cvelistv5 - cve-2025-20322

CVE-2025-20322 (GCVE-0-2025-20322)

Vulnerability from cvelistv5 – Published: 2025-07-07 17:48 – Updated: 2025-07-07 18:04

Title

Denial of Service (DoS) in Search Head Cluster through Cross-Site Request Forgery (CSRF) in Splunk Enterprise

Summary

In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7, and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.104, 9.3.2408.113, and 9.2.2406.119, an unauthenticated attacker could send a specially-crafted SPL search command that could trigger a rolling restart in the Search Head Cluster through a Cross-Site Request Forgery (CSRF), potentially leading to a denial of service (DoS).<br><br>The vulnerability requires the attacker to phish the administrator-level victim by tricking them into initiating a request within their browser. The attacker should not be able to exploit the vulnerability at will.<br><br>See [How rolling restart works](https://docs.splunk.com/Documentation/Splunk/9.4.2/DistSearch/RestartSHC) for more information.

Severity ?

4.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

CWE

CWE-352 - The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

Assigner

cisco

References

URL

Tags

https://advisory.splunk.com/advisories/SVD-2025-0705

Impacted products

Vendor

Product

Version

Splunk

Splunk Enterprise

Affected: 9.4 , < 9.4.3 (custom)
Affected: 9.3 , < 9.3.5 (custom)
Affected: 9.2 , < 9.2.7 (custom)
Affected: 9.1 , < 9.1.10 (custom)

Splunk

Splunk Enterprise Cloud

Affected: 9.3.2411 , < 9.3.2411.104 (custom)
Affected: 9.3.2408 , < 9.3.2408.113 (custom)
Affected: 9.2.2406 , < 9.2.2406.119 (custom)

Credits

Anton (therceman)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-20322",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-07T18:04:29.197904Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-07T18:04:40.952Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Splunk Enterprise",
          "vendor": "Splunk",
          "versions": [
            {
              "lessThan": "9.4.3",
              "status": "affected",
              "version": "9.4",
              "versionType": "custom"
            },
            {
              "lessThan": "9.3.5",
              "status": "affected",
              "version": "9.3",
              "versionType": "custom"
            },
            {
              "lessThan": "9.2.7",
              "status": "affected",
              "version": "9.2",
              "versionType": "custom"
            },
            {
              "lessThan": "9.1.10",
              "status": "affected",
              "version": "9.1",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Splunk Enterprise Cloud",
          "vendor": "Splunk",
          "versions": [
            {
              "lessThan": "9.3.2411.104",
              "status": "affected",
              "version": "9.3.2411",
              "versionType": "custom"
            },
            {
              "lessThan": "9.3.2408.113",
              "status": "affected",
              "version": "9.3.2408",
              "versionType": "custom"
            },
            {
              "lessThan": "9.2.2406.119",
              "status": "affected",
              "version": "9.2.2406",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Anton (therceman)"
        }
      ],
      "datePublic": "2025-07-07T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7, and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.104, 9.3.2408.113, and 9.2.2406.119, an unauthenticated attacker could send a specially-crafted SPL search command that could trigger a rolling restart in the Search Head Cluster through a Cross-Site Request Forgery (CSRF), potentially leading to a denial of service (DoS).\u003cbr\u003e\u003cbr\u003eThe vulnerability requires the attacker to phish the administrator-level victim by tricking them into initiating a request within their browser. The attacker should not be able to exploit the vulnerability at will.\u003cbr\u003e\u003cbr\u003eSee [How rolling restart works](https://docs.splunk.com/Documentation/Splunk/9.4.2/DistSearch/RestartSHC) for more information."
            }
          ],
          "value": "In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7, and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.104, 9.3.2408.113, and 9.2.2406.119, an unauthenticated attacker could send a specially-crafted SPL search command that could trigger a rolling restart in the Search Head Cluster through a Cross-Site Request Forgery (CSRF), potentially leading to a denial of service (DoS).\u003cbr\u003e\u003cbr\u003eThe vulnerability requires the attacker to phish the administrator-level victim by tricking them into initiating a request within their browser. The attacker should not be able to exploit the vulnerability at will.\u003cbr\u003e\u003cbr\u003eSee [How rolling restart works](https://docs.splunk.com/Documentation/Splunk/9.4.2/DistSearch/RestartSHC) for more information."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-352",
              "description": "The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.",
              "lang": "en",
              "type": "cwe"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-07T17:48:05.482Z",
        "orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
        "shortName": "cisco"
      },
      "references": [
        {
          "url": "https://advisory.splunk.com/advisories/SVD-2025-0705"
        }
      ],
      "source": {
        "advisory": "SVD-2025-0705"
      },
      "title": "Denial of Service (DoS) in Search Head Cluster through Cross-Site Request Forgery (CSRF) in Splunk Enterprise"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
    "assignerShortName": "cisco",
    "cveId": "CVE-2025-20322",
    "datePublished": "2025-07-07T17:48:05.482Z",
    "dateReserved": "2024-10-10T19:15:13.254Z",
