Vulnerability-Lookup

WID-SEC-W-2025-1473

Vulnerability from csaf_certbund - Published: 2025-07-07 22:00 - Updated: 2025-09-30 22:00

Summary

Splunk Enterprise und Cloud-Plattform: Mehrere Schwachstellen

Severity

Mittel

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung: Splunk Enterprise ermöglicht Monitoring und Analyse von Clickstream-Daten und Kundentransaktionen.

Angriff: Ein Angreifer kann mehrere Schwachstellen in Splunk Enterprise und Cloud Platform ausnutzen, um Dateien zu manipulieren, beliebigen Code auszuführen, einen Denial-of-Service-Zustand zu verursachen und vertrauliche Informationen offenzulegen.

Betroffene Betriebssysteme: - Sonstiges - UNIX - Windows

CVE-2025-20300

CVE-2025-20319

CVE-2025-20320

CVE-2025-20321

CVE-2025-20322

CVE-2025-20323

CVE-2025-20324

CVE-2025-20325

References

URL

Category

	https://wid.cert-bund.de/.well-known/csaf/white/2…	self
	https://wid.cert-bund.de/portal/wid/securityadvis…	self
	https://advisory.splunk.com//advisories/SVD-2025-0702	external
	https://advisory.splunk.com//advisories/SVD-2025-0703	external
	https://advisory.splunk.com//advisories/SVD-2025-0704	external
	https://advisory.splunk.com//advisories/SVD-2025-0705	external
	https://advisory.splunk.com//advisories/SVD-2025-0706	external
	https://advisory.splunk.com//advisories/SVD-2025-0707	external
	https://advisory.splunk.com//advisories/SVD-2025-0708	external
	https://advisory.splunk.com//advisories/SVD-2025-0709	external
	https://www.absolute.com/platform/security-inform…	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Splunk Enterprise erm\u00f6glicht Monitoring und Analyse von Clickstream-Daten und Kundentransaktionen.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein Angreifer kann mehrere Schwachstellen in Splunk Enterprise und Cloud Platform ausnutzen, um Dateien zu manipulieren, beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand zu verursachen und vertrauliche Informationen offenzulegen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Sonstiges\n- UNIX\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2025-1473 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-1473.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2025-1473 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-1473"
      },
      {
        "category": "external",
        "summary": "Splunk Security Advisory vom 2025-07-07",
        "url": "https://advisory.splunk.com//advisories/SVD-2025-0702"
      },
      {
        "category": "external",
        "summary": "Splunk Security Advisory vom 2025-07-07",
        "url": "https://advisory.splunk.com//advisories/SVD-2025-0703"
      },
      {
        "category": "external",
        "summary": "Splunk Security Advisory vom 2025-07-07",
        "url": "https://advisory.splunk.com//advisories/SVD-2025-0704"
      },
      {
        "category": "external",
        "summary": "Splunk Security Advisory vom 2025-07-07",
        "url": "https://advisory.splunk.com//advisories/SVD-2025-0705"
      },
      {
        "category": "external",
        "summary": "Splunk Security Advisory vom 2025-07-07",
        "url": "https://advisory.splunk.com//advisories/SVD-2025-0706"
      },
      {
        "category": "external",
        "summary": "Splunk Security Advisory vom 2025-07-07",
        "url": "https://advisory.splunk.com//advisories/SVD-2025-0707"
      },
      {
        "category": "external",
        "summary": "Splunk Security Advisory vom 2025-07-07",
        "url": "https://advisory.splunk.com//advisories/SVD-2025-0708"
      },
      {
        "category": "external",
        "summary": "Splunk Security Advisory vom 2025-07-07",
        "url": "https://advisory.splunk.com//advisories/SVD-2025-0709"
      },
      {
        "category": "external",
        "summary": "Absolute Security Information vom 2025-09-30",
        "url": "https://www.absolute.com/platform/security-information/vulnerability-archive/secure-access-1410"
      }
    ],
    "source_lang": "en-US",
    "title": "Splunk Enterprise und Cloud-Plattform: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2025-09-30T22:00:00.000+00:00",
      "generator": {
        "date": "2025-10-01T06:46:24.246+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.4.0"
        }
      },
      "id": "WID-SEC-W-2025-1473",
      "initial_release_date": "2025-07-07T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2025-07-07T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2025-09-30T22:00:00.000+00:00",
          "number": "2",
          "summary": "Neue Updates aufgenommen"
        }
      ],
      "status": "final",
      "version": "2"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "Server \u003c14.10",
                "product": {
                  "name": "Absolute Secure Access Server \u003c14.10",
                  "product_id": "T047275"
                }
              },
              {
                "category": "product_version",
                "name": "Server 14.10",
                "product": {
                  "name": "Absolute Secure Access Server 14.10",
                  "product_id": "T047275-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:absolute:secure_access:server__14.10"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "Insights \u003c4.30",
                "product": {
                  "name": "Absolute Secure Access Insights \u003c4.30",
                  "product_id": "T047276"
                }
              },
              {
                "category": "product_version",
                "name": "Insights 4.30",
                "product": {
                  "name": "Absolute Secure Access Insights 4.30",
                  "product_id": "T047276-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:absolute:secure_access:insights__4.30"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Secure Access"
          }
        ],
        "category": "vendor",
        "name": "Absolute"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c9.2.7",
                "product": {
                  "name": "Splunk Splunk Enterprise \u003c9.2.7",
                  "product_id": "T045088"
                }
              },
              {
                "category": "product_version",
                "name": "9.2.7",
                "product": {
                  "name": "Splunk Splunk Enterprise 9.2.7",
                  "product_id": "T045088-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:splunk:splunk:9.2.7"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c9.4.3",
                "product": {
                  "name": "Splunk Splunk Enterprise \u003c9.4.3",
                  "product_id": "T045094"
                }
              },
              {
                "category": "product_version",
                "name": "9.4.3",
                "product": {
                  "name": "Splunk Splunk Enterprise 9.4.3",
                  "product_id": "T045094-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:splunk:splunk:9.4.3"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c9.3.5",
                "product": {
                  "name": "Splunk Splunk Enterprise \u003c9.3.5",
                  "product_id": "T045095"
                }
              },
              {
                "category": "product_version",
                "name": "9.3.5",
                "product": {
                  "name": "Splunk Splunk Enterprise 9.3.5",
                  "product_id": "T045095-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:splunk:splunk:9.3.5"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c9.1.10",
                "product": {
                  "name": "Splunk Splunk Enterprise \u003c9.1.10",
                  "product_id": "T045096"
                }
              },
              {
                "category": "product_version",
                "name": "9.1.10",
                "product": {
                  "name": "Splunk Splunk Enterprise 9.1.10",
                  "product_id": "T045096-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:splunk:splunk:9.1.10"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "Cloud \u003c9.3.2411.107",
                "product": {
                  "name": "Splunk Splunk Enterprise Cloud \u003c9.3.2411.107",
                  "product_id": "T045097"
                }
              },
              {
                "category": "product_version",
                "name": "Cloud 9.3.2411.107",
                "product": {
