csaf_certbund - wid-sec-w-2025-1473

https://advisory.splunk.com/advisories/SVD-2025-0704

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Splunk Enterprise erm\u00f6glicht Monitoring und Analyse von Clickstream-Daten und Kundentransaktionen.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein Angreifer kann mehrere Schwachstellen in Splunk Enterprise und Cloud Platform ausnutzen, um Dateien zu manipulieren, beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand zu verursachen und vertrauliche Informationen offenzulegen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Sonstiges\n- UNIX\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2025-1473 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-1473.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2025-1473 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-1473"
      },
      {
        "category": "external",
        "summary": "Splunk Security Advisory vom 2025-07-07",
        "url": "https://advisory.splunk.com//advisories/SVD-2025-0702"
      },
      {
        "category": "external",
        "summary": "Splunk Security Advisory vom 2025-07-07",
        "url": "https://advisory.splunk.com//advisories/SVD-2025-0703"
      },
      {
        "category": "external",
        "summary": "Splunk Security Advisory vom 2025-07-07",
        "url": "https://advisory.splunk.com//advisories/SVD-2025-0704"
      },
      {
        "category": "external",
        "summary": "Splunk Security Advisory vom 2025-07-07",
        "url": "https://advisory.splunk.com//advisories/SVD-2025-0705"
      },
      {
        "category": "external",
        "summary": "Splunk Security Advisory vom 2025-07-07",
        "url": "https://advisory.splunk.com//advisories/SVD-2025-0706"
      },
      {
        "category": "external",
        "summary": "Splunk Security Advisory vom 2025-07-07",
        "url": "https://advisory.splunk.com//advisories/SVD-2025-0707"
      },
      {
        "category": "external",
        "summary": "Splunk Security Advisory vom 2025-07-07",
        "url": "https://advisory.splunk.com//advisories/SVD-2025-0708"
      },
      {
        "category": "external",
        "summary": "Splunk Security Advisory vom 2025-07-07",
        "url": "https://advisory.splunk.com//advisories/SVD-2025-0709"
      }
    ],
    "source_lang": "en-US",
    "title": "Splunk Enterprise und Cloud-Plattform: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2025-07-07T22:00:00.000+00:00",
      "generator": {
        "date": "2025-07-08T09:44:41.689+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.4.0"
        }
      },
      "id": "WID-SEC-W-2025-1473",
      "initial_release_date": "2025-07-07T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2025-07-07T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c9.2.7",
                "product": {
                  "name": "Splunk Splunk Enterprise \u003c9.2.7",
                  "product_id": "T045088"
                }
              },
              {
                "category": "product_version",
                "name": "9.2.7",
                "product": {
                  "name": "Splunk Splunk Enterprise 9.2.7",
                  "product_id": "T045088-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:splunk:splunk:9.2.7"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c9.4.3",
                "product": {
                  "name": "Splunk Splunk Enterprise \u003c9.4.3",
                  "product_id": "T045094"
                }
              },
              {
                "category": "product_version",
                "name": "9.4.3",
                "product": {
                  "name": "Splunk Splunk Enterprise 9.4.3",
                  "product_id": "T045094-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:splunk:splunk:9.4.3"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c9.3.5",
                "product": {
                  "name": "Splunk Splunk Enterprise \u003c9.3.5",
                  "product_id": "T045095"
                }
              },
              {
                "category": "product_version",
                "name": "9.3.5",
                "product": {
                  "name": "Splunk Splunk Enterprise 9.3.5",
                  "product_id": "T045095-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:splunk:splunk:9.3.5"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c9.1.10",
                "product": {
                  "name": "Splunk Splunk Enterprise \u003c9.1.10",
                  "product_id": "T045096"
                }
              },
              {
                "category": "product_version",
                "name": "9.1.10",
                "product": {
                  "name": "Splunk Splunk Enterprise 9.1.10",
                  "product_id": "T045096-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:splunk:splunk:9.1.10"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "Cloud \u003c9.3.2411.107",
                "product": {
                  "name": "Splunk Splunk Enterprise Cloud \u003c9.3.2411.107",
                  "product_id": "T045097"
                }
              },
              {
                "category": "product_version",
                "name": "Cloud 9.3.2411.107",
                "product": {
                  "name": "Splunk Splunk Enterprise Cloud 9.3.2411.107",
                  "product_id": "T045097-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:splunk:splunk:cloud__9.3.2411.107"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "Cloud \u003c9.3.2408.117",
                "product": {
                  "name": "Splunk Splunk Enterprise Cloud \u003c9.3.2408.117",
                  "product_id": "T045098"
                }
              },
              {
                "category": "product_version",
                "name": "Cloud 9.3.2408.117",
                "product": {
                  "name": "Splunk Splunk Enterprise Cloud 9.3.2408.117",
                  "product_id": "T045098-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:splunk:splunk:cloud__9.3.2408.117"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "Cloud \u003c9.2.2406.121",
                "product": {
                  "name": "Splunk Splunk Enterprise Cloud \u003c9.2.2406.121",
                  "product_id": "T045099"
                }
              },
              {
                "category": "product_version",
                "name": "Cloud 9.2.2406.121",
                "product": {
                  "name": "Splunk Splunk Enterprise Cloud 9.2.2406.121",
                  "product_id": "T045099-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:splunk:splunk:cloud__9.2.2406.121"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "Cloud \u003c9.3.2411.104",