    "dateUpdated": "2025-07-07T18:04:40.952Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-20322\",\"sourceIdentifier\":\"psirt@cisco.com\",\"published\":\"2025-07-07T18:15:26.307\",\"lastModified\":\"2025-07-21T20:54:57.743\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7, and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.104, 9.3.2408.113, and 9.2.2406.119, an unauthenticated attacker could send a specially-crafted SPL search command that could trigger a rolling restart in the Search Head Cluster through a Cross-Site Request Forgery (CSRF), potentially leading to a denial of service (DoS).\u003cbr\u003e\u003cbr\u003eThe vulnerability requires the attacker to phish the administrator-level victim by tricking them into initiating a request within their browser. The attacker should not be able to exploit the vulnerability at will.\u003cbr\u003e\u003cbr\u003eSee [How rolling restart works](https://docs.splunk.com/Documentation/Splunk/9.4.2/DistSearch/RestartSHC) for more information.\"},{\"lang\":\"es\",\"value\":\"En las versiones de Splunk Enterprise anteriores a 9.4.3, 9.3.5, 9.2.7 y 9.1.10, y Splunk Cloud Platform anteriores a 9.3.2411.104, 9.3.2408.113 y 9.2.2406.119, un atacante no autenticado podr\u00eda enviar un comando de b\u00fasqueda SPL especialmente manipulado que podr\u00eda desencadenar un reinicio progresivo en el cl\u00faster del cabezal de b\u00fasqueda a trav\u00e9s de un Cross-Site Request Forgery (CSRF), lo que podr\u00eda provocar una denegaci\u00f3n de servicio (DoS).\u003cbr\u003e\u003cbr\u003eLa vulnerabilidad requiere que el atacante suplante de identidad (phishing) a la v\u00edctima de nivel de administrador enga\u00f1\u00e1ndola para que inicie una solicitud dentro de su navegador. El atacante no deber\u00eda poder explotar la vulnerabilidad a voluntad.\u003cbr\u003e\u003cbr\u003eConsulte [C\u00f3mo funciona el reinicio continuo](https://docs.splunk.com/Documentation/Splunk/9.4.2/DistSearch/RestartSHC) para obtener m\u00e1s informaci\u00f3n.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"psirt@cisco.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L\",\"baseScore\":4.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L\",\"baseScore\":4.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"psirt@cisco.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-352\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*\",\"versionStartIncluding\":\"9.1.0\",\"versionEndExcluding\":\"9.1.10\",\"matchCriteriaId\":\"F363265C-BE8B-4D9E-BCD7-52D75D4454BA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*\",\"versionStartIncluding\":\"9.2.0\",\"versionEndExcluding\":\"9.2.7\",\"matchCriteriaId\":\"16D7B94B-6E57-4462-BDB1-884E3268967D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*\",\"versionStartIncluding\":\"9.3.0\",\"versionEndExcluding\":\"9.3.5\",\"matchCriteriaId\":\"2AE238E0-742D-4595-8F72-C2D7256718EA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*\",\"versionStartIncluding\":\"9.4.0\",\"versionEndExcluding\":\"9.4.3\",\"matchCriteriaId\":\"6E95070D-E7E2-40F7-8282-0964FC1664F4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"9.2.2406\",\"versionEndExcluding\":\"9.2.2406.119\",\"matchCriteriaId\":\"6591B175-F288-4EE6-809A-A2E9B271EDC1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"9.3.2408\",\"versionEndExcluding\":\"9.3.2408.113\",\"matchCriteriaId\":\"F337F0F2-005E-4181-98D3-28DAB3C36BE6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"9.3.2411\",\"versionEndExcluding\":\"9.3.2411.104\",\"matchCriteriaId\":\"0450CB69-409C-4289-B210-CEB463C77C13\"}]}]}],\"references\":[{\"url\":\"https://advisory.splunk.com/advisories/SVD-2025-0705\",\"source\":\"psirt@cisco.com\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"affected\": [{\"product\": \"Splunk Enterprise\", \"vendor\": \"Splunk\", \"versions\": [{\"version\": \"9.4\", \"status\": \"affected\", \"versionType\": \"custom\", \"lessThan\": \"9.4.3\"}, {\"version\": \"9.3\", \"status\": \"affected\", \"versionType\": \"custom\", \"lessThan\": \"9.3.5\"}, {\"version\": \"9.2\", \"status\": \"affected\", \"versionType\": \"custom\", \"lessThan\": \"9.2.7\"}, {\"version\": \"9.1\", \"status\": \"affected\", \"versionType\": \"custom\", \"lessThan\": \"9.1.10\"}]}, {\"product\": \"Splunk Enterprise Cloud\", \"vendor\": \"Splunk\", \"versions\": [{\"version\": \"9.3.2411\", \"status\": \"affected\", \"versionType\": \"custom\", \"lessThan\": \"9.3.2411.104\"}, {\"version\": \"9.3.2408\", \"status\": \"affected\", \"versionType\": \"custom\", \"lessThan\": \"9.3.2408.113\"}, {\"version\": \"9.2.2406\", \"status\": \"affected\", \"versionType\": \"custom\", \"lessThan\": \"9.2.2406.119\"}]}], \"descriptions\": [{\"lang\": \"en\", \"supportingMedia\": [{\"base64\": false, \"type\": \"text/html\", \"value\": \"In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7, and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.104, 9.3.2408.113, and 9.2.2406.119, an unauthenticated attacker could send a specially-crafted SPL search command that could trigger a rolling restart in the Search Head Cluster through a Cross-Site Request Forgery (CSRF), potentially leading to a denial of service (DoS).\u003cbr\u003e\u003cbr\u003eThe vulnerability requires the attacker to phish the administrator-level victim by tricking them into initiating a request within their browser. The attacker should not be able to exploit the vulnerability at will.\u003cbr\u003e\u003cbr\u003eSee [How rolling restart works](https://docs.splunk.com/Documentation/Splunk/9.4.2/DistSearch/RestartSHC) for more information.\"}], \"value\": \"In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7, and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.104, 9.3.2408.113, and 9.2.2406.119, an unauthenticated attacker could send a specially-crafted SPL search command that could trigger a rolling restart in the Search Head Cluster through a Cross-Site Request Forgery (CSRF), potentially leading to a denial of service (DoS).\u003cbr\u003e\u003cbr\u003eThe vulnerability requires the attacker to phish the administrator-level victim by tricking them into initiating a request within their browser. The attacker should not be able to exploit the vulnerability at will.\u003cbr\u003e\u003cbr\u003eSee [How rolling restart works](https://docs.splunk.com/Documentation/Splunk/9.4.2/DistSearch/RestartSHC) for more information.\"}], \"references\": [{\"url\": \"https://advisory.splunk.com/advisories/SVD-2025-0705\"}], \"title\": \"Denial of Service (DoS) in Search Head Cluster through Cross-Site Request Forgery (CSRF) in Splunk Enterprise\", \"datePublic\": \"2025-07-07T00:00:00.000Z\", \"metrics\": [{\"cvssV3_1\": {\"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L\", \"version\": \"3.1\", \"baseScore\": 4.3, \"baseSeverity\": \"MEDIUM\"}, \"format\": \"CVSS\", \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"cwe\", \"description\": \"The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.\", \"cweId\": \"CWE-352\"}]}], \"source\": {\"advisory\": \"SVD-2025-0705\"}, \"credits\": [{\"lang\": \"en\", \"value\": \"Anton (therceman)\"}], \"providerMetadata\": {\"orgId\": \"d1c1063e-7a18-46af-9102-31f8928bc633\", \"shortName\": \"cisco\", \"dateUpdated\": \"2025-07-07T17:48:05.482Z\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-20322\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-07-07T18:04:29.197904Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-07-07T18:04:32.699Z\"}}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-20322\", \"assignerOrgId\": \"d1c1063e-7a18-46af-9102-31f8928bc633\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"cisco\", \"dateReserved\": \"2024-10-10T19:15:13.254Z\", \"datePublished\": \"2025-07-07T17:48:05.482Z\", \"dateUpdated\": \"2025-07-07T18:04:40.952Z\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

