All the vulnerabilites related to Splunk - Splunk Enterprise Cloud
cve-2025-20320
Vulnerability from cvelistv5
Published
2025-07-07 17:47
Modified
2025-07-08 13:37
Severity ?
EPSS score ?
Summary
Denial of Service (DoS) through “User Interface - Views“ configuration page in Splunk Enterprise
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Splunk | Splunk Enterprise | |
| Splunk | Splunk Enterprise Cloud |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-20320",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-08T13:37:10.108433Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-08T13:37:17.043Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Splunk Enterprise",
"vendor": "Splunk",
"versions": [
{
"lessThan": "9.4.3",
"status": "affected",
"version": "9.4",
"versionType": "custom"
},
{
"lessThan": "9.3.5",
"status": "affected",
"version": "9.3",
"versionType": "custom"
},
{
"lessThan": "9.2.7",
"status": "affected",
"version": "9.2",
"versionType": "custom"
},
{
"lessThan": "9.1.10",
"status": "affected",
"version": "9.1",
"versionType": "custom"
}
]
},
{
"product": "Splunk Enterprise Cloud",
"vendor": "Splunk",
"versions": [
{
"lessThan": "9.3.2411.107",
"status": "affected