                "product": {
                  "name": "Splunk Splunk Enterprise Cloud \u003c9.3.2411.104",
                  "product_id": "T045100"
                }
              },
              {
                "category": "product_version",
                "name": "Cloud 9.3.2411.104",
                "product": {
                  "name": "Splunk Splunk Enterprise Cloud 9.3.2411.104",
                  "product_id": "T045100-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:splunk:splunk:cloud__9.3.2411.104"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "Cloud \u003c9.3.2408.113",
                "product": {
                  "name": "Splunk Splunk Enterprise Cloud \u003c9.3.2408.113",
                  "product_id": "T045101"
                }
              },
              {
                "category": "product_version",
                "name": "Cloud 9.3.2408.113",
                "product": {
                  "name": "Splunk Splunk Enterprise Cloud 9.3.2408.113",
                  "product_id": "T045101-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:splunk:splunk:cloud__9.3.2408.113"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "Cloud \u003c9.3.2408.114",
                "product": {
                  "name": "Splunk Splunk Enterprise Cloud \u003c9.3.2408.114",
                  "product_id": "T045103"
                }
              },
              {
                "category": "product_version",
                "name": "Cloud 9.3.2408.114",
                "product": {
                  "name": "Splunk Splunk Enterprise Cloud 9.3.2408.114",
                  "product_id": "T045103-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:splunk:splunk:cloud__9.3.2408.114"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "Cloud \u003c9.3.2411.103",
                "product": {
                  "name": "Splunk Splunk Enterprise Cloud \u003c9.3.2411.103",
                  "product_id": "T045105"
                }
              },
              {
                "category": "product_version",
                "name": "Cloud 9.3.2411.103",
                "product": {
                  "name": "Splunk Splunk Enterprise Cloud 9.3.2411.103",
                  "product_id": "T045105-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:splunk:splunk:cloud__9.3.2411.103"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "Cloud \u003c9.3.2408.112",
                "product": {
                  "name": "Splunk Splunk Enterprise Cloud \u003c9.3.2408.112",
                  "product_id": "T045106"
                }
              },
              {
                "category": "product_version",
                "name": "Cloud 9.3.2408.112",
                "product": {
                  "name": "Splunk Splunk Enterprise Cloud 9.3.2408.112",
                  "product_id": "T045106-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:splunk:splunk:cloud__9.3.2408.112"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "Cloud \u003c9.2.2406.119",
                "product": {
                  "name": "Splunk Splunk Enterprise Cloud \u003c9.2.2406.119",
                  "product_id": "T045107"
                }
              },
              {
                "category": "product_version",
                "name": "Cloud 9.2.2406.119",
                "product": {
                  "name": "Splunk Splunk Enterprise Cloud 9.2.2406.119",
                  "product_id": "T045107-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:splunk:splunk:cloud__9.2.2406.119"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Splunk Enterprise"
          }
        ],
        "category": "vendor",
        "name": "Splunk"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-20300",
      "product_status": {
        "known_affected": [
          "T045105",
          "T045107",
          "T045106",
          "T045095",
          "T045094",
          "T045096",
          "T045088"
        ]
      },
      "release_date": "2025-07-07T22:00:00.000+00:00",
      "title": "CVE-2025-20300"
    },
    {
      "cve": "CVE-2025-20319",
      "product_status": {
        "known_affected": [
          "T045095",
          "T045094",
          "T045096",
          "T045088"
        ]
      },
      "release_date": "2025-07-07T22:00:00.000+00:00",
      "title": "CVE-2025-20319"
    },
    {
      "cve": "CVE-2025-20320",
      "product_status": {
        "known_affected": [
          "T045095",
          "T045094",
          "T045105",
          "T045107",
          "T045106",
          "T045097",
          "T045096",
          "T045088",
          "T045099",
          "T045098",
          "T045101",
          "T045100",
          "T045103"
        ]
      },
      "release_date": "2025-07-07T22:00:00.000+00:00",
      "title": "CVE-2025-20320"
    },
    {
      "cve": "CVE-2025-20321",
      "product_status": {
        "known_affected": [
          "T045105",
          "T045107",
          "T045106",
          "T045095",
          "T045094",
          "T045096",
          "T045088",
          "T045101",
          "T045100",
          "T045103"
        ]
      },
      "release_date": "2025-07-07T22:00:00.000+00:00",
      "title": "CVE-2025-20321"
    },
    {
      "cve": "CVE-2025-20322",
      "product_status": {
        "known_affected": [
          "T045105",
          "T045107",
          "T045106",
          "T045095",
          "T045094",
          "T045096",
          "T045088",
          "T045101",
          "T045100"
        ]
      },
      "release_date": "2025-07-07T22:00:00.000+00:00",
      "title": "CVE-2025-20322"
    },
    {
      "cve": "CVE-2025-20323",
      "product_status": {
        "known_affected": [
          "T045095",
          "T045094",
          "T045096",
          "T045088"
        ]
      },
      "release_date": "2025-07-07T22:00:00.000+00:00",
      "title": "CVE-2025-20323"
    },
    {
      "cve": "CVE-2025-20324",
      "product_status": {
        "known_affected": [
          "T045105",
          "T045107",
          "T045106",
          "T045095",
          "T045094",
          "T045096",
          "T045088",
          "T045101",
          "T045100"
        ]
      },
      "release_date": "2025-07-07T22:00:00.000+00:00",
      "title": "CVE-2025-20324"
    },
    {
      "cve": "CVE-2025-20325",
      "product_status": {
        "known_affected": [
          "T045105",
          "T045107",
          "T045106",
          "T045095",
          "T045094",
          "T045096",
          "T045088",
          "T045101"
        ]
      },
      "release_date": "2025-07-07T22:00:00.000+00:00",
      "title": "CVE-2025-20325"
    }
  ]
}

CVE-2025-20321 (GCVE-0-2025-20321)

Vulnerability from cvelistv5

Published

2025-07-07 17:48

Modified

2025-07-07 18:07

Severity ?