FKIE_CVE-2025-20322

Vulnerability from fkie_nvd - Published: 2025-07-07 18:15 - Updated: 2025-07-21 20:54

Severity ?

4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

Summary

References

	URL	Tags
	psirt@cisco.com	https://advisory.splunk.com/advisories/SVD-2025-0705	Vendor Advisory

Impacted products

Vendor	Product	Version
splunk	splunk	*
splunk	splunk	*
splunk	splunk	*
splunk	splunk	*
splunk	splunk_cloud_platform	*
splunk	splunk_cloud_platform	*
splunk	splunk_cloud_platform	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "F363265C-BE8B-4D9E-BCD7-52D75D4454BA",
              "versionEndExcluding": "9.1.10",
              "versionStartIncluding": "9.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "16D7B94B-6E57-4462-BDB1-884E3268967D",
              "versionEndExcluding": "9.2.7",
              "versionStartIncluding": "9.2.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "2AE238E0-742D-4595-8F72-C2D7256718EA",
              "versionEndExcluding": "9.3.5",
              "versionStartIncluding": "9.3.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "6E95070D-E7E2-40F7-8282-0964FC1664F4",
              "versionEndExcluding": "9.4.3",
              "versionStartIncluding": "9.4.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "6591B175-F288-4EE6-809A-A2E9B271EDC1",
              "versionEndExcluding": "9.2.2406.119",
              "versionStartIncluding": "9.2.2406",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "F337F0F2-005E-4181-98D3-28DAB3C36BE6",
              "versionEndExcluding": "9.3.2408.113",
              "versionStartIncluding": "9.3.2408",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "0450CB69-409C-4289-B210-CEB463C77C13",
              "versionEndExcluding": "9.3.2411.104",
              "versionStartIncluding": "9.3.2411",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7, and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.104, 9.3.2408.113, and 9.2.2406.119, an unauthenticated attacker could send a specially-crafted SPL search command that could trigger a rolling restart in the Search Head Cluster through a Cross-Site Request Forgery (CSRF), potentially leading to a denial of service (DoS).\u003cbr\u003e\u003cbr\u003eThe vulnerability requires the attacker to phish the administrator-level victim by tricking them into initiating a request within their browser. The attacker should not be able to exploit the vulnerability at will.\u003cbr\u003e\u003cbr\u003eSee [How rolling restart works](https://docs.splunk.com/Documentation/Splunk/9.4.2/DistSearch/RestartSHC) for more information."
    },
    {
      "lang": "es",
      "value": "En las versiones de Splunk Enterprise anteriores a 9.4.3, 9.3.5, 9.2.7 y 9.1.10, y Splunk Cloud Platform anteriores a 9.3.2411.104, 9.3.2408.113 y 9.2.2406.119, un atacante no autenticado podr\u00eda enviar un comando de b\u00fasqueda SPL especialmente manipulado que podr\u00eda desencadenar un reinicio progresivo en el cl\u00faster del cabezal de b\u00fasqueda a trav\u00e9s de un Cross-Site Request Forgery (CSRF), lo que podr\u00eda provocar una denegaci\u00f3n de servicio (DoS).\u003cbr\u003e\u003cbr\u003eLa vulnerabilidad requiere que el atacante suplante de identidad (phishing) a la v\u00edctima de nivel de administrador enga\u00f1\u00e1ndola para que inicie una solicitud dentro de su navegador. El atacante no deber\u00eda poder explotar la vulnerabilidad a voluntad.\u003cbr\u003e\u003cbr\u003eConsulte [C\u00f3mo funciona el reinicio continuo](https://docs.splunk.com/Documentation/Splunk/9.4.2/DistSearch/RestartSHC) para obtener m\u00e1s informaci\u00f3n."
    }
  ],
  "id": "CVE-2025-20322",
  "lastModified": "2025-07-21T20:54:57.743",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4,
        "source": "psirt@cisco.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2025-07-07T18:15:26.307",
  "references": [
    {
      "source": "psirt@cisco.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://advisory.splunk.com/advisories/SVD-2025-0705"
    }
  ],
  "sourceIdentifier": "psirt@cisco.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-352"
        }
      ],
      "source": "psirt@cisco.com",
      "type": "Secondary"
    }
  ]
}

CERTFR-2025-AVI-0563

Vulnerability from certfr_avis - Published: - Updated:

De multiples vulnérabilités ont été découvertes dans les produits Splunk. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et une atteinte à la confidentialité des données.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

Vendor	Product	Description
Splunk	Splunk Enterprise	Splunk Enterprise Cloud versions 9.3.2411.x antérieures à 9.3.2411.107
Splunk	SOAR	Splunk SOAR versions antérieures à 6.4.1
Splunk	Splunk Enterprise	Splunk Enterprise versions 9.4.x antérieures à 9.4.3
Splunk	Universal Forwarder	Splunk Universal Forwarder versions 9.2.x antérieures à 9.2.7
Splunk	Splunk Enterprise	Splunk Enterprise versions 9.3.x antérieures à 9.3.5
Splunk	Splunk DB Connect	Splunk DB Connect versions antérieures à 4.0.0
Splunk	Universal Forwarder	Splunk Universal Forwarder versions 9.3.x antérieures à 9.3.5
Splunk	Universal Forwarder	Splunk Universal Forwarder versions 9.4.x antérieures à 9.4.3
Splunk	Splunk Enterprise	Splunk Enterprise Cloud versions 9.3.2408.x antérieures à 9.3.2408.117
Splunk	Splunk Enterprise	Splunk Enterprise versions 9.1.x antérieures à 9.1.10
Splunk	Splunk Enterprise	Splunk Enterprise versions 9.2.x antérieures à 9.2.7
Splunk	Splunk Enterprise	Splunk Enterprise Cloud versions 9.2.2406.x antérieures à 9.2.2406.121
Splunk	Universal Forwarder	Splunk Universal Forwarder versions 9.1.x antérieures à 9.1.10