                  "name": "Splunk Splunk Enterprise Cloud 9.3.2411.107",
                  "product_id": "T045097-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:splunk:splunk:cloud__9.3.2411.107"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "Cloud \u003c9.3.2408.117",
                "product": {
                  "name": "Splunk Splunk Enterprise Cloud \u003c9.3.2408.117",
                  "product_id": "T045098"
                }
              },
              {
                "category": "product_version",
                "name": "Cloud 9.3.2408.117",
                "product": {
                  "name": "Splunk Splunk Enterprise Cloud 9.3.2408.117",
                  "product_id": "T045098-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:splunk:splunk:cloud__9.3.2408.117"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "Cloud \u003c9.2.2406.121",
                "product": {
                  "name": "Splunk Splunk Enterprise Cloud \u003c9.2.2406.121",
                  "product_id": "T045099"
                }
              },
              {
                "category": "product_version",
                "name": "Cloud 9.2.2406.121",
                "product": {
                  "name": "Splunk Splunk Enterprise Cloud 9.2.2406.121",
                  "product_id": "T045099-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:splunk:splunk:cloud__9.2.2406.121"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "Cloud \u003c9.3.2411.104",
                "product": {
                  "name": "Splunk Splunk Enterprise Cloud \u003c9.3.2411.104",
                  "product_id": "T045100"
                }
              },
              {
                "category": "product_version",
                "name": "Cloud 9.3.2411.104",
                "product": {
                  "name": "Splunk Splunk Enterprise Cloud 9.3.2411.104",
                  "product_id": "T045100-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:splunk:splunk:cloud__9.3.2411.104"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "Cloud \u003c9.3.2408.113",
                "product": {
                  "name": "Splunk Splunk Enterprise Cloud \u003c9.3.2408.113",
                  "product_id": "T045101"
                }
              },
              {
                "category": "product_version",
                "name": "Cloud 9.3.2408.113",
                "product": {
                  "name": "Splunk Splunk Enterprise Cloud 9.3.2408.113",
                  "product_id": "T045101-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:splunk:splunk:cloud__9.3.2408.113"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "Cloud \u003c9.3.2408.114",
                "product": {
                  "name": "Splunk Splunk Enterprise Cloud \u003c9.3.2408.114",
                  "product_id": "T045103"
                }
              },
              {
                "category": "product_version",
                "name": "Cloud 9.3.2408.114",
                "product": {
                  "name": "Splunk Splunk Enterprise Cloud 9.3.2408.114",
                  "product_id": "T045103-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:splunk:splunk:cloud__9.3.2408.114"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "Cloud \u003c9.3.2411.103",
                "product": {
                  "name": "Splunk Splunk Enterprise Cloud \u003c9.3.2411.103",
                  "product_id": "T045105"
                }
              },
              {
                "category": "product_version",
                "name": "Cloud 9.3.2411.103",
                "product": {
                  "name": "Splunk Splunk Enterprise Cloud 9.3.2411.103",
                  "product_id": "T045105-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:splunk:splunk:cloud__9.3.2411.103"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "Cloud \u003c9.3.2408.112",
                "product": {
                  "name": "Splunk Splunk Enterprise Cloud \u003c9.3.2408.112",
                  "product_id": "T045106"
                }
              },
              {
                "category": "product_version",
                "name": "Cloud 9.3.2408.112",
                "product": {
                  "name": "Splunk Splunk Enterprise Cloud 9.3.2408.112",
                  "product_id": "T045106-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:splunk:splunk:cloud__9.3.2408.112"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "Cloud \u003c9.2.2406.119",
                "product": {
                  "name": "Splunk Splunk Enterprise Cloud \u003c9.2.2406.119",
                  "product_id": "T045107"
                }
              },
              {
                "category": "product_version",
                "name": "Cloud 9.2.2406.119",
                "product": {
                  "name": "Splunk Splunk Enterprise Cloud 9.2.2406.119",
                  "product_id": "T045107-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:splunk:splunk:cloud__9.2.2406.119"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Splunk Enterprise"
          }
        ],
        "category": "vendor",
        "name": "Splunk"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-20300",
      "product_status": {
        "known_affected": [
          "T045105",
          "T045107",
          "T045106",
          "T045095",
          "T045094",
          "T047276",
          "T045096",
          "T045088",
          "T047275"
        ]
      },
      "release_date": "2025-07-07T22:00:00.000+00:00",
      "title": "CVE-2025-20300"
    },
    {
      "cve": "CVE-2025-20319",
      "product_status": {
        "known_affected": [
          "T045095",
          "T045094",
          "T047276",
          "T045096",
          "T045088",
          "T047275"
        ]
      },
      "release_date": "2025-07-07T22:00:00.000+00:00",
      "title": "CVE-2025-20319"
    },
    {
      "cve": "CVE-2025-20320",
      "product_status": {
        "known_affected": [
          "T045095",
          "T045094",
          "T045105",
          "T045107",
          "T045106",
          "T045097",
          "T047276",
          "T045096",
          "T045088",
          "T045099",
          "T045098",
          "T047275",
          "T045101",
          "T045100",
          "T045103"
        ]
      },
      "release_date": "2025-07-07T22:00:00.000+00:00",
      "title": "CVE-2025-20320"
    },
    {
      "cve": "CVE-2025-20321",
      "product_status": {
        "known_affected": [
          "T045105",
          "T045107",
          "T045106",
          "T045095",
          "T045094",
          "T047276",
          "T045096",
          "T045088",
          "T047275",
          "T045101",
          "T045100",
          "T045103"
        ]
      },
      "release_date": "2025-07-07T22:00:00.000+00:00",
      "title": "CVE-2025-20321"
    },
    {
      "cve": "CVE-2025-20322",
      "product_status": {
        "known_affected": [
          "T045105",
          "T045107",
          "T045106",
          "T045095",
          "T045094",
          "T047276",
          "T045096",
          "T045088",
          "T047275",
          "T045101",
          "T045100"
        ]
      },
      "release_date": "2025-07-07T22:00:00.000+00:00",
      "title": "CVE-2025-20322"
    },
    {
      "cve": "CVE-2025-20323",
      "product_status": {
        "known_affected": [
          "T045095",
          "T045094",
          "T047276",
          "T045096",
          "T045088",
          "T047275"
        ]
      },
      "release_date": "2025-07-07T22:00:00.000+00:00",
      "title": "CVE-2025-20323"
    },
    {
      "cve": "CVE-2025-20324",
      "product_status": {
        "known_affected": [
          "T045105",
          "T045107",
          "T045106",
          "T045095",
          "T045094",
          "T047276",
          "T045096",
          "T045088",
          "T047275",
          "T045101",
          "T045100"
        ]
      },
      "release_date": "2025-07-07T22:00:00.000+00:00",
      "title": "CVE-2025-20324"
    },
    {
      "cve": "CVE-2025-20325",
      "product_status": {
        "known_affected": [
          "T045105",
          "T045107",
          "T045106",
          "T045095",
          "T045094",
          "T047276",
          "T045096",
          "T045088",
          "T047275",
          "T045101"
        ]
      },
      "release_date": "2025-07-07T22:00:00.000+00:00",
      "title": "CVE-2025-20325"
    }
  ]
}