6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CWE

CWE-352 - The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

Summary

In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7 and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.104, 9.3.2408.114, and 9.2.2406.119, an unauthenticated attacker can send a specially-crafted SPL search that could change the membership state in a Splunk Search Head Cluster (SHC) through a Cross-Site Request Forgery (CSRF), potentially leading to the removal of the captain or a member of the SHC. The vulnerability requires the attacker to phish the administrator-level victim by tricking them into initiating a request within their browser. The attacker should not be able to exploit the vulnerability at will.

References

►

URL

Tags

Impacted products

Vendor

Product

Version

►

Version: 9.4 < 9.4.3
Version: 9.3 < 9.3.5
Version: 9.2 < 9.2.7
Version: 9.1 < 9.1.10

Version: 9.3.2411 < 9.3.2411.104
Version: 9.3.2408 < 9.3.2408.114
Version: 9.2.2406 < 9.2.2406.119

Show details on NVD website

https://advisory.splunk.com/advisories/SVD-2025-0706

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-20321",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-07T18:07:38.792613Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-07T18:07:50.729Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Splunk Enterprise",
          "vendor": "Splunk",
          "versions": [
            {
              "lessThan": "9.4.3",
              "status": "affected",
              "version": "9.4",
              "versionType": "custom"
            },
            {
              "lessThan": "9.3.5",
              "status": "affected",
              "version": "9.3",
              "versionType": "custom"
            },
            {
              "lessThan": "9.2.7",
              "status": "affected",
              "version": "9.2",
              "versionType": "custom"
            },
            {
              "lessThan": "9.1.10",
              "status": "affected",
              "version": "9.1",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Splunk Enterprise Cloud",
          "vendor": "Splunk",
          "versions": [
            {
              "lessThan": "9.3.2411.104",
              "status": "affected",
              "version": "9.3.2411",
              "versionType": "custom"
            },
            {
              "lessThan": "9.3.2408.114",
              "status": "affected",
              "version": "9.3.2408",
              "versionType": "custom"
            },
            {
              "lessThan": "9.2.2406.119",
              "status": "affected",
              "version": "9.2.2406",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Anton (therceman)"
        }
      ],
      "datePublic": "2025-07-07T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7 and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.104, 9.3.2408.114, and 9.2.2406.119, an unauthenticated attacker can send a specially-crafted SPL search that could change the membership state in a Splunk Search Head Cluster (SHC) through a Cross-Site Request Forgery (CSRF), potentially leading to the removal of the captain or a member of the SHC.\u003cbr\u003e\u003cbr\u003eThe vulnerability requires the attacker to phish the administrator-level victim by tricking them into initiating a request within their browser. The attacker should not be able to exploit the vulnerability at will."
            }
          ],
          "value": "In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7 and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.104, 9.3.2408.114, and 9.2.2406.119, an unauthenticated attacker can send a specially-crafted SPL search that could change the membership state in a Splunk Search Head Cluster (SHC) through a Cross-Site Request Forgery (CSRF), potentially leading to the removal of the captain or a member of the SHC.\u003cbr\u003e\u003cbr\u003eThe vulnerability requires the attacker to phish the administrator-level victim by tricking them into initiating a request within their browser. The attacker should not be able to exploit the vulnerability at will."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-352",
              "description": "The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.",
              "lang": "en",
              "type": "cwe"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-07T17:48:03.146Z",
        "orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
        "shortName": "cisco"
      },
      "references": [
        {
          "url": "https://advisory.splunk.com/advisories/SVD-2025-0704"
        }
      ],
      "source": {
        "advisory": "SVD-2025-0704"
      },
      "title": "Membership State Change in Splunk Search Head Cluster through a Cross-Site Request Forgery (CSRF) in Splunk Enterprise"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
    "assignerShortName": "cisco",
    "cveId": "CVE-2025-20321",
    "datePublished": "2025-07-07T17:48:03.146Z",
    "dateReserved": "2024-10-10T19:15:13.254Z",
    "dateUpdated": "2025-07-07T18:07:50.729Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-20323 (GCVE-0-2025-20323)

Vulnerability from cvelistv5

Published

2025-07-07 17:48

Modified

2025-07-07 18:05

Severity ?

4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CWE

CWE-284 - The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Summary

In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7, and 9.1.10, a low-privileged user that does not hold the "admin" or "power" Splunk roles could turn off the scheduled search `Bucket Copy Trigger` within the Splunk Archiver application. This is because of missing access controls in the saved searches for this app.