References

Title

Publication Time

Tags

Bulletin de sécurité Splunk SVD-2025-0708	2025-07-07	vendor-advisory
Bulletin de sécurité Splunk SVD-2025-0703	2025-07-07	vendor-advisory
Bulletin de sécurité Splunk SVD-2025-0701	2025-07-07	vendor-advisory
Bulletin de sécurité Splunk SVD-2025-0706	2025-07-07	vendor-advisory
Bulletin de sécurité Splunk SVD-2025-0705	2025-07-07	vendor-advisory
Bulletin de sécurité Splunk SVD-2025-0702	2025-07-07	vendor-advisory
Bulletin de sécurité Splunk SVD-2025-0712	2025-07-07	vendor-advisory
Bulletin de sécurité Splunk SVD-2025-0711	2025-07-07	vendor-advisory
Bulletin de sécurité Splunk SVD-2025-0707	2025-07-07	vendor-advisory
Bulletin de sécurité Splunk SVD-2025-0710	2025-07-07	vendor-advisory
Bulletin de sécurité Splunk SVD-2025-0709	2025-07-07	vendor-advisory
Bulletin de sécurité Splunk SVD-2025-0704	2025-07-07	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Splunk Enterprise Cloud versions 9.3.2411.x ant\u00e9rieures \u00e0 9.3.2411.107",
      "product": {
        "name": "Splunk Enterprise",
        "vendor": {
          "name": "Splunk",
          "scada": false
        }
      }
    },
    {
      "description": "Splunk SOAR versions ant\u00e9rieures \u00e0 6.4.1",
      "product": {
        "name": "SOAR",
        "vendor": {
          "name": "Splunk",
          "scada": false
        }
      }
    },
    {
      "description": "Splunk Enterprise versions 9.4.x ant\u00e9rieures \u00e0 9.4.3",
      "product": {
        "name": "Splunk Enterprise",
        "vendor": {
          "name": "Splunk",
          "scada": false
        }
      }
    },
    {
      "description": "Splunk Universal Forwarder versions 9.2.x ant\u00e9rieures \u00e0 9.2.7",
      "product": {
        "name": "Universal Forwarder",
        "vendor": {
          "name": "Splunk",
          "scada": false
        }
      }
    },
    {
      "description": "Splunk Enterprise versions 9.3.x ant\u00e9rieures \u00e0 9.3.5",
      "product": {
        "name": "Splunk Enterprise",
        "vendor": {
          "name": "Splunk",
          "scada": false
        }
      }
    },
    {
      "description": "Splunk DB Connect versions ant\u00e9rieures \u00e0 4.0.0",
      "product": {
        "name": "Splunk DB Connect",
        "vendor": {
          "name": "Splunk",
          "scada": false
        }
      }
    },
    {
      "description": "Splunk Universal Forwarder versions 9.3.x ant\u00e9rieures \u00e0 9.3.5",
      "product": {
        "name": "Universal Forwarder",
        "vendor": {
          "name": "Splunk",
          "scada": false
        }
      }
    },
    {
      "description": "Splunk Universal Forwarder versions 9.4.x ant\u00e9rieures \u00e0 9.4.3",
      "product": {
        "name": "Universal Forwarder",
        "vendor": {
          "name": "Splunk",
          "scada": false
        }
      }
    },
    {
      "description": "Splunk Enterprise Cloud versions 9.3.2408.x ant\u00e9rieures \u00e0 9.3.2408.117",
      "product": {
        "name": "Splunk Enterprise",
        "vendor": {
          "name": "Splunk",
          "scada": false
        }
      }
    },
    {
      "description": "Splunk Enterprise versions 9.1.x ant\u00e9rieures \u00e0 9.1.10",
      "product": {
        "name": "Splunk Enterprise",
        "vendor": {
          "name": "Splunk",
          "scada": false
        }
      }
    },
    {
      "description": "Splunk Enterprise versions 9.2.x ant\u00e9rieures \u00e0 9.2.7",
      "product": {
        "name": "Splunk Enterprise",
        "vendor": {
          "name": "Splunk",
          "scada": false
        }
      }
    },
    {
      "description": "Splunk Enterprise Cloud versions 9.2.2406.x ant\u00e9rieures \u00e0 9.2.2406.121",
      "product": {
        "name": "Splunk Enterprise",
        "vendor": {
          "name": "Splunk",
          "scada": false
        }
      }
    },
    {
      "description": "Splunk Universal Forwarder versions 9.1.x ant\u00e9rieures \u00e0 9.1.10",
      "product": {
        "name": "Universal Forwarder",
        "vendor": {
          "name": "Splunk",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "",
  "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
  "cves": [
    {
      "name": "CVE-2024-9681",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-9681"
    },
    {
      "name": "CVE-2022-30187",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-30187"
    },
    {
      "name": "CVE-2024-12797",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-12797"
    },
    {
      "name": "CVE-2024-2466",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-2466"
    },
    {
      "name": "CVE-2025-27414",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-27414"
    },
    {
      "name": "CVE-2025-20324",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-20324"
    },
    {
      "name": "CVE-2025-23388",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-23388"
    },
    {
      "name": "CVE-2024-13176",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-13176"
    },
    {
      "name": "CVE-2025-20319",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-20319"
    },
    {
      "name": "CVE-2024-29857",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-29857"
    },
    {
      "name": "CVE-2023-5363",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-5363"
    },
    {
      "name": "CVE-2020-28458",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-28458"
    },
    {
      "name": "CVE-2025-20321",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-20321"
    },
    {
      "name": "CVE-2024-45338",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-45338"
    },
    {
      "name": "CVE-2025-20325",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-20325"
    },
    {
      "name": "CVE-2024-11053",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-11053"
    },
    {
      "name": "CVE-2025-23387",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-23387"
    },
    {
      "name": "CVE-2024-7264",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-7264"
    },
    {
      "name": "CVE-2021-23445",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-23445"
    },
    {
      "name": "CVE-2024-48949",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-48949"
    },
    {
      "name": "CVE-2025-23389",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-23389"
    },
    {
      "name": "CVE-2024-21538",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-21538"
    },
    {
      "name": "CVE-2022-35583",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-35583"
    },
    {
      "name": "CVE-2025-22868",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-22868"
    },
    {
      "name": "CVE-2024-52804",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-52804"
    },
    {
      "name": "CVE-2025-20300",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-20300"
    },
    {
      "name": "CVE-2024-45801",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-45801"
    },
    {
      "name": "CVE-2024-45337",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-45337"
    },
    {
      "name": "CVE-2025-20323",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-20323"
    },
    {
      "name": "CVE-2024-9143",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-9143"
    },
    {
      "name": "CVE-2024-38999",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-38999"
    },
    {
      "name": "CVE-2025-20320",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-20320"
    },
    {
      "name": "CVE-2024-2398",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-2398"
    },
    {
      "name": "CVE-2024-45230",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-45230"
    },
    {
      "name": "CVE-2024-49767",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-49767"
    },
    {
      "name": "CVE-2024-47875",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-47875"
    },
    {
      "name": "CVE-2025-20322",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-20322"
    },
    {
      "name": "CVE-2024-21272",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-21272"
    },
    {
      "name": "CVE-2025-22869",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-22869"
    },
    {
      "name": "CVE-2024-8096",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-8096"
    },
    {
      "name": "CVE-2025-22870",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-22870"
    },
    {
      "name": "CVE-2024-39338",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-39338"
    },
    {
      "name": "CVE-2024-21090",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-21090"
    },
    {
      "name": "CVE-2013-7489",
      "url": "https://www.cve.org/CVERecord?id=CVE-2013-7489"
    },
    {
      "name": "CVE-2025-27789",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-27789"
    },
    {
      "name": "CVE-2025-0725",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-0725"
    },
    {
      "name": "CVE-2024-34064",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-34064"
    },
    {
      "name": "CVE-2024-52616",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-52616"
    },
    {
      "name": "CVE-2024-0853",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-0853"
    },
    {
      "name": "CVE-2025-22952",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-22952"
    },
    {
      "name": "CVE-2024-32002",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-32002"
    },
    {
      "name": "CVE-2025-0167",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-0167"
    },
    {
      "name": "CVE-2024-6345",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-6345"
    }
  ],
  "links": [],
  "reference": "CERTFR-2025-AVI-0563",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2025-07-08T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Injection de requ\u00eates ill\u00e9gitimes par rebond (CSRF)"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits Splunk. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de service \u00e0 distance et une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Splunk",
  "vendor_advisories": [
    {
      "published_at": "2025-07-07",
      "title": "Bulletin de s\u00e9curit\u00e9 Splunk SVD-2025-0708",
      "url": "https://advisory.splunk.com/advisories/SVD-2025-0708"
    },
    {
      "published_at": "2025-07-07",
      "title": "Bulletin de s\u00e9curit\u00e9 Splunk SVD-2025-0703",
      "url": "https://advisory.splunk.com/advisories/SVD-2025-0703"
    },
    {
      "published_at": "2025-07-07",
      "title": "Bulletin de s\u00e9curit\u00e9 Splunk SVD-2025-0701",
      "url": "https://advisory.splunk.com/advisories/SVD-2025-0701"
    },
    {
      "published_at": "2025-07-07",
      "title": "Bulletin de s\u00e9curit\u00e9 Splunk SVD-2025-0706",
      "url": "https://advisory.splunk.com/advisories/SVD-2025-0706"
    },
    {
      "published_at": "2025-07-07",
      "title": "Bulletin de s\u00e9curit\u00e9 Splunk SVD-2025-0705",
      "url": "https://advisory.splunk.com/advisories/SVD-2025-0705"
    },
    {
      "published_at": "2025-07-07",
      "title": "Bulletin de s\u00e9curit\u00e9 Splunk SVD-2025-0702",
      "url": "https://advisory.splunk.com/advisories/SVD-2025-0702"
    },
    {
      "published_at": "2025-07-07",
      "title": "Bulletin de s\u00e9curit\u00e9 Splunk SVD-2025-0712",
      "url": "https://advisory.splunk.com/advisories/SVD-2025-0712"
    },
    {
      "published_at": "2025-07-07",
      "title": "Bulletin de s\u00e9curit\u00e9 Splunk SVD-2025-0711",
      "url": "https://advisory.splunk.com/advisories/SVD-2025-0711"
    },
    {
      "published_at": "2025-07-07",
      "title": "Bulletin de s\u00e9curit\u00e9 Splunk SVD-2025-0707",
      "url": "https://advisory.splunk.com/advisories/SVD-2025-0707"
    },
    {
      "published_at": "2025-07-07",
      "title": "Bulletin de s\u00e9curit\u00e9 Splunk SVD-2025-0710",
      "url": "https://advisory.splunk.com/advisories/SVD-2025-0710"
    },
    {
      "published_at": "2025-07-07",
      "title": "Bulletin de s\u00e9curit\u00e9 Splunk SVD-2025-0709",
      "url": "https://advisory.splunk.com/advisories/SVD-2025-0709"
    },
    {
      "published_at": "2025-07-07",
      "title": "Bulletin de s\u00e9curit\u00e9 Splunk SVD-2025-0704",
      "url": "https://advisory.splunk.com/advisories/SVD-2025-0704"
    }
  ]
}