CVE-2025-20300 (GCVE-0-2025-20300)

Vulnerability from cvelistv5 – Published: 2025-07-07 17:47 – Updated: 2025-07-08 13:37

Title

Improper Access Control Lets Low-Privilege Users Suppress Read-Only Alerts in Splunk Enterprise

Summary

In Splunk Enterprise versions below 9.4.2, 9.3.5, 9.2.6, and 9.1.9 and Splunk Cloud Platform versions below 9.3.2411.103, 9.3.2408.112, and 9.2.2406.119, a low-privileged user that does not hold the "admin" or "power" Splunk roles, and has read-only access to a specific alert, could suppress that alert when it triggers. See [Define alert suppression groups to throttle sets of similar alerts](https://help.splunk.com/en/splunk-enterprise/alert-and-respond/alerting-manual/9.4/manage-alert-trigger-conditions-and-throttling/define-alert-suppression-groups-to-throttle-sets-of-similar-alerts).

Severity ?

4.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CWE

CWE-863 - The software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

Assigner

cisco

References

URL

Tags

https://advisory.splunk.com/advisories/SVD-2025-0708

Impacted products

Vendor

Product

Version

Splunk

Splunk Enterprise

Affected: 9.4 , < 9.4.2 (custom)
Affected: 9.3 , < 9.3.5 (custom)
Affected: 9.2 , < 9.2.6 (custom)
Affected: 9.1 , < 9.1.9 (custom)

Splunk

Splunk Cloud Platform

Affected: 9.3.2411 , < 9.3.2411.103 (custom)
Affected: 9.3.2408 , < 9.3.2408.112 (custom)
Affected: 9.2.2406 , < 9.2.2406.119 (custom)

Date Public ?

2025-07-07 00:00

Credits

Anton (therceman)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-20300",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-08T13:37:31.112880Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-08T13:37:50.544Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Splunk Enterprise",
          "vendor": "Splunk",
          "versions": [
            {
              "lessThan": "9.4.2",
              "status": "affected",
              "version": "9.4",
              "versionType": "custom"
            },
            {
              "lessThan": "9.3.5",
              "status": "affected",
              "version": "9.3",
              "versionType": "custom"
            },
            {
              "lessThan": "9.2.6",
              "status": "affected",
              "version": "9.2",
              "versionType": "custom"
            },
            {
              "lessThan": "9.1.9",
              "status": "affected",
              "version": "9.1",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Splunk Cloud Platform",
          "vendor": "Splunk",
          "versions": [
            {
              "lessThan": "9.3.2411.103",
              "status": "affected",
              "version": "9.3.2411",
              "versionType": "custom"
            },
            {
              "lessThan": "9.3.2408.112",
              "status": "affected",
              "version": "9.3.2408",
              "versionType": "custom"
            },
            {
              "lessThan": "9.2.2406.119",
              "status": "affected",
              "version": "9.2.2406",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Anton (therceman)"
        }
      ],
      "datePublic": "2025-07-07T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "In Splunk Enterprise versions below 9.4.2, 9.3.5, 9.2.6, and 9.1.9 and Splunk Cloud Platform versions below 9.3.2411.103, 9.3.2408.112, and 9.2.2406.119, a low-privileged user that does not hold the \"admin\" or \"power\" Splunk roles, and has read-only access to a specific alert, could suppress that alert when it triggers. See [Define alert suppression groups to throttle sets of similar alerts](https://help.splunk.com/en/splunk-enterprise/alert-and-respond/alerting-manual/9.4/manage-alert-trigger-conditions-and-throttling/define-alert-suppression-groups-to-throttle-sets-of-similar-alerts)."
            }
          ],
          "value": "In Splunk Enterprise versions below 9.4.2, 9.3.5, 9.2.6, and 9.1.9 and Splunk Cloud Platform versions below 9.3.2411.103, 9.3.2408.112, and 9.2.2406.119, a low-privileged user that does not hold the \"admin\" or \"power\" Splunk roles, and has read-only access to a specific alert, could suppress that alert when it triggers. See [Define alert suppression groups to throttle sets of similar alerts](https://help.splunk.com/en/splunk-enterprise/alert-and-respond/alerting-manual/9.4/manage-alert-trigger-conditions-and-throttling/define-alert-suppression-groups-to-throttle-sets-of-similar-alerts)."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-863",
              "description": "The software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.",
              "lang": "en",
              "type": "cwe"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-07T17:47:58.250Z",
        "orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
        "shortName": "cisco"
      },
      "references": [
        {
          "url": "https://advisory.splunk.com/advisories/SVD-2025-0708"
        }
      ],
      "source": {
        "advisory": "SVD-2025-0708"
      },
      "title": "Improper Access Control Lets Low-Privilege Users Suppress Read-Only Alerts in Splunk Enterprise"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
    "assignerShortName": "cisco",
    "cveId": "CVE-2025-20300",
    "datePublished": "2025-07-07T17:47:58.250Z",
    "dateReserved": "2024-10-10T19:15:13.252Z",
    "dateUpdated": "2025-07-08T13:37:50.544Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-20324 (GCVE-0-2025-20324)

Vulnerability from cvelistv5 – Published: 2025-07-07 17:48 – Updated: 2025-07-08 13:36

Title

Improper Access Control in System Source Types Configuration in Splunk Enterprise

Summary

In Splunk Enterprise versions below 9.4.2, 9.3.5, 9.2.7, and 9.1.10 and Splunk Cloud Platform versions below 9.3.2411.104, 9.3.2408.113, and 9.2.2406.119, a low-privileged user that does not hold the "admin" or "power" Splunk roles could create or overwrite [system source type](https://help.splunk.com/en/splunk-enterprise/get-started/get-data-in/9.2/configure-source-types/create-source-types) configurations by sending a specially-crafted payload to the `/servicesNS/nobody/search/admin/sourcetypes/` REST endpoint on the Splunk management port.