References

►

URL

Tags

Impacted products

	Vendor	Product	Version
	Splunk	Splunk Enterprise	Version: 9.4 < 9.4.3 Version: 9.3 < 9.3.5 Version: 9.2 < 9.2.7 Version: 9.1 < 9.1.10

Show details on NVD website

https://advisory.splunk.com/advisories/SVD-2025-0707

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-20323",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-07T18:05:44.719056Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-07T18:05:58.100Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Splunk Enterprise",
          "vendor": "Splunk",
          "versions": [
            {
              "lessThan": "9.4.3",
              "status": "affected",
              "version": "9.4",
              "versionType": "custom"
            },
            {
              "lessThan": "9.3.5",
              "status": "affected",
              "version": "9.3",
              "versionType": "custom"
            },
            {
              "lessThan": "9.2.7",
              "status": "affected",
              "version": "9.2",
              "versionType": "custom"
            },
            {
              "lessThan": "9.1.10",
              "status": "affected",
              "version": "9.1",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Anton (therceman)"
        }
      ],
      "datePublic": "2025-07-07T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7, and 9.1.10, a low-privileged user that does not hold the \"admin\" or \"power\" Splunk roles could turn off the scheduled search `Bucket Copy Trigger` within the Splunk Archiver application. This is because of missing access controls in the saved searches for this app."
            }
          ],
          "value": "In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7, and 9.1.10, a low-privileged user that does not hold the \"admin\" or \"power\" Splunk roles could turn off the scheduled search `Bucket Copy Trigger` within the Splunk Archiver application. This is because of missing access controls in the saved searches for this app."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.",
              "lang": "en",
              "type": "cwe"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-07T17:48:03.961Z",
        "orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
        "shortName": "cisco"
      },
      "references": [
        {
          "url": "https://advisory.splunk.com/advisories/SVD-2025-0706"
        }
      ],
      "source": {
        "advisory": "SVD-2025-0706"
      },
      "title": "Missing Access Control of Saved Searches in the Splunk Archiver app"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
    "assignerShortName": "cisco",
    "cveId": "CVE-2025-20323",
    "datePublished": "2025-07-07T17:48:03.961Z",
    "dateReserved": "2024-10-10T19:15:13.254Z",
    "dateUpdated": "2025-07-07T18:05:58.100Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-20324 (GCVE-0-2025-20324)

Vulnerability from cvelistv5

Published

2025-07-07 17:48

Modified

2025-07-08 13:36

Severity ?

5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CWE

CWE-284 - The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Summary

In Splunk Enterprise versions below 9.4.2, 9.3.5, 9.2.7, and 9.1.10 and Splunk Cloud Platform versions below 9.3.2411.104, 9.3.2408.113, and 9.2.2406.119, a low-privileged user that does not hold the "admin" or "power" Splunk roles could create or overwrite [system source type](https://help.splunk.com/en/splunk-enterprise/get-started/get-data-in/9.2/configure-source-types/create-source-types) configurations by sending a specially-crafted payload to the `/servicesNS/nobody/search/admin/sourcetypes/` REST endpoint on the Splunk management port.

References

►

URL

Tags

Impacted products

Vendor

Product

Version

►

Version: 9.4 < 9.4.2
Version: 9.3 < 9.3.5
Version: 9.2 < 9.2.7
Version: 9.1 < 9.1.10

Version: 9.3.2411 < 9.3.2411.104
Version: 9.3.2408 < 9.3.2408.113
Version: 9.2.2406 < 9.2.2406.119

Show details on NVD website

https://advisory.splunk.com/advisories/SVD-2025-0709

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-20324",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-08T13:36:47.709223Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-08T13:36:57.794Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Splunk Enterprise",
          "vendor": "Splunk",
          "versions": [
            {
              "lessThan": "9.4.2",
              "status": "affected",
              "version": "9.4",
              "versionType": "custom"
            },
            {
              "lessThan": "9.3.5",
              "status": "affected",
              "version": "9.3",
              "versionType": "custom"
            },
            {
              "lessThan": "9.2.7",
              "status": "affected",
              "version": "9.2",
              "versionType": "custom"
            },
            {
              "lessThan": "9.1.10",
              "status": "affected",
              "version": "9.1",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Splunk Enterprise Cloud",
          "vendor": "Splunk",
          "versions": [
            {
              "lessThan": "9.3.2411.104",
              "status": "affected",
              "version": "9.3.2411",
              "versionType": "custom"
            },
            {
              "lessThan": "9.3.2408.113",
              "status": "affected",
              "version": "9.3.2408",
              "versionType": "custom"
            },
            {
              "lessThan": "9.2.2406.119",
              "status": "affected",
              "version": "9.2.2406",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2025-07-07T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "In Splunk Enterprise versions below 9.4.2, 9.3.5, 9.2.7, and 9.1.10 and Splunk Cloud Platform versions below 9.3.2411.104, 9.3.2408.113, and 9.2.2406.119, a low-privileged user that does not hold the \"admin\" or \"power\" Splunk roles could create or overwrite [system source type](https://help.splunk.com/en/splunk-enterprise/get-started/get-data-in/9.2/configure-source-types/create-source-types) configurations by sending a specially-crafted payload to the `/servicesNS/nobody/search/admin/sourcetypes/` REST endpoint on the Splunk management port."
            }
          ],
          "value": "In Splunk Enterprise versions below 9.4.2, 9.3.5, 9.2.7, and 9.1.10 and Splunk Cloud Platform versions below 9.3.2411.104, 9.3.2408.113, and 9.2.2406.119, a low-privileged user that does not hold the \"admin\" or \"power\" Splunk roles could create or overwrite [system source type](https://help.splunk.com/en/splunk-enterprise/get-started/get-data-in/9.2/configure-source-types/create-source-types) configurations by sending a specially-crafted payload to the `/servicesNS/nobody/search/admin/sourcetypes/` REST endpoint on the Splunk management port."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.",
              "lang": "en",
              "type": "cwe"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-07T17:48:00.484Z",
        "orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
        "shortName": "cisco"
      },
      "references": [
        {
          "url": "https://advisory.splunk.com/advisories/SVD-2025-0707"
        }
      ],
      "source": {
        "advisory": "SVD-2025-0707"
      },
      "title": "Improper Access Control in System Source Types Configuration in Splunk Enterprise"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
    "assignerShortName": "cisco",
    "cveId": "CVE-2025-20324",
    "datePublished": "2025-07-07T17:48:00.484Z",
    "dateReserved": "2024-10-10T19:15:13.254Z",
    "dateUpdated": "2025-07-08T13:36:57.794Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-20325 (GCVE-0-2025-20325)

Vulnerability from cvelistv5

Published

2025-07-07 17:48

Modified

2025-07-08 13:31

Severity ?