CERTFR-2025-AVI-0563

Vulnerability from certfr_avis - Published: - Updated:

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

Vendor	Product	Description
Splunk	Splunk Enterprise	Splunk Enterprise Cloud versions 9.3.2411.x antérieures à 9.3.2411.107
Splunk	SOAR	Splunk SOAR versions antérieures à 6.4.1
Splunk	Splunk Enterprise	Splunk Enterprise versions 9.4.x antérieures à 9.4.3
Splunk	Universal Forwarder	Splunk Universal Forwarder versions 9.2.x antérieures à 9.2.7
Splunk	Splunk Enterprise	Splunk Enterprise versions 9.3.x antérieures à 9.3.5
Splunk	Splunk DB Connect	Splunk DB Connect versions antérieures à 4.0.0
Splunk	Universal Forwarder	Splunk Universal Forwarder versions 9.3.x antérieures à 9.3.5
Splunk	Universal Forwarder	Splunk Universal Forwarder versions 9.4.x antérieures à 9.4.3
Splunk	Splunk Enterprise	Splunk Enterprise Cloud versions 9.3.2408.x antérieures à 9.3.2408.117
Splunk	Splunk Enterprise	Splunk Enterprise versions 9.1.x antérieures à 9.1.10
Splunk	Splunk Enterprise	Splunk Enterprise versions 9.2.x antérieures à 9.2.7
Splunk	Splunk Enterprise	Splunk Enterprise Cloud versions 9.2.2406.x antérieures à 9.2.2406.121
Splunk	Universal Forwarder	Splunk Universal Forwarder versions 9.1.x antérieures à 9.1.10

