system source type](https://help.splunk.com/en/splunk-enterprise/get-started/get-data-in/9.2/configure-source-types/create-source-types) configurations by sending a specially-crafted payload to the `/servicesNS/nobody/search/admin/sourcetypes/` REST endpoint on the Splunk management port."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.",
"lang": "en",
"type": "cwe"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-07T17:48:00.484Z",
"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"shortName": "cisco"
},
"references": [
{
"url": "https://advisory.splunk.com/advisories/SVD-2025-0707"
}
],
"source": {
"advisory": "SVD-2025-0707"
},
"title": "Improper Access Control in System Source Types Configuration in Splunk Enterprise"
}
},
"cveMetadata": {
"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"assignerShortName": "cisco",
"cveId": "CVE-2025-20324",
"datePublished": "2025-07-07T17:48:00.484Z",
"dateReserved": "2024-10-10T19:15:13.254Z",
"dateUpdated": "2025-07-08T13:36:57.794Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-20320 (GCVE-0-2025-20320)
Vulnerability from nvd – Published: 2025-07-07 17:47 – Updated: 2025-07-08 13:37
VLAI?
Title
Denial of Service (DoS) through “User Interface - Views“ configuration page in Splunk Enterprise
Summary
In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7 and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.107, 9.3.2408.117, and 9.2.2406.121, a low-privileged user that does not hold the "admin" or "power" Splunk roles could craft a malicious payload through the `User Interface - Views` configuration page that could potentially lead to a denial of service (DoS).The user could cause the DoS by exploiting a path traversal vulnerability that allows for deletion of arbitrary files within a Splunk directory. The vulnerability requires the low-privileged user to phish the administrator-level victim by tricking them into initiating a request within their browser. The low-privileged user should not be able to exploit the vulnerability at will.
Severity ?
6.3 (Medium)
CWE
- CWE-35 - The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' (doubled triple dot slash) sequences that can resolve to a location that is outside of that directory.
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Splunk | Splunk Enterprise |
Affected:
9.4 , < 9.4.3
(custom)
Affected: 9.3 , < 9.3.5 (custom) Affected: 9.2 , < 9.2.7 (custom) Affected: 9.1 , < 9.1.10 (custom) |
|||||||
|
|||||||||
Credits
Danylo Dmytriiev (DDV_UA)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-20320",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-08T13:37:10.108433Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-08T13:37:17.043Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Splunk Enterprise",
"vendor": "Splunk",
"versions": [
{
"lessThan": "9.4.3",
"status": "affected",
"version": "9.4",
"versionType": "custom"
},
{
"lessThan": "9.3.5",
"status": "affected",
"version": "9.3",
"versionType": "custom"
},
{
"lessThan": "9.2.7",
"status": "affected",
"version": "9.2",
"versionType": "custom"
},
{
"lessThan": "9.1.10",
"status": "affected",
"version": "9.1",
"versionType": "custom"
}
]
},
{
"product": "Splunk Enterprise Cloud",
"vendor": "Splunk",
"versions": [
{
"lessThan": "9.3.2411.107",
"status": "affected",
"version": "9.3.2411",
"versionType": "custom"
},
{
"lessThan": "9.3.2408.117",
"status": "affected",
"version": "9.3.2408",
"versionType": "custom"
},
{
"lessThan": "9.2.2406.121",
"status": "affected",
"version": "9.2.2406",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Danylo Dmytriiev (DDV_UA)"
}
],
"datePublic": "2025-07-07T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7 and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.107, 9.3.2408.117, and 9.2.2406.121, a low-privileged user that does not hold the \"admin\" or \"power\" Splunk roles could craft a malicious payload through the `User Interface - Views` configuration page that could potentially lead to a denial of service (DoS).The user could cause the DoS by exploiting a path traversal vulnerability that allows for deletion of arbitrary files within a Splunk directory. The vulnerability requires the low-privileged user to phish the administrator-level victim by tricking them into initiating a request within their browser. The low-privileged user should not be able to exploit the vulnerability at will."
}
],
"value": "In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7 and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.107, 9.3.2408.117, and 9.2.2406.121, a low-privileged user that does not hold the \"admin\" or \"power\" Splunk roles could craft a malicious payload through the `User Interface - Views` configuration page that could potentially lead to a denial of service (DoS).The user could cause the DoS by exploiting a path traversal vulnerability that allows for deletion of arbitrary files within a Splunk directory. The vulnerability requires the low-privileged user to phish the administrator-level victim by tricking them into initiating a request within their browser. The low-privileged user should not be able to exploit the vulnerability at will."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-35",
"description": "The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize \u0027.../...//\u0027 (doubled triple dot slash) sequences that can resolve to a location that is outside of that directory.",
"lang": "en",
"type": "cwe"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-07T17:47:59.569Z",
"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"shortName": "cisco"
},
"references": [
{
"url": "https://advisory.splunk.com/advisories/SVD-2025-0703"
}
],
"source": {
"advisory": "SVD-2025-0703"
},
"title": "Denial of Service (DoS) through \u201cUser Interface - Views\u201c configuration page in Splunk Enterprise"
}
},
"cveMetadata": {
"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"assignerShortName": "cisco",
"cveId": "CVE-2025-20320",
"datePublished": "2025-07-07T17:47:59.569Z",
"dateReserved": "2024-10-10T19:15:13.254Z",
"dateUpdated": "2025-07-08T13:37:17.043Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}