Severity ?

5.4 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CWE

CWE-284 - The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Assigner

cisco

References

URL

Tags

https://advisory.splunk.com/advisories/SVD-2025-0707

Impacted products

Vendor

Product

Version

Splunk

Splunk Enterprise

Affected: 9.4 , < 9.4.2 (custom)
Affected: 9.3 , < 9.3.5 (custom)
Affected: 9.2 , < 9.2.7 (custom)
Affected: 9.1 , < 9.1.10 (custom)

Splunk

Splunk Enterprise Cloud

Affected: 9.3.2411 , < 9.3.2411.104 (custom)
Affected: 9.3.2408 , < 9.3.2408.113 (custom)
Affected: 9.2.2406 , < 9.2.2406.119 (custom)

Date Public ?

2025-07-07 00:00

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-20324",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-08T13:36:47.709223Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-08T13:36:57.794Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Splunk Enterprise",
          "vendor": "Splunk",
          "versions": [
            {
              "lessThan": "9.4.2",
              "status": "affected",
              "version": "9.4",
              "versionType": "custom"
            },
            {
              "lessThan": "9.3.5",
              "status": "affected",
              "version": "9.3",
              "versionType": "custom"
            },
            {
              "lessThan": "9.2.7",
              "status": "affected",
              "version": "9.2",
              "versionType": "custom"
            },
            {
              "lessThan": "9.1.10",
              "status": "affected",
              "version": "9.1",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Splunk Enterprise Cloud",
          "vendor": "Splunk",
          "versions": [
            {
              "lessThan": "9.3.2411.104",
              "status": "affected",
              "version": "9.3.2411",
              "versionType": "custom"
            },
            {
              "lessThan": "9.3.2408.113",
              "status": "affected",
              "version": "9.3.2408",
              "versionType": "custom"
            },
            {
              "lessThan": "9.2.2406.119",
              "status": "affected",
              "version": "9.2.2406",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2025-07-07T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "In Splunk Enterprise versions below 9.4.2, 9.3.5, 9.2.7, and 9.1.10 and Splunk Cloud Platform versions below 9.3.2411.104, 9.3.2408.113, and 9.2.2406.119, a low-privileged user that does not hold the \"admin\" or \"power\" Splunk roles could create or overwrite [system source type](https://help.splunk.com/en/splunk-enterprise/get-started/get-data-in/9.2/configure-source-types/create-source-types) configurations by sending a specially-crafted payload to the `/servicesNS/nobody/search/admin/sourcetypes/` REST endpoint on the Splunk management port."
            }
          ],
          "value": "In Splunk Enterprise versions below 9.4.2, 9.3.5, 9.2.7, and 9.1.10 and Splunk Cloud Platform versions below 9.3.2411.104, 9.3.2408.113, and 9.2.2406.119, a low-privileged user that does not hold the \"admin\" or \"power\" Splunk roles could create or overwrite [system source type](https://help.splunk.com/en/splunk-enterprise/get-started/get-data-in/9.2/configure-source-types/create-source-types) configurations by sending a specially-crafted payload to the `/servicesNS/nobody/search/admin/sourcetypes/` REST endpoint on the Splunk management port."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.",
              "lang": "en",
              "type": "cwe"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-07T17:48:00.484Z",
        "orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
        "shortName": "cisco"
      },
      "references": [
        {
          "url": "https://advisory.splunk.com/advisories/SVD-2025-0707"
        }
      ],
      "source": {
        "advisory": "SVD-2025-0707"
      },
      "title": "Improper Access Control in System Source Types Configuration in Splunk Enterprise"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
    "assignerShortName": "cisco",
    "cveId": "CVE-2025-20324",
    "datePublished": "2025-07-07T17:48:00.484Z",
    "dateReserved": "2024-10-10T19:15:13.254Z",
    "dateUpdated": "2025-07-08T13:36:57.794Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-20323 (GCVE-0-2025-20323)

Vulnerability from cvelistv5 – Published: 2025-07-07 17:48 – Updated: 2025-07-07 18:05

Title

Missing Access Control of Saved Searches in the Splunk Archiver app

Summary

In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7, and 9.1.10, a low-privileged user that does not hold the "admin" or "power" Splunk roles could turn off the scheduled search `Bucket Copy Trigger` within the Splunk Archiver application. This is because of missing access controls in the saved searches for this app.

Severity ?

4.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CWE

CWE-284 - The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Assigner

cisco

References

URL

Tags

https://advisory.splunk.com/advisories/SVD-2025-0706

Impacted products

	Vendor	Product	Version
	Splunk	Splunk Enterprise	Affected: 9.4 , < 9.4.3 (custom) Affected: 9.3 , < 9.3.5 (custom) Affected: 9.2 , < 9.2.7 (custom) Affected: 9.1 , < 9.1.10 (custom)

Date Public ?

2025-07-07 00:00

Credits

Anton (therceman)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-20323",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-07T18:05:44.719056Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-07T18:05:58.100Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Splunk Enterprise",
          "vendor": "Splunk",
          "versions": [
            {
              "lessThan": "9.4.3",
              "status": "affected",
              "version": "9.4",
              "versionType": "custom"
            },
            {
              "lessThan": "9.3.5",
              "status": "affected",
              "version": "9.3",
              "versionType": "custom"
            },
            {
              "lessThan": "9.2.7",
              "status": "affected",
              "version": "9.2",
              "versionType": "custom"
            },
            {
              "lessThan": "9.1.10",
              "status": "affected",
              "version": "9.1",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Anton (therceman)"
        }
      ],
      "datePublic": "2025-07-07T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7, and 9.1.10, a low-privileged user that does not hold the \"admin\" or \"power\" Splunk roles could turn off the scheduled search `Bucket Copy Trigger` within the Splunk Archiver application. This is because of missing access controls in the saved searches for this app."
            }
          ],
          "value": "In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7, and 9.1.10, a low-privileged user that does not hold the \"admin\" or \"power\" Splunk roles could turn off the scheduled search `Bucket Copy Trigger` within the Splunk Archiver application. This is because of missing access controls in the saved searches for this app."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.",
              "lang": "en",
              "type": "cwe"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-07T17:48:03.961Z",
        "orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
        "shortName": "cisco"
      },
      "references": [
        {
          "url": "https://advisory.splunk.com/advisories/SVD-2025-0706"
        }
      ],
      "source": {
        "advisory": "SVD-2025-0706"
      },
      "title": "Missing Access Control of Saved Searches in the Splunk Archiver app"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
    "assignerShortName": "cisco",
    "cveId": "CVE-2025-20323",
    "datePublished": "2025-07-07T17:48:03.961Z",
    "dateReserved": "2024-10-10T19:15:13.254Z",
    "dateUpdated": "2025-07-07T18:05:58.100Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-20322 (GCVE-0-2025-20322)