References

Title

Publication Time

Tags

Bulletin de sécurité Splunk SVD-2025-0708	2025-07-07	vendor-advisory
Bulletin de sécurité Splunk SVD-2025-0703	2025-07-07	vendor-advisory
Bulletin de sécurité Splunk SVD-2025-0701	2025-07-07	vendor-advisory
Bulletin de sécurité Splunk SVD-2025-0706	2025-07-07	vendor-advisory
Bulletin de sécurité Splunk SVD-2025-0705	2025-07-07	vendor-advisory
Bulletin de sécurité Splunk SVD-2025-0702	2025-07-07	vendor-advisory
Bulletin de sécurité Splunk SVD-2025-0712	2025-07-07	vendor-advisory
Bulletin de sécurité Splunk SVD-2025-0711	2025-07-07	vendor-advisory
Bulletin de sécurité Splunk SVD-2025-0707	2025-07-07	vendor-advisory
Bulletin de sécurité Splunk SVD-2025-0710	2025-07-07	vendor-advisory
Bulletin de sécurité Splunk SVD-2025-0709	2025-07-07	vendor-advisory
Bulletin de sécurité Splunk SVD-2025-0704	2025-07-07	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Splunk Enterprise Cloud versions 9.3.2411.x ant\u00e9rieures \u00e0 9.3.2411.107",
      "product": {
        "name": "Splunk Enterprise",
        "vendor": {
          "name": "Splunk",
          "scada": false
        }
      }
    },
    {
      "description": "Splunk SOAR versions ant\u00e9rieures \u00e0 6.4.1",
      "product": {
        "name": "SOAR",
        "vendor": {
          "name": "Splunk",
          "scada": false
        }
      }
    },
    {
      "description": "Splunk Enterprise versions 9.4.x ant\u00e9rieures \u00e0 9.4.3",
      "product": {
        "name": "Splunk Enterprise",
        "vendor": {
          "name": "Splunk",
          "scada": false
        }
      }
    },
    {
      "description": "Splunk Universal Forwarder versions 9.2.x ant\u00e9rieures \u00e0 9.2.7",
      "product": {
        "name": "Universal Forwarder",
        "vendor": {
          "name": "Splunk",
          "scada": false
        }
      }
    },
    {
      "description": "Splunk Enterprise versions 9.3.x ant\u00e9rieures \u00e0 9.3.5",
      "product": {
        "name": "Splunk Enterprise",
        "vendor": {
          "name": "Splunk",
          "scada": false
        }
      }
    },
    {
      "description": "Splunk DB Connect versions ant\u00e9rieures \u00e0 4.0.0",
      "product": {
        "name": "Splunk DB Connect",
        "vendor": {
          "name": "Splunk",
          "scada": false
        }
      }
    },
    {
      "description": "Splunk Universal Forwarder versions 9.3.x ant\u00e9rieures \u00e0 9.3.5",
      "product": {
        "name": "Universal Forwarder",
        "vendor": {
          "name": "Splunk",
          "scada": false
        }
      }
    },
    {
      "description": "Splunk Universal Forwarder versions 9.4.x ant\u00e9rieures \u00e0 9.4.3",
      "product": {
        "name": "Universal Forwarder",
        "vendor": {
          "name": "Splunk",
          "scada": false
        }
      }
    },
    {
      "description": "Splunk Enterprise Cloud versions 9.3.2408.x ant\u00e9rieures \u00e0 9.3.2408.117",
      "product": {
        "name": "Splunk Enterprise",
        "vendor": {
          "name": "Splunk",
          "scada": false
        }
      }
    },
    {
      "description": "Splunk Enterprise versions 9.1.x ant\u00e9rieures \u00e0 9.1.10",
      "product": {
        "name": "Splunk Enterprise",
        "vendor": {
          "name": "Splunk",
          "scada": false
        }
      }
    },
    {
      "description": "Splunk Enterprise versions 9.2.x ant\u00e9rieures \u00e0 9.2.7",
      "product": {
        "name": "Splunk Enterprise",
        "vendor": {
          "name": "Splunk",
          "scada": false
        }
      }
    },
    {
      "description": "Splunk Enterprise Cloud versions 9.2.2406.x ant\u00e9rieures \u00e0 9.2.2406.121",
      "product": {
        "name": "Splunk Enterprise",
        "vendor": {
          "name": "Splunk",
          "scada": false
        }
      }
    },
    {
      "description": "Splunk Universal Forwarder versions 9.1.x ant\u00e9rieures \u00e0 9.1.10",
      "product": {
        "name": "Universal Forwarder",
        "vendor": {
          "name": "Splunk",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "",
  "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
  "cves": [
    {
      "name": "CVE-2024-9681",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-9681"
    },
    {
      "name": "CVE-2022-30187",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-30187"
    },
    {
      "name": "CVE-2024-12797",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-12797"
    },
    {
      "name": "CVE-2024-2466",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-2466"
    },
    {
      "name": "CVE-2025-27414",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-27414"
    },
    {
      "name": "CVE-2025-20324",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-20324"
    },
    {
      "name": "CVE-2025-23388",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-23388"
    },
    {
      "name": "CVE-2024-13176",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-13176"
    },
    {
      "name": "CVE-2025-20319",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-20319"
    },
    {
      "name": "CVE-2024-29857",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-29857"
    },
    {
      "name": "CVE-2023-5363",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-5363"
    },
    {
      "name": "CVE-2020-28458",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-28458"
    },
    {
      "name": "CVE-2025-20321",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-20321"
    },
    {
      "name": "CVE-2024-45338",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-45338"
    },
    {
      "name": "CVE-2025-20325",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-20325"
    },
    {
      "name": "CVE-2024-11053",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-11053"
    },
    {
      "name": "CVE-2025-23387",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-23387"
    },
    {
      "name": "CVE-2024-7264",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-7264"
    },
    {
      "name": "CVE-2021-23445",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-23445"
    },
    {
      "name": "CVE-2024-48949",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-48949"
    },
    {
      "name": "CVE-2025-23389",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-23389"
    },
    {
      "name": "CVE-2024-21538",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-21538"
    },
    {
      "name": "CVE-2022-35583",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-35583"
    },
    {
      "name": "CVE-2025-22868",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-22868"
    },
    {
      "name": "CVE-2024-52804",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-52804"
    },
    {
      "name": "CVE-2025-20300",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-20300"
    },
    {
      "name": "CVE-2024-45801",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-45801"
    },
    {
      "name": "CVE-2024-45337",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-45337"
    },
    {
      "name": "CVE-2025-20323",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-20323"
    },
    {
      "name": "CVE-2024-9143",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-9143"
    },
    {
      "name": "CVE-2024-38999",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-38999"
    },
    {
      "name": "CVE-2025-20320",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-20320"
    },
    {
      "name": "CVE-2024-2398",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-2398"
    },
    {
      "name": "CVE-2024-45230",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-45230"
    },
    {
      "name": "CVE-2024-49767",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-49767"
    },
    {
      "name": "CVE-2024-47875",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-47875"
    },
    {
      "name": "CVE-2025-20322",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-20322"
    },
    {
      "name": "CVE-2024-21272",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-21272"
    },
    {
      "name": "CVE-2025-22869",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-22869"
    },
    {
      "name": "CVE-2024-8096",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-8096"
    },
    {
      "name": "CVE-2025-22870",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-22870"
    },
    {
      "name": "CVE-2024-39338",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-39338"
    },
    {
      "name": "CVE-2024-21090",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-21090"
    },
    {
      "name": "CVE-2013-7489",
      "url": "https://www.cve.org/CVERecord?id=CVE-2013-7489"
    },
    {
      "name": "CVE-2025-27789",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-27789"
    },
    {
      "name": "CVE-2025-0725",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-0725"
    },
    {
      "name": "CVE-2024-34064",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-34064"
    },
    {
      "name": "CVE-2024-52616",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-52616"
    },
    {
      "name": "CVE-2024-0853",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-0853"
    },
    {
      "name": "CVE-2025-22952",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-22952"
    },
    {
      "name": "CVE-2024-32002",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-32002"
    },
    {
      "name": "CVE-2025-0167",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-0167"
    },
    {
      "name": "CVE-2024-6345",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-6345"
    }
  ],
  "links": [],
  "reference": "CERTFR-2025-AVI-0563",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2025-07-08T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Injection de requ\u00eates ill\u00e9gitimes par rebond (CSRF)"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits Splunk. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de service \u00e0 distance et une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Splunk",
  "vendor_advisories": [
    {
      "published_at": "2025-07-07",
      "title": "Bulletin de s\u00e9curit\u00e9 Splunk SVD-2025-0708",
      "url": "https://advisory.splunk.com/advisories/SVD-2025-0708"
    },
    {
      "published_at": "2025-07-07",
      "title": "Bulletin de s\u00e9curit\u00e9 Splunk SVD-2025-0703",
      "url": "https://advisory.splunk.com/advisories/SVD-2025-0703"
    },
    {
      "published_at": "2025-07-07",
      "title": "Bulletin de s\u00e9curit\u00e9 Splunk SVD-2025-0701",
      "url": "https://advisory.splunk.com/advisories/SVD-2025-0701"
    },
    {
      "published_at": "2025-07-07",
      "title": "Bulletin de s\u00e9curit\u00e9 Splunk SVD-2025-0706",
      "url": "https://advisory.splunk.com/advisories/SVD-2025-0706"
    },
    {
      "published_at": "2025-07-07",
      "title": "Bulletin de s\u00e9curit\u00e9 Splunk SVD-2025-0705",
      "url": "https://advisory.splunk.com/advisories/SVD-2025-0705"
    },
    {
      "published_at": "2025-07-07",
      "title": "Bulletin de s\u00e9curit\u00e9 Splunk SVD-2025-0702",
      "url": "https://advisory.splunk.com/advisories/SVD-2025-0702"
    },
    {
      "published_at": "2025-07-07",
      "title": "Bulletin de s\u00e9curit\u00e9 Splunk SVD-2025-0712",
      "url": "https://advisory.splunk.com/advisories/SVD-2025-0712"
    },
    {
      "published_at": "2025-07-07",
      "title": "Bulletin de s\u00e9curit\u00e9 Splunk SVD-2025-0711",
      "url": "https://advisory.splunk.com/advisories/SVD-2025-0711"
    },
    {
      "published_at": "2025-07-07",
      "title": "Bulletin de s\u00e9curit\u00e9 Splunk SVD-2025-0707",
      "url": "https://advisory.splunk.com/advisories/SVD-2025-0707"
    },
    {
      "published_at": "2025-07-07",
      "title": "Bulletin de s\u00e9curit\u00e9 Splunk SVD-2025-0710",
      "url": "https://advisory.splunk.com/advisories/SVD-2025-0710"
    },
    {
      "published_at": "2025-07-07",
      "title": "Bulletin de s\u00e9curit\u00e9 Splunk SVD-2025-0709",
      "url": "https://advisory.splunk.com/advisories/SVD-2025-0709"
    },
    {
      "published_at": "2025-07-07",
      "title": "Bulletin de s\u00e9curit\u00e9 Splunk SVD-2025-0704",
      "url": "https://advisory.splunk.com/advisories/SVD-2025-0704"
    }
  ]
}

NCSC-2025-0212

Vulnerability from csaf_ncscnl - Published: 2025-07-08 12:03 - Updated: 2025-07-08 12:03

Summary

Kwetsbaarheden verholpen in Splunk Enterprise en Splunk Cloud Platform

Notes

The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions: NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein. NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory. This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings.

Feiten

Splunk heeft kwetsbaarheden verholpen in Splunk Enterprise en Splunk Cloud Platform.

Interpretaties

De kwetsbaarheden in Splunk Enterprise en Splunk Cloud Platform stellen zowel low-privileged als high-privileged gebruikers in staat om ongeautoriseerde acties uit te voeren, zoals het onderdrukken van waarschuwingen, het uitvoeren van externe commando's, en het veroorzaken van een denial-of-service. Daarnaast kunnen ongeauthenticeerde aanvallers kwetsbaarheden misbruiken om wijzigingen aan te brengen in de lidmaatschapsconfiguraties van een Splunk Search Head Cluster of om gevoelige informatie bloot te stellen. De exploitatie van deze kwetsbaarheden vereist vaak sociale-engineeringtechnieken, wat de noodzaak van waakzaamheid onder gebruikers benadrukt.

Oplossingen

Splunk heeft updates uitgebracht om de kwetsbaarheden te verhelpen. Zie bijgevoegde referenties voor meer informatie.