3.1 (Low) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

CWE

CWE-200 - The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Summary

In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7, and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.103, 9.3.2408.113, and 9.2.2406.119, the software potentially exposes the search head cluster [splunk.secret](https://help.splunk.com/en/splunk-enterprise/administer/manage-users-and-security/9.4/install-splunk-enterprise-securely/deploy-secure-passwords-across-multiple-servers) key. This exposure could happen if you have a Search Head cluster and you configure the Splunk Enterprise `SHCConfig` log channel at the DEBUG logging level in the clustered deployment. The vulnerability would require either local access to the log files or administrative access to internal indexes, which by default only the admin role receives. Review roles and capabilities on your instance and restrict internal index access to administrator-level roles. See [Define roles on the Splunk platform with capabilities](https://docs.splunk.com/Documentation/Splunk/latest/Security/Rolesandcapabilities), [Deploy a search head cluster](https://help.splunk.com/en/splunk-enterprise/administer/distributed-search/9.4/deploy-search-head-clustering/deploy-a-search-head-cluster), [Deploy secure passwords across multiple servers](https://help.splunk.com/en/splunk-enterprise/administer/manage-users-and-security/9.4/install-splunk-enterprise-securely/deploy-secure-passwords-across-multiple-servers) and [Set a security key for the search head cluster](https://help.splunk.com/splunk-enterprise/administer/distributed-search/9.4/configure-search-head-clustering/set-a-security-key-for-the-search-head-cluster#id_2c54937a_736c_47b5_9485_67e9e390acfa__Set_a_security_key_for_the_search_head_cluster) for more information.

References

►

URL

Tags

Impacted products

Vendor

Product

Version

►

Version: 9.4 < 9.4.3
Version: 9.3 < 9.3.5
Version: 9.2 < 9.2.7
Version: 9.1 < 9.1.10

Splunk Cloud Platform

Version: 9.3.2411 < 9.3.2411.103
Version: 9.3.2408 < 9.3.2408.113
Version: 9.2.2406 < 9.2.2406.119

Show details on NVD website

https://advisory.splunk.com/advisories/SVD-2025-0702

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-20325",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-08T13:31:42.379482Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-08T13:31:51.735Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Splunk Enterprise",
          "vendor": "Splunk",
          "versions": [
            {
              "lessThan": "9.4.3",
              "status": "affected",
              "version": "9.4",
              "versionType": "custom"
            },
            {
              "lessThan": "9.3.5",
              "status": "affected",
              "version": "9.3",
              "versionType": "custom"
            },
            {
              "lessThan": "9.2.7",
              "status": "affected",
              "version": "9.2",
              "versionType": "custom"
            },
            {
              "lessThan": "9.1.10",
              "status": "affected",
              "version": "9.1",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Splunk Cloud Platform",
          "vendor": "Splunk",
          "versions": [
            {
              "lessThan": "9.3.2411.103",
              "status": "affected",
              "version": "9.3.2411",
              "versionType": "custom"
            },
            {
              "lessThan": "9.3.2408.113",
              "status": "affected",
              "version": "9.3.2408",
              "versionType": "custom"
            },
            {
              "lessThan": "9.2.2406.119",
              "status": "affected",
              "version": "9.2.2406",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2025-07-07T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7, and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.103, 9.3.2408.113, and 9.2.2406.119, the software potentially exposes the search head cluster [splunk.secret](https://help.splunk.com/en/splunk-enterprise/administer/manage-users-and-security/9.4/install-splunk-enterprise-securely/deploy-secure-passwords-across-multiple-servers) key. This exposure could happen if you have a Search Head cluster and you configure the Splunk Enterprise\u00a0`SHCConfig`\u00a0log channel at the DEBUG logging level in the clustered deployment. \u003cbr\u003e\u003cbr\u003eThe vulnerability would require either local access to the log files or administrative access to internal indexes, which by default only the admin role receives. Review roles and capabilities on your instance and restrict internal index access to administrator-level roles. \u003cbr\u003e\u003cbr\u003eSee [Define roles on the Splunk platform with capabilities](https://docs.splunk.com/Documentation/Splunk/latest/Security/Rolesandcapabilities), [Deploy a search head cluster](https://help.splunk.com/en/splunk-enterprise/administer/distributed-search/9.4/deploy-search-head-clustering/deploy-a-search-head-cluster), [Deploy secure passwords across multiple servers](https://help.splunk.com/en/splunk-enterprise/administer/manage-users-and-security/9.4/install-splunk-enterprise-securely/deploy-secure-passwords-across-multiple-servers) and [Set a security key for the search head cluster](https://help.splunk.com/splunk-enterprise/administer/distributed-search/9.4/configure-search-head-clustering/set-a-security-key-for-the-search-head-cluster#id_2c54937a_736c_47b5_9485_67e9e390acfa__Set_a_security_key_for_the_search_head_cluster)  for more information."
            }
          ],
          "value": "In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7, and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.103, 9.3.2408.113, and 9.2.2406.119, the software potentially exposes the search head cluster [splunk.secret](https://help.splunk.com/en/splunk-enterprise/administer/manage-users-and-security/9.4/install-splunk-enterprise-securely/deploy-secure-passwords-across-multiple-servers) key. This exposure could happen if you have a Search Head cluster and you configure the Splunk Enterprise\u00a0`SHCConfig`\u00a0log channel at the DEBUG logging level in the clustered deployment. \u003cbr\u003e\u003cbr\u003eThe vulnerability would require either local access to the log files or administrative access to internal indexes, which by default only the admin role receives. Review roles and capabilities on your instance and restrict internal index access to administrator-level roles. \u003cbr\u003e\u003cbr\u003eSee [Define roles on the Splunk platform with capabilities](https://docs.splunk.com/Documentation/Splunk/latest/Security/Rolesandcapabilities), [Deploy a search head cluster](https://help.splunk.com/en/splunk-enterprise/administer/distributed-search/9.4/deploy-search-head-clustering/deploy-a-search-head-cluster), [Deploy secure passwords across multiple servers](https://help.splunk.com/en/splunk-enterprise/administer/manage-users-and-security/9.4/install-splunk-enterprise-securely/deploy-secure-passwords-across-multiple-servers) and [Set a security key for the search head cluster](https://help.splunk.com/splunk-enterprise/administer/distributed-search/9.4/configure-search-head-clustering/set-a-security-key-for-the-search-head-cluster#id_2c54937a_736c_47b5_9485_67e9e390acfa__Set_a_security_key_for_the_search_head_cluster)  for more information."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 3.1,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.",
              "lang": "en",
              "type": "cwe"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-07T17:48:02.265Z",
        "orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
        "shortName": "cisco"
      },
      "references": [
        {
          "url": "https://advisory.splunk.com/advisories/SVD-2025-0709"
        }
      ],
      "source": {
        "advisory": "SVD-2025-0709"
      },
      "title": "Sensitive Information Disclosure in the SHCConfig logging channel in Clustered Deployments in Splunk Enterprise"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
    "assignerShortName": "cisco",
    "cveId": "CVE-2025-20325",
    "datePublished": "2025-07-07T17:48:02.265Z",
    "dateReserved": "2024-10-10T19:15:13.254Z",
    "dateUpdated": "2025-07-08T13:31:51.735Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-20319 (GCVE-0-2025-20319)