Vulnerability from cvelistv5 – Published: 2025-07-07 17:48 – Updated: 2025-07-07 18:04

Title

Denial of Service (DoS) in Search Head Cluster through Cross-Site Request Forgery (CSRF) in Splunk Enterprise

Summary

In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7, and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.104, 9.3.2408.113, and 9.2.2406.119, an unauthenticated attacker could send a specially-crafted SPL search command that could trigger a rolling restart in the Search Head Cluster through a Cross-Site Request Forgery (CSRF), potentially leading to a denial of service (DoS). The vulnerability requires the attacker to phish the administrator-level victim by tricking them into initiating a request within their browser. The attacker should not be able to exploit the vulnerability at will. See [How rolling restart works](https://docs.splunk.com/Documentation/Splunk/9.4.2/DistSearch/RestartSHC) for more information.

Severity ?

4.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

CWE

CWE-352 - The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

Assigner

cisco

References

URL

Tags

https://advisory.splunk.com/advisories/SVD-2025-0705

Impacted products

Vendor

Product

Version

Splunk

Splunk Enterprise

Affected: 9.4 , < 9.4.3 (custom)
Affected: 9.3 , < 9.3.5 (custom)
Affected: 9.2 , < 9.2.7 (custom)
Affected: 9.1 , < 9.1.10 (custom)

Splunk

Splunk Enterprise Cloud

Affected: 9.3.2411 , < 9.3.2411.104 (custom)
Affected: 9.3.2408 , < 9.3.2408.113 (custom)
Affected: 9.2.2406 , < 9.2.2406.119 (custom)

Date Public ?

2025-07-07 00:00

Credits

Anton (therceman)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-20322",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-07T18:04:29.197904Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-07T18:04:40.952Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Splunk Enterprise",
          "vendor": "Splunk",
          "versions": [
            {
              "lessThan": "9.4.3",
              "status": "affected",
              "version": "9.4",
              "versionType": "custom"
            },
            {
              "lessThan": "9.3.5",
              "status": "affected",
              "version": "9.3",
              "versionType": "custom"
            },
            {
              "lessThan": "9.2.7",
              "status": "affected",
              "version": "9.2",
              "versionType": "custom"
            },
            {
              "lessThan": "9.1.10",
              "status": "affected",
              "version": "9.1",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Splunk Enterprise Cloud",
          "vendor": "Splunk",
          "versions": [
            {
              "lessThan": "9.3.2411.104",
              "status": "affected",
              "version": "9.3.2411",
              "versionType": "custom"
            },
            {
              "lessThan": "9.3.2408.113",
              "status": "affected",
              "version": "9.3.2408",
              "versionType": "custom"
            },
            {
              "lessThan": "9.2.2406.119",
              "status": "affected",
              "version": "9.2.2406",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Anton (therceman)"
        }
      ],
      "datePublic": "2025-07-07T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7, and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.104, 9.3.2408.113, and 9.2.2406.119, an unauthenticated attacker could send a specially-crafted SPL search command that could trigger a rolling restart in the Search Head Cluster through a Cross-Site Request Forgery (CSRF), potentially leading to a denial of service (DoS).\u003cbr\u003e\u003cbr\u003eThe vulnerability requires the attacker to phish the administrator-level victim by tricking them into initiating a request within their browser. The attacker should not be able to exploit the vulnerability at will.\u003cbr\u003e\u003cbr\u003eSee [How rolling restart works](https://docs.splunk.com/Documentation/Splunk/9.4.2/DistSearch/RestartSHC) for more information."
            }
          ],
          "value": "In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7, and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.104, 9.3.2408.113, and 9.2.2406.119, an unauthenticated attacker could send a specially-crafted SPL search command that could trigger a rolling restart in the Search Head Cluster through a Cross-Site Request Forgery (CSRF), potentially leading to a denial of service (DoS).\u003cbr\u003e\u003cbr\u003eThe vulnerability requires the attacker to phish the administrator-level victim by tricking them into initiating a request within their browser. The attacker should not be able to exploit the vulnerability at will.\u003cbr\u003e\u003cbr\u003eSee [How rolling restart works](https://docs.splunk.com/Documentation/Splunk/9.4.2/DistSearch/RestartSHC) for more information."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-352",
              "description": "The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.",
              "lang": "en",
              "type": "cwe"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-07T17:48:05.482Z",
        "orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
        "shortName": "cisco"
      },
      "references": [
        {
          "url": "https://advisory.splunk.com/advisories/SVD-2025-0705"
        }
      ],
      "source": {
        "advisory": "SVD-2025-0705"
      },
      "title": "Denial of Service (DoS) in Search Head Cluster through Cross-Site Request Forgery (CSRF) in Splunk Enterprise"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
    "assignerShortName": "cisco",
    "cveId": "CVE-2025-20322",
    "datePublished": "2025-07-07T17:48:05.482Z",
    "dateReserved": "2024-10-10T19:15:13.254Z",
    "dateUpdated": "2025-07-07T18:04:40.952Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-20320 (GCVE-0-2025-20320)

Vulnerability from cvelistv5 – Published: 2025-07-07 17:47 – Updated: 2025-07-08 13:37

Title

Denial of Service (DoS) through “User Interface - Views“ configuration page in Splunk Enterprise

Summary

In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7 and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.107, 9.3.2408.117, and 9.2.2406.121, a low-privileged user that does not hold the "admin" or "power" Splunk roles could craft a malicious payload through the `User Interface - Views` configuration page that could potentially lead to a denial of service (DoS).The user could cause the DoS by exploiting a path traversal vulnerability that allows for deletion of arbitrary files within a Splunk directory. The vulnerability requires the low-privileged user to phish the administrator-level victim by tricking them into initiating a request within their browser. The low-privileged user should not be able to exploit the vulnerability at will.

Severity ?

6.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:H

CWE

CWE-35 - The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' (doubled triple dot slash) sequences that can resolve to a location that is outside of that directory.

Assigner

cisco

References

URL

Tags

https://advisory.splunk.com/advisories/SVD-2025-0703

Impacted products

Vendor

Product

Version

Splunk

Splunk Enterprise

Affected: 9.4 , < 9.4.3 (custom)
Affected: 9.3 , < 9.3.5 (custom)
Affected: 9.2 , < 9.2.7 (custom)
Affected: 9.1 , < 9.1.10 (custom)

Splunk

Splunk Enterprise Cloud

Affected: 9.3.2411 , < 9.3.2411.107 (custom)
Affected: 9.3.2408 , < 9.3.2408.117 (custom)
Affected: 9.2.2406 , < 9.2.2406.121 (custom)

Date Public ?

2025-07-07 00:00

Credits

Danylo Dmytriiev (DDV_UA)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-20320",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-08T13:37:10.108433Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-08T13:37:17.043Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Splunk Enterprise",
          "vendor": "Splunk",
          "versions": [
            {
              "lessThan": "9.4.3",
              "status": "affected",
              "version": "9.4",
              "versionType": "custom"
            },
            {
              "lessThan": "9.3.5",
              "status": "affected",
              "version": "9.3",
              "versionType": "custom"
            },
            {
              "lessThan": "9.2.7",
              "status": "affected",
              "version": "9.2",
              "versionType": "custom"
            },
            {
              "lessThan": "9.1.10",
              "status": "affected",
              "version": "9.1",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Splunk Enterprise Cloud",
          "vendor": "Splunk",
          "versions": [
            {
              "lessThan": "9.3.2411.107",
              "status": "affected",
              "version": "9.3.2411",
              "versionType": "custom"
            },
            {
              "lessThan": "9.3.2408.117",
              "status": "affected",
              "version": "9.3.2408",
              "versionType": "custom"
            },
            {
              "lessThan": "9.2.2406.121",
              "status": "affected",
              "version": "9.2.2406",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Danylo Dmytriiev (DDV_UA)"
        }
      ],
      "datePublic": "2025-07-07T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7 and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.107, 9.3.2408.117, and 9.2.2406.121, a low-privileged user that does not hold the \"admin\" or \"power\" Splunk roles could craft a malicious payload through the `User Interface - Views` configuration page that could potentially lead to a denial of service (DoS).The user could cause the DoS by exploiting a path traversal vulnerability that allows for deletion of arbitrary files within a Splunk directory. The vulnerability requires the low-privileged user to phish the administrator-level victim by tricking them into initiating a request within their browser. The low-privileged user should not be able to exploit the vulnerability at will."
            }
          ],
          "value": "In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7 and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.107, 9.3.2408.117, and 9.2.2406.121, a low-privileged user that does not hold the \"admin\" or \"power\" Splunk roles could craft a malicious payload through the `User Interface - Views` configuration page that could potentially lead to a denial of service (DoS).The user could cause the DoS by exploiting a path traversal vulnerability that allows for deletion of arbitrary files within a Splunk directory. The vulnerability requires the low-privileged user to phish the administrator-level victim by tricking them into initiating a request within their browser. The low-privileged user should not be able to exploit the vulnerability at will."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-35",
              "description": "The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize \u0027.../...//\u0027 (doubled triple dot slash) sequences that can resolve to a location that is outside of that directory.",
              "lang": "en",
              "type": "cwe"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-07T17:47:59.569Z",
        "orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
        "shortName": "cisco"
      },
      "references": [
        {
          "url": "https://advisory.splunk.com/advisories/SVD-2025-0703"
        }
      ],
      "source": {
        "advisory": "SVD-2025-0703"
      },
      "title": "Denial of Service (DoS) through \u201cUser Interface - Views\u201c configuration page in Splunk Enterprise"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
    "assignerShortName": "cisco",
    "cveId": "CVE-2025-20320",
    "datePublished": "2025-07-07T17:47:59.569Z",
    "dateReserved": "2024-10-10T19:15:13.254Z",
    "dateUpdated": "2025-07-08T13:37:17.043Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-20319 (GCVE-0-2025-20319)

Vulnerability from cvelistv5 – Published: 2025-07-07 17:48 – Updated: 2026-02-26 18:27

Title

Remote Command Execution through Scripted Input Files in Splunk Enterprise

Summary

In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7, and 9.1.10, a user who holds a role that contains the high-privilege capability `edit_scripted` and `list_inputs` capability , could perform a remote command execution due to improper user input sanitization on the scripted input files. See [Define roles on the Splunk platform with capabilities](https://docs.splunk.com/Documentation/Splunk/latest/Security/Rolesandcapabilities) and [Setting up a scripted input ](https://docs.splunk.com/Documentation/Splunk/9.4.2/AdvancedDev/ScriptSetup)for more information.

Severity ?

6.8 (Medium)


                        
                          CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-78 - The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Assigner

cisco

References

URL

Tags

https://advisory.splunk.com/advisories/SVD-2025-0702

Impacted products

	Vendor	Product	Version
	Splunk	Splunk Enterprise	Affected: 9.4 , < 9.4.3 (custom) Affected: 9.3 , < 9.3.5 (custom) Affected: 9.2 , < 9.2.7 (custom) Affected: 9.1 , < 9.1.10 (custom)

Date Public ?

2025-07-07 00:00

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-20319",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-08T03:55:23.191338Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-26T18:27:54.075Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Splunk Enterprise",
          "vendor": "Splunk",
          "versions": [
            {
              "lessThan": "9.4.3",
              "status": "affected",
              "version": "9.4",
              "versionType": "custom"
            },
            {
              "lessThan": "9.3.5",
              "status": "affected",
              "version": "9.3",
              "versionType": "custom"
            },
            {
              "lessThan": "9.2.7",
              "status": "affected",
              "version": "9.2",
              "versionType": "custom"
            },
            {
              "lessThan": "9.1.10",
              "status": "affected",
              "version": "9.1",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2025-07-07T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7, and 9.1.10, a user who holds a role that contains the high-privilege capability `edit_scripted` and `list_inputs` capability , could perform a remote command execution due to improper user input sanitization on the scripted input files.\u003cbr\u003e\u003cbr\u003eSee [Define roles on the Splunk platform with capabilities](https://docs.splunk.com/Documentation/Splunk/latest/Security/Rolesandcapabilities) and [Setting up a scripted input ](https://docs.splunk.com/Documentation/Splunk/9.4.2/AdvancedDev/ScriptSetup)for more information."
            }
          ],
          "value": "In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7, and 9.1.10, a user who holds a role that contains the high-privilege capability `edit_scripted` and `list_inputs` capability , could perform a remote command execution due to improper user input sanitization on the scripted input files.\u003cbr\u003e\u003cbr\u003eSee [Define roles on the Splunk platform with capabilities](https://docs.splunk.com/Documentation/Splunk/latest/Security/Rolesandcapabilities) and [Setting up a scripted input ](https://docs.splunk.com/Documentation/Splunk/9.4.2/AdvancedDev/ScriptSetup)for more information."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-78",
              "description": "The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.",
              "lang": "en",
              "type": "cwe"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-07T17:48:01.283Z",
        "orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
        "shortName": "cisco"
      },
      "references": [
        {
          "url": "https://advisory.splunk.com/advisories/SVD-2025-0702"
        }
      ],
      "source": {
        "advisory": "SVD-2025-0702"
      },
      "title": "Remote Command Execution through Scripted Input Files in Splunk Enterprise"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
    "assignerShortName": "cisco",
    "cveId": "CVE-2025-20319",
    "datePublished": "2025-07-07T17:48:01.283Z",
    "dateReserved": "2024-10-10T19:15:13.254Z",
    "dateUpdated": "2026-02-26T18:27:54.075Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-20325 (GCVE-0-2025-20325)

Vulnerability from cvelistv5 – Published: 2025-07-07 17:48 – Updated: 2025-07-08 13:31

Title

Sensitive Information Disclosure in the SHCConfig logging channel in Clustered Deployments in Splunk Enterprise

Summary

In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7, and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.103, 9.3.2408.113, and 9.2.2406.119, the software potentially exposes the search head cluster [splunk.secret](https://help.splunk.com/en/splunk-enterprise/administer/manage-users-and-security/9.4/install-splunk-enterprise-securely/deploy-secure-passwords-across-multiple-servers) key. This exposure could happen if you have a Search Head cluster and you configure the Splunk Enterprise `SHCConfig` log channel at the DEBUG logging level in the clustered deployment. The vulnerability would require either local access to the log files or administrative access to internal indexes, which by default only the admin role receives. Review roles and capabilities on your instance and restrict internal index access to administrator-level roles. See [Define roles on the Splunk platform with capabilities](https://docs.splunk.com/Documentation/Splunk/latest/Security/Rolesandcapabilities), [Deploy a search head cluster](https://help.splunk.com/en/splunk-enterprise/administer/distributed-search/9.4/deploy-search-head-clustering/deploy-a-search-head-cluster), [Deploy secure passwords across multiple servers](https://help.splunk.com/en/splunk-enterprise/administer/manage-users-and-security/9.4/install-splunk-enterprise-securely/deploy-secure-passwords-across-multiple-servers) and [Set a security key for the search head cluster](https://help.splunk.com/splunk-enterprise/administer/distributed-search/9.4/configure-search-head-clustering/set-a-security-key-for-the-search-head-cluster#id_2c54937a_736c_47b5_9485_67e9e390acfa__Set_a_security_key_for_the_search_head_cluster) for more information.

Severity ?

3.1 (Low)


                        
                          CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

CWE

CWE-200 - The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Assigner

cisco

References

URL

Tags

https://advisory.splunk.com/advisories/SVD-2025-0709

Impacted products

Vendor

Product

Version

Splunk

Splunk Enterprise

Affected: 9.4 , < 9.4.3 (custom)
Affected: 9.3 , < 9.3.5 (custom)
Affected: 9.2 , < 9.2.7 (custom)
Affected: 9.1 , < 9.1.10 (custom)

Splunk

Splunk Cloud Platform

Affected: 9.3.2411 , < 9.3.2411.103 (custom)
Affected: 9.3.2408 , < 9.3.2408.113 (custom)
Affected: 9.2.2406 , < 9.2.2406.119 (custom)

Date Public ?

2025-07-07 00:00

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-20325",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-08T13:31:42.379482Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-08T13:31:51.735Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Splunk Enterprise",
          "vendor": "Splunk",
          "versions": [
            {
              "lessThan": "9.4.3",
              "status": "affected",
              "version": "9.4",
              "versionType": "custom"
            },
            {
              "lessThan": "9.3.5",
              "status": "affected",
              "version": "9.3",
              "versionType": "custom"
            },
            {
              "lessThan": "9.2.7",
              "status": "affected",
              "version": "9.2",
              "versionType": "custom"
            },
            {
              "lessThan": "9.1.10",
              "status": "affected",
              "version": "9.1",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Splunk Cloud Platform",
          "vendor": "Splunk",
          "versions": [
            {
              "lessThan": "9.3.2411.103",
              "status": "affected",
              "version": "9.3.2411",
              "versionType": "custom"
            },
            {
              "lessThan": "9.3.2408.113",
              "status": "affected",
              "version": "9.3.2408",
              "versionType": "custom"
            },
            {
              "lessThan": "9.2.2406.119",
              "status": "affected",
              "version": "9.2.2406",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2025-07-07T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7, and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.103, 9.3.2408.113, and 9.2.2406.119, the software potentially exposes the search head cluster [splunk.secret](https://help.splunk.com/en/splunk-enterprise/administer/manage-users-and-security/9.4/install-splunk-enterprise-securely/deploy-secure-passwords-across-multiple-servers) key. This exposure could happen if you have a Search Head cluster and you configure the Splunk Enterprise\u00a0`SHCConfig`\u00a0log channel at the DEBUG logging level in the clustered deployment. \u003cbr\u003e\u003cbr\u003eThe vulnerability would require either local access to the log files or administrative access to internal indexes, which by default only the admin role receives. Review roles and capabilities on your instance and restrict internal index access to administrator-level roles. \u003cbr\u003e\u003cbr\u003eSee [Define roles on the Splunk platform with capabilities](https://docs.splunk.com/Documentation/Splunk/latest/Security/Rolesandcapabilities), [Deploy a search head cluster](https://help.splunk.com/en/splunk-enterprise/administer/distributed-search/9.4/deploy-search-head-clustering/deploy-a-search-head-cluster), [Deploy secure passwords across multiple servers](https://help.splunk.com/en/splunk-enterprise/administer/manage-users-and-security/9.4/install-splunk-enterprise-securely/deploy-secure-passwords-across-multiple-servers) and [Set a security key for the search head cluster](https://help.splunk.com/splunk-enterprise/administer/distributed-search/9.4/configure-search-head-clustering/set-a-security-key-for-the-search-head-cluster#id_2c54937a_736c_47b5_9485_67e9e390acfa__Set_a_security_key_for_the_search_head_cluster)  for more information."
            }
          ],
          "value": "In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7, and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.103, 9.3.2408.113, and 9.2.2406.119, the software potentially exposes the search head cluster [splunk.secret](https://help.splunk.com/en/splunk-enterprise/administer/manage-users-and-security/9.4/install-splunk-enterprise-securely/deploy-secure-passwords-across-multiple-servers) key. This exposure could happen if you have a Search Head cluster and you configure the Splunk Enterprise\u00a0`SHCConfig`\u00a0log channel at the DEBUG logging level in the clustered deployment. \u003cbr\u003e\u003cbr\u003eThe vulnerability would require either local access to the log files or administrative access to internal indexes, which by default only the admin role receives. Review roles and capabilities on your instance and restrict internal index access to administrator-level roles. \u003cbr\u003e\u003cbr\u003eSee [Define roles on the Splunk platform with capabilities](https://docs.splunk.com/Documentation/Splunk/latest/Security/Rolesandcapabilities), [Deploy a search head cluster](https://help.splunk.com/en/splunk-enterprise/administer/distributed-search/9.4/deploy-search-head-clustering/deploy-a-search-head-cluster), [Deploy secure passwords across multiple servers](https://help.splunk.com/en/splunk-enterprise/administer/manage-users-and-security/9.4/install-splunk-enterprise-securely/deploy-secure-passwords-across-multiple-servers) and [Set a security key for the search head cluster](https://help.splunk.com/splunk-enterprise/administer/distributed-search/9.4/configure-search-head-clustering/set-a-security-key-for-the-search-head-cluster#id_2c54937a_736c_47b5_9485_67e9e390acfa__Set_a_security_key_for_the_search_head_cluster)  for more information."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 3.1,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.",
              "lang": "en",
              "type": "cwe"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-07T17:48:02.265Z",
        "orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
        "shortName": "cisco"
      },
      "references": [
        {
          "url": "https://advisory.splunk.com/advisories/SVD-2025-0709"
        }
      ],
      "source": {
        "advisory": "SVD-2025-0709"
      },
      "title": "Sensitive Information Disclosure in the SHCConfig logging channel in Clustered Deployments in Splunk Enterprise"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
    "assignerShortName": "cisco",
    "cveId": "CVE-2025-20325",
    "datePublished": "2025-07-07T17:48:02.265Z",
    "dateReserved": "2024-10-10T19:15:13.254Z",
    "dateUpdated": "2025-07-08T13:31:51.735Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-20321 (GCVE-0-2025-20321)

Vulnerability from cvelistv5 – Published: 2025-07-07 17:48 – Updated: 2025-07-07 18:07

Title

Membership State Change in Splunk Search Head Cluster through a Cross-Site Request Forgery (CSRF) in Splunk Enterprise

Summary

In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7 and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.104, 9.3.2408.114, and 9.2.2406.119, an unauthenticated attacker can send a specially-crafted SPL search that could change the membership state in a Splunk Search Head Cluster (SHC) through a Cross-Site Request Forgery (CSRF), potentially leading to the removal of the captain or a member of the SHC. The vulnerability requires the attacker to phish the administrator-level victim by tricking them into initiating a request within their browser. The attacker should not be able to exploit the vulnerability at will.

Severity ?

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CWE

CWE-352 - The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

Assigner

cisco

References

URL

Tags

https://advisory.splunk.com/advisories/SVD-2025-0704

Impacted products

Vendor

Product

Version

Splunk

Splunk Enterprise

Affected: 9.4 , < 9.4.3 (custom)
Affected: 9.3 , < 9.3.5 (custom)
Affected: 9.2 , < 9.2.7 (custom)
Affected: 9.1 , < 9.1.10 (custom)

Splunk

Splunk Enterprise Cloud

Affected: 9.3.2411 , < 9.3.2411.104 (custom)
Affected: 9.3.2408 , < 9.3.2408.114 (custom)
Affected: 9.2.2406 , < 9.2.2406.119 (custom)

Date Public ?

2025-07-07 00:00

Credits

Anton (therceman)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-20321",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-07T18:07:38.792613Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-07T18:07:50.729Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Splunk Enterprise",
          "vendor": "Splunk",
          "versions": [
            {
              "lessThan": "9.4.3",
              "status": "affected",
              "version": "9.4",
              "versionType": "custom"
            },
            {
              "lessThan": "9.3.5",
              "status": "affected",
              "version": "9.3",
              "versionType": "custom"
            },
            {
              "lessThan": "9.2.7",
              "status": "affected",
              "version": "9.2",
              "versionType": "custom"
            },
            {
              "lessThan": "9.1.10",
              "status": "affected",
              "version": "9.1",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Splunk Enterprise Cloud",
          "vendor": "Splunk",
          "versions": [
            {
              "lessThan": "9.3.2411.104",
              "status": "affected",
              "version": "9.3.2411",
              "versionType": "custom"
            },
            {
              "lessThan": "9.3.2408.114",
              "status": "affected",
              "version": "9.3.2408",
              "versionType": "custom"
            },
            {
              "lessThan": "9.2.2406.119",
              "status": "affected",
              "version": "9.2.2406",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Anton (therceman)"
        }
      ],
      "datePublic": "2025-07-07T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7 and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.104, 9.3.2408.114, and 9.2.2406.119, an unauthenticated attacker can send a specially-crafted SPL search that could change the membership state in a Splunk Search Head Cluster (SHC) through a Cross-Site Request Forgery (CSRF), potentially leading to the removal of the captain or a member of the SHC.\u003cbr\u003e\u003cbr\u003eThe vulnerability requires the attacker to phish the administrator-level victim by tricking them into initiating a request within their browser. The attacker should not be able to exploit the vulnerability at will."
            }
          ],
          "value": "In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7 and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.104, 9.3.2408.114, and 9.2.2406.119, an unauthenticated attacker can send a specially-crafted SPL search that could change the membership state in a Splunk Search Head Cluster (SHC) through a Cross-Site Request Forgery (CSRF), potentially leading to the removal of the captain or a member of the SHC.\u003cbr\u003e\u003cbr\u003eThe vulnerability requires the attacker to phish the administrator-level victim by tricking them into initiating a request within their browser. The attacker should not be able to exploit the vulnerability at will."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-352",
              "description": "The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.",
              "lang": "en",
              "type": "cwe"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-07T17:48:03.146Z",
        "orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
        "shortName": "cisco"
      },
      "references": [
        {
          "url": "https://advisory.splunk.com/advisories/SVD-2025-0704"
        }
      ],
      "source": {
        "advisory": "SVD-2025-0704"
      },
      "title": "Membership State Change in Splunk Search Head Cluster through a Cross-Site Request Forgery (CSRF) in Splunk Enterprise"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
    "assignerShortName": "cisco",
    "cveId": "CVE-2025-20321",
    "datePublished": "2025-07-07T17:48:03.146Z",
    "dateReserved": "2024-10-10T19:15:13.254Z",
    "dateUpdated": "2025-07-07T18:07:50.729Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

WID-SEC-W-2025-1473

CVE-2025-20300 (GCVE-0-2025-20300)

CVE-2025-20324 (GCVE-0-2025-20324)

CVE-2025-20323 (GCVE-0-2025-20323)

CVE-2025-20322 (GCVE-0-2025-20322)

CVE-2025-20320 (GCVE-0-2025-20320)

CVE-2025-20319 (GCVE-0-2025-20319)

CVE-2025-20325 (GCVE-0-2025-20325)

CVE-2025-20321 (GCVE-0-2025-20321)

Tags

Sightings

Nomenclature