Kans

medium

Schade

high

CWE-35

Path Traversal: '.../...//'

CWE-352

Cross-Site Request Forgery (CSRF)

CWE-284

Improper Access Control

CWE-863

Incorrect Authorization

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

JSON

To clipboard

{
  "document": {
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE"
      }
    },
    "lang": "nl",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:\n\n    NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.\n\n    NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.\n    This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
      },
      {
        "category": "description",
        "text": "Splunk heeft kwetsbaarheden verholpen in Splunk Enterprise en Splunk Cloud Platform.",
        "title": "Feiten"
      },
      {
        "category": "description",
        "text": "De kwetsbaarheden in Splunk Enterprise en Splunk Cloud Platform stellen zowel low-privileged als high-privileged gebruikers in staat om ongeautoriseerde acties uit te voeren, zoals het onderdrukken van waarschuwingen, het uitvoeren van externe commando\u0027s, en het veroorzaken van een denial-of-service. Daarnaast kunnen ongeauthenticeerde aanvallers kwetsbaarheden misbruiken om wijzigingen aan te brengen in de lidmaatschapsconfiguraties van een Splunk Search Head Cluster of om gevoelige informatie bloot te stellen. De exploitatie van deze kwetsbaarheden vereist vaak sociale-engineeringtechnieken, wat de noodzaak van waakzaamheid onder gebruikers benadrukt.",
        "title": "Interpretaties"
      },
      {
        "category": "description",
        "text": "Splunk heeft updates uitgebracht om de kwetsbaarheden te verhelpen. Zie bijgevoegde referenties voor meer informatie.",
        "title": "Oplossingen"
      },
      {
        "category": "general",
        "text": "medium",
        "title": "Kans"
      },
      {
        "category": "general",
        "text": "high",
        "title": "Schade"
      },
      {
        "category": "general",
        "text": "Path Traversal: \u0027.../...//\u0027",
        "title": "CWE-35"
      },
      {
        "category": "general",
        "text": "Cross-Site Request Forgery (CSRF)",
        "title": "CWE-352"
      },
      {
        "category": "general",
        "text": "Improper Access Control",
        "title": "CWE-284"
      },
      {
        "category": "general",
        "text": "Incorrect Authorization",
        "title": "CWE-863"
      },
      {
        "category": "general",
        "text": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
        "title": "CWE-78"
      },
      {
        "category": "general",
        "text": "Exposure of Sensitive Information to an Unauthorized Actor",
        "title": "CWE-200"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "cert@ncsc.nl",
      "name": "Nationaal Cyber Security Centrum",
      "namespace": "https://www.ncsc.nl/"
    },
    "references": [
      {
        "category": "external",
        "summary": "Reference - certbundde",
        "url": "https://advisory.splunk.com//advisories/SVD-2025-0702"
      },
      {
        "category": "external",
        "summary": "Reference - certbundde",
        "url": "https://advisory.splunk.com//advisories/SVD-2025-0703"
      },
      {
        "category": "external",
        "summary": "Reference - certbundde",
        "url": "https://advisory.splunk.com//advisories/SVD-2025-0704"
      },
      {
        "category": "external",
        "summary": "Reference - certbundde",
        "url": "https://advisory.splunk.com//advisories/SVD-2025-0705"
      },
      {
        "category": "external",
        "summary": "Reference - certbundde",
        "url": "https://advisory.splunk.com//advisories/SVD-2025-0706"
      },
      {
        "category": "external",
        "summary": "Reference - certbundde",
        "url": "https://advisory.splunk.com//advisories/SVD-2025-0707"
      },
      {
        "category": "external",
        "summary": "Reference - certbundde",
        "url": "https://advisory.splunk.com//advisories/SVD-2025-0708"
      },
      {
        "category": "external",
        "summary": "Reference - certbundde",
        "url": "https://advisory.splunk.com//advisories/SVD-2025-0709"
      }
    ],
    "title": "Kwetsbaarheden verholpen in Splunk Enterprise en Splunk Cloud Platform",
    "tracking": {
      "current_release_date": "2025-07-08T12:03:17.100858Z",
      "generator": {
        "date": "2025-06-05T14:45:00Z",
        "engine": {
          "name": "V.A.",
          "version": "1.1"
        }
      },
      "id": "NCSC-2025-0212",
      "initial_release_date": "2025-07-08T12:03:17.100858Z",
      "revision_history": [
        {
          "date": "2025-07-08T12:03:17.100858Z",
          "number": "1.0.0",
          "summary": "Initiele versie"
        }
      ],
      "status": "final",
      "version": "1.0.0"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/cloud \u003c9.2.2406.121",
                "product": {
                  "name": "vers:unknown/cloud \u003c9.2.2406.121",
                  "product_id": "CSAFPID-2962768"
                }
              },
              {
                "category": "product_version_range",
                "name": "vers:unknown/cloud \u003c9.3.2408.117",
                "product": {
                  "name": "vers:unknown/cloud \u003c9.3.2408.117",
                  "product_id": "CSAFPID-2962769"
                }
              },
              {
                "category": "product_version_range",
                "name": "vers:unknown/cloud \u003c9.3.2411.107",
                "product": {
                  "name": "vers:unknown/cloud \u003c9.3.2411.107",
                  "product_id": "CSAFPID-2962767"
                }
              },
              {
                "category": "product_version_range",
                "name": "vers:unknown/9.1|\u003c9.1.10",
                "product": {
                  "name": "vers:unknown/9.1|\u003c9.1.10",
                  "product_id": "CSAFPID-2960648"
                }
              },
              {
                "category": "product_version_range",
                "name": "vers:unknown/9.2|\u003c9.2.7",
                "product": {
                  "name": "vers:unknown/9.2|\u003c9.2.7",
                  "product_id": "CSAFPID-2960647"
                }
              },
              {
                "category": "product_version_range",
                "name": "vers:unknown/9.3|\u003c9.3.5",
                "product": {
                  "name": "vers:unknown/9.3|\u003c9.3.5",
                  "product_id": "CSAFPID-2960646"
                }
              },
              {
                "category": "product_version_range",
                "name": "vers:unknown/9.4|\u003c9.4.3",
                "product": {
                  "name": "vers:unknown/9.4|\u003c9.4.3",
                  "product_id": "CSAFPID-2960645"
                }
              }
            ],
            "category": "product_name",
            "name": "Splunk Enterprise"
          }
        ],
        "category": "vendor",
        "name": "Splunk"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-20300",
      "cwe": {
        "id": "CWE-863",
        "name": "Incorrect Authorization"
      },
      "notes": [
        {
          "category": "other",
          "text": "Incorrect Authorization",
          "title": "CWE-863"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-2962768",
          "CSAFPID-2962769",
          "CSAFPID-2962767",
          "CSAFPID-2960648",
          "CSAFPID-2960647",
          "CSAFPID-2960646",
          "CSAFPID-2960645"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-20300 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-20300.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-2962768",
            "CSAFPID-2962769",
            "CSAFPID-2962767",
            "CSAFPID-2960648",
            "CSAFPID-2960647",
            "CSAFPID-2960646",
            "CSAFPID-2960645"
          ]
        }
      ],
      "title": "CVE-2025-20300"
    },
    {
      "cve": "CVE-2025-20319",
      "cwe": {
        "id": "CWE-78",
        "name": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
          "title": "CWE-78"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-2962768",
          "CSAFPID-2962769",
          "CSAFPID-2962767",
          "CSAFPID-2960648",
          "CSAFPID-2960647",
          "CSAFPID-2960646",
          "CSAFPID-2960645"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-20319 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-20319.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-2962768",
            "CSAFPID-2962769",
            "CSAFPID-2962767",
            "CSAFPID-2960648",
            "CSAFPID-2960647",
            "CSAFPID-2960646",
            "CSAFPID-2960645"
          ]
        }
      ],
      "title": "CVE-2025-20319"
    },
    {
      "cve": "CVE-2025-20320",
      "cwe": {
        "id": "CWE-35",
        "name": "Path Traversal: \u0027.../...//\u0027"
      },
      "notes": [
        {
          "category": "other",
          "text": "Path Traversal: \u0027.../...//\u0027",
          "title": "CWE-35"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-2962768",
          "CSAFPID-2962769",
          "CSAFPID-2962767",
          "CSAFPID-2960648",
          "CSAFPID-2960647",
          "CSAFPID-2960646",
          "CSAFPID-2960645"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-20320 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-20320.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-2962768",
            "CSAFPID-2962769",
            "CSAFPID-2962767",
            "CSAFPID-2960648",
            "CSAFPID-2960647",
            "CSAFPID-2960646",
            "CSAFPID-2960645"
          ]
        }
      ],
      "title": "CVE-2025-20320"
    },
    {
      "cve": "CVE-2025-20321",
      "cwe": {
        "id": "CWE-352",
        "name": "Cross-Site Request Forgery (CSRF)"
      },
      "notes": [
        {
          "category": "other",
          "text": "Cross-Site Request Forgery (CSRF)",
          "title": "CWE-352"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-2962768",
          "CSAFPID-2962769",
          "CSAFPID-2962767",
          "CSAFPID-2960648",
          "CSAFPID-2960647",
          "CSAFPID-2960646",
          "CSAFPID-2960645"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-20321 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-20321.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-2962768",
            "CSAFPID-2962769",
            "CSAFPID-2962767",
            "CSAFPID-2960648",
            "CSAFPID-2960647",
            "CSAFPID-2960646",
            "CSAFPID-2960645"
          ]
        }
      ],
      "title": "CVE-2025-20321"
    },
    {
      "cve": "CVE-2025-20322",
      "cwe": {
        "id": "CWE-352",
        "name": "Cross-Site Request Forgery (CSRF)"
      },
      "notes": [
        {
          "category": "other",
          "text": "Cross-Site Request Forgery (CSRF)",
          "title": "CWE-352"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-2962768",
          "CSAFPID-2962769",
          "CSAFPID-2962767",
          "CSAFPID-2960648",
          "CSAFPID-2960647",
          "CSAFPID-2960646",
          "CSAFPID-2960645"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-20322 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-20322.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-2962768",
            "CSAFPID-2962769",
            "CSAFPID-2962767",
            "CSAFPID-2960648",
            "CSAFPID-2960647",
            "CSAFPID-2960646",
            "CSAFPID-2960645"
          ]
        }
      ],
      "title": "CVE-2025-20322"
    },
    {
      "cve": "CVE-2025-20323",
      "cwe": {
        "id": "CWE-284",
        "name": "Improper Access Control"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Access Control",
          "title": "CWE-284"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-2962768",
          "CSAFPID-2962769",
          "CSAFPID-2962767",
          "CSAFPID-2960648",
          "CSAFPID-2960647",
          "CSAFPID-2960646",
          "CSAFPID-2960645"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-20323 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-20323.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-2962768",
            "CSAFPID-2962769",
            "CSAFPID-2962767",
            "CSAFPID-2960648",
            "CSAFPID-2960647",
            "CSAFPID-2960646",
            "CSAFPID-2960645"
          ]
        }
      ],
      "title": "CVE-2025-20323"
    },
    {
      "cve": "CVE-2025-20324",
      "cwe": {
        "id": "CWE-284",
        "name": "Improper Access Control"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Access Control",
          "title": "CWE-284"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-2962768",
          "CSAFPID-2962769",
          "CSAFPID-2962767",
          "CSAFPID-2960648",
          "CSAFPID-2960647",
          "CSAFPID-2960646",
          "CSAFPID-2960645"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-20324 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-20324.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-2962768",
            "CSAFPID-2962769",
            "CSAFPID-2962767",
            "CSAFPID-2960648",
            "CSAFPID-2960647",
            "CSAFPID-2960646",
            "CSAFPID-2960645"
          ]
        }
      ],
      "title": "CVE-2025-20324"
    },
    {
      "cve": "CVE-2025-20325",
      "cwe": {
        "id": "CWE-200",
        "name": "Exposure of Sensitive Information to an Unauthorized Actor"
      },
      "notes": [
        {
          "category": "other",
          "text": "Exposure of Sensitive Information to an Unauthorized Actor",
          "title": "CWE-200"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-2962768",
          "CSAFPID-2962769",
          "CSAFPID-2962767",
          "CSAFPID-2960648",
          "CSAFPID-2960647",
          "CSAFPID-2960646",
          "CSAFPID-2960645"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-20325 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-20325.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 3.1,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-2962768",
            "CSAFPID-2962769",
            "CSAFPID-2962767",
            "CSAFPID-2960648",
            "CSAFPID-2960647",
            "CSAFPID-2960646",
            "CSAFPID-2960645"
          ]
        }
      ],
      "title": "CVE-2025-20325"
    }
  ]
}

GHSA-934H-HVXG-J69V

Vulnerability from github – Published: 2025-07-07 18:32 – Updated: 2025-07-07 18:32

Details

In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7, and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.104, 9.3.2408.113, and 9.2.2406.119, an unauthenticated attacker could send a specially-crafted SPL search command that could trigger a rolling restart in the Search Head Cluster through a Cross-Site Request Forgery (CSRF), potentially leading to a denial of service (DoS).

The vulnerability requires the attacker to phish the administrator-level victim by tricking them into initiating a request within their browser. The attacker should not be able to exploit the vulnerability at will.

See How rolling restart works for more information.

Severity ?

4.3 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2025-20322"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-352"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-07T18:15:26Z",
    "severity": "MODERATE"
  },
  "details": "In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7, and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.104, 9.3.2408.113, and 9.2.2406.119, an unauthenticated attacker could send a specially-crafted SPL search command that could trigger a rolling restart in the Search Head Cluster through a Cross-Site Request Forgery (CSRF), potentially leading to a denial of service (DoS).\u003cbr\u003e\u003cbr\u003eThe vulnerability requires the attacker to phish the administrator-level victim by tricking them into initiating a request within their browser. The attacker should not be able to exploit the vulnerability at will.\u003cbr\u003e\u003cbr\u003eSee [How rolling restart works](https://docs.splunk.com/Documentation/Splunk/9.4.2/DistSearch/RestartSHC) for more information.",
  "id": "GHSA-934h-hvxg-j69v",
  "modified": "2025-07-07T18:32:28Z",
  "published": "2025-07-07T18:32:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-20322"
    },
    {
      "type": "WEB",
      "url": "https://advisory.splunk.com/advisories/SVD-2025-0705"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-20322 (GCVE-0-2025-20322)

FKIE_CVE-2025-20322

CERTFR-2025-AVI-0563

Solutions

CERTFR-2025-AVI-0563

Solutions

NCSC-2025-0212

GHSA-934H-HVXG-J69V

Tags

Sightings

Nomenclature