Vulnerability from cvelistv5

Published

2025-07-07 17:48

Modified

2025-07-11 13:30

Severity ?

6.8 (Medium) - CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-78 - The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Summary

In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7, and 9.1.10, a user who holds a role that contains the high-privilege capability `edit_scripted` and `list_inputs` capability , could perform a remote command execution due to improper user input sanitization on the scripted input files. See [Define roles on the Splunk platform with capabilities](https://docs.splunk.com/Documentation/Splunk/latest/Security/Rolesandcapabilities) and [Setting up a scripted input ](https://docs.splunk.com/Documentation/Splunk/9.4.2/AdvancedDev/ScriptSetup)for more information.

References

►

URL

Tags

Impacted products

	Vendor	Product	Version
	Splunk	Splunk Enterprise	Version: 9.4 < 9.4.3 Version: 9.3 < 9.3.5 Version: 9.2 < 9.2.7 Version: 9.1 < 9.1.10

Show details on NVD website

https://advisory.splunk.com/advisories/SVD-2025-0703

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-20319",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-08T03:55:23.191338Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-11T13:30:31.420Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Splunk Enterprise",
          "vendor": "Splunk",
          "versions": [
            {
              "lessThan": "9.4.3",
              "status": "affected",
              "version": "9.4",
              "versionType": "custom"
            },
            {
              "lessThan": "9.3.5",
              "status": "affected",
              "version": "9.3",
              "versionType": "custom"
            },
            {
              "lessThan": "9.2.7",
              "status": "affected",
              "version": "9.2",
              "versionType": "custom"
            },
            {
              "lessThan": "9.1.10",
              "status": "affected",
              "version": "9.1",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2025-07-07T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7, and 9.1.10, a user who holds a role that contains the high-privilege capability `edit_scripted` and `list_inputs` capability , could perform a remote command execution due to improper user input sanitization on the scripted input files.\u003cbr\u003e\u003cbr\u003eSee [Define roles on the Splunk platform with capabilities](https://docs.splunk.com/Documentation/Splunk/latest/Security/Rolesandcapabilities) and [Setting up a scripted input ](https://docs.splunk.com/Documentation/Splunk/9.4.2/AdvancedDev/ScriptSetup)for more information."
            }
          ],
          "value": "In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7, and 9.1.10, a user who holds a role that contains the high-privilege capability `edit_scripted` and `list_inputs` capability , could perform a remote command execution due to improper user input sanitization on the scripted input files.\u003cbr\u003e\u003cbr\u003eSee [Define roles on the Splunk platform with capabilities](https://docs.splunk.com/Documentation/Splunk/latest/Security/Rolesandcapabilities) and [Setting up a scripted input ](https://docs.splunk.com/Documentation/Splunk/9.4.2/AdvancedDev/ScriptSetup)for more information."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-78",
              "description": "The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.",
              "lang": "en",
              "type": "cwe"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-07T17:48:01.283Z",
        "orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
        "shortName": "cisco"
      },
      "references": [
        {
          "url": "https://advisory.splunk.com/advisories/SVD-2025-0702"
        }
      ],
      "source": {
        "advisory": "SVD-2025-0702"
      },
      "title": "Remote Command Execution through Scripted Input Files in Splunk Enterprise"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
    "assignerShortName": "cisco",
    "cveId": "CVE-2025-20319",
    "datePublished": "2025-07-07T17:48:01.283Z",
    "dateReserved": "2024-10-10T19:15:13.254Z",
    "dateUpdated": "2025-07-11T13:30:31.420Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-20320 (GCVE-0-2025-20320)

Vulnerability from cvelistv5

Published

2025-07-07 17:47

Modified

2025-07-08 13:37

Severity ?

6.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:H

CWE

CWE-35 - The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' (doubled triple dot slash) sequences that can resolve to a location that is outside of that directory.

Summary

In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7 and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.107, 9.3.2408.117, and 9.2.2406.121, a low-privileged user that does not hold the "admin" or "power" Splunk roles could craft a malicious payload through the `User Interface - Views` configuration page that could potentially lead to a denial of service (DoS).The user could cause the DoS by exploiting a path traversal vulnerability that allows for deletion of arbitrary files within a Splunk directory. The vulnerability requires the low-privileged user to phish the administrator-level victim by tricking them into initiating a request within their browser. The low-privileged user should not be able to exploit the vulnerability at will.

References

►

URL

Tags

Impacted products

Vendor

Product

Version

►

Version: 9.4 < 9.4.3
Version: 9.3 < 9.3.5
Version: 9.2 < 9.2.7
Version: 9.1 < 9.1.10

Version: 9.3.2411 < 9.3.2411.107
Version: 9.3.2408 < 9.3.2408.117
Version: 9.2.2406 < 9.2.2406.121

Show details on NVD website

https://advisory.splunk.com/advisories/SVD-2025-0705

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-20320",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-08T13:37:10.108433Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-08T13:37:17.043Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Splunk Enterprise",
          "vendor": "Splunk",
          "versions": [
            {
              "lessThan": "9.4.3",
              "status": "affected",
              "version": "9.4",
              "versionType": "custom"
            },
            {
              "lessThan": "9.3.5",
              "status": "affected",
              "version": "9.3",
              "versionType": "custom"
            },
            {
              "lessThan": "9.2.7",
              "status": "affected",
              "version": "9.2",
              "versionType": "custom"
            },
            {
              "lessThan": "9.1.10",
              "status": "affected",
              "version": "9.1",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Splunk Enterprise Cloud",
          "vendor": "Splunk",
          "versions": [
            {
              "lessThan": "9.3.2411.107",
              "status": "affected",
              "version": "9.3.2411",
              "versionType": "custom"
            },
            {
              "lessThan": "9.3.2408.117",
              "status": "affected",
              "version": "9.3.2408",
              "versionType": "custom"
            },
            {
              "lessThan": "9.2.2406.121",
              "status": "affected",
              "version": "9.2.2406",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Danylo Dmytriiev (DDV_UA)"
        }
      ],
      "datePublic": "2025-07-07T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7 and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.107, 9.3.2408.117, and 9.2.2406.121, a low-privileged user that does not hold the \"admin\" or \"power\" Splunk roles could craft a malicious payload through the `User Interface - Views` configuration page that could potentially lead to a denial of service (DoS).The user could cause the DoS by exploiting a path traversal vulnerability that allows for deletion of arbitrary files within a Splunk directory. The vulnerability requires the low-privileged user to phish the administrator-level victim by tricking them into initiating a request within their browser. The low-privileged user should not be able to exploit the vulnerability at will."
            }
          ],
          "value": "In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7 and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.107, 9.3.2408.117, and 9.2.2406.121, a low-privileged user that does not hold the \"admin\" or \"power\" Splunk roles could craft a malicious payload through the `User Interface - Views` configuration page that could potentially lead to a denial of service (DoS).The user could cause the DoS by exploiting a path traversal vulnerability that allows for deletion of arbitrary files within a Splunk directory. The vulnerability requires the low-privileged user to phish the administrator-level victim by tricking them into initiating a request within their browser. The low-privileged user should not be able to exploit the vulnerability at will."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-35",
              "description": "The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize \u0027.../...//\u0027 (doubled triple dot slash) sequences that can resolve to a location that is outside of that directory.",
              "lang": "en",
              "type": "cwe"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-07T17:47:59.569Z",
        "orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
        "shortName": "cisco"
      },
      "references": [
        {
          "url": "https://advisory.splunk.com/advisories/SVD-2025-0703"
        }
      ],
      "source": {
        "advisory": "SVD-2025-0703"
      },
      "title": "Denial of Service (DoS) through \u201cUser Interface - Views\u201c configuration page in Splunk Enterprise"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
    "assignerShortName": "cisco",
    "cveId": "CVE-2025-20320",
    "datePublished": "2025-07-07T17:47:59.569Z",
    "dateReserved": "2024-10-10T19:15:13.254Z",
    "dateUpdated": "2025-07-08T13:37:17.043Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-20322 (GCVE-0-2025-20322)

Vulnerability from cvelistv5

Published

2025-07-07 17:48

Modified

2025-07-07 18:04

Severity ?

4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

CWE

CWE-352 - The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

Summary

In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7, and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.104, 9.3.2408.113, and 9.2.2406.119, an unauthenticated attacker could send a specially-crafted SPL search command that could trigger a rolling restart in the Search Head Cluster through a Cross-Site Request Forgery (CSRF), potentially leading to a denial of service (DoS). The vulnerability requires the attacker to phish the administrator-level victim by tricking them into initiating a request within their browser. The attacker should not be able to exploit the vulnerability at will. See [How rolling restart works](https://docs.splunk.com/Documentation/Splunk/9.4.2/DistSearch/RestartSHC) for more information.

References

►

URL

Tags

Impacted products

Vendor

Product

Version

►

Version: 9.4 < 9.4.3
Version: 9.3 < 9.3.5
Version: 9.2 < 9.2.7
Version: 9.1 < 9.1.10

Version: 9.3.2411 < 9.3.2411.104
Version: 9.3.2408 < 9.3.2408.113
Version: 9.2.2406 < 9.2.2406.119

Show details on NVD website

https://advisory.splunk.com/advisories/SVD-2025-0708

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-20322",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-07T18:04:29.197904Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-07T18:04:40.952Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Splunk Enterprise",
          "vendor": "Splunk",
          "versions": [
            {
              "lessThan": "9.4.3",
              "status": "affected",
              "version": "9.4",
              "versionType": "custom"
            },
            {
              "lessThan": "9.3.5",
              "status": "affected",
              "version": "9.3",
              "versionType": "custom"
            },
            {
              "lessThan": "9.2.7",
              "status": "affected",
              "version": "9.2",
              "versionType": "custom"
            },
            {
              "lessThan": "9.1.10",
              "status": "affected",
              "version": "9.1",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Splunk Enterprise Cloud",
          "vendor": "Splunk",
          "versions": [
            {
              "lessThan": "9.3.2411.104",
              "status": "affected",
              "version": "9.3.2411",
              "versionType": "custom"
            },
            {
              "lessThan": "9.3.2408.113",
              "status": "affected",
              "version": "9.3.2408",
              "versionType": "custom"
            },
            {
              "lessThan": "9.2.2406.119",
              "status": "affected",
              "version": "9.2.2406",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Anton (therceman)"
        }
      ],
      "datePublic": "2025-07-07T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7, and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.104, 9.3.2408.113, and 9.2.2406.119, an unauthenticated attacker could send a specially-crafted SPL search command that could trigger a rolling restart in the Search Head Cluster through a Cross-Site Request Forgery (CSRF), potentially leading to a denial of service (DoS).\u003cbr\u003e\u003cbr\u003eThe vulnerability requires the attacker to phish the administrator-level victim by tricking them into initiating a request within their browser. The attacker should not be able to exploit the vulnerability at will.\u003cbr\u003e\u003cbr\u003eSee [How rolling restart works](https://docs.splunk.com/Documentation/Splunk/9.4.2/DistSearch/RestartSHC) for more information."
            }
          ],
          "value": "In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7, and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.104, 9.3.2408.113, and 9.2.2406.119, an unauthenticated attacker could send a specially-crafted SPL search command that could trigger a rolling restart in the Search Head Cluster through a Cross-Site Request Forgery (CSRF), potentially leading to a denial of service (DoS).\u003cbr\u003e\u003cbr\u003eThe vulnerability requires the attacker to phish the administrator-level victim by tricking them into initiating a request within their browser. The attacker should not be able to exploit the vulnerability at will.\u003cbr\u003e\u003cbr\u003eSee [How rolling restart works](https://docs.splunk.com/Documentation/Splunk/9.4.2/DistSearch/RestartSHC) for more information."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-352",
              "description": "The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.",
              "lang": "en",
              "type": "cwe"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-07T17:48:05.482Z",
        "orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
        "shortName": "cisco"
      },
      "references": [
        {
          "url": "https://advisory.splunk.com/advisories/SVD-2025-0705"
        }
      ],
      "source": {
        "advisory": "SVD-2025-0705"
      },
      "title": "Denial of Service (DoS) in Search Head Cluster through Cross-Site Request Forgery (CSRF) in Splunk Enterprise"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
    "assignerShortName": "cisco",
    "cveId": "CVE-2025-20322",
    "datePublished": "2025-07-07T17:48:05.482Z",
    "dateReserved": "2024-10-10T19:15:13.254Z",
    "dateUpdated": "2025-07-07T18:04:40.952Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-20300 (GCVE-0-2025-20300)

Vulnerability from cvelistv5

Published

2025-07-07 17:47

Modified

2025-07-08 13:37

Severity ?

4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CWE

CWE-863 - The software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

Summary

In Splunk Enterprise versions below 9.4.2, 9.3.5, 9.2.6, and 9.1.9 and Splunk Cloud Platform versions below 9.3.2411.103, 9.3.2408.112, and 9.2.2406.119, a low-privileged user that does not hold the "admin" or "power" Splunk roles, and has read-only access to a specific alert, could suppress that alert when it triggers. See [Define alert suppression groups to throttle sets of similar alerts](https://help.splunk.com/en/splunk-enterprise/alert-and-respond/alerting-manual/9.4/manage-alert-trigger-conditions-and-throttling/define-alert-suppression-groups-to-throttle-sets-of-similar-alerts).

References

►

URL

Tags

Impacted products

Vendor

Product

Version

►

Version: 9.4 < 9.4.2
Version: 9.3 < 9.3.5
Version: 9.2 < 9.2.6
Version: 9.1 < 9.1.9

Splunk Cloud Platform

Version: 9.3.2411 < 9.3.2411.103
Version: 9.3.2408 < 9.3.2408.112
Version: 9.2.2406 < 9.2.2406.119

Show details on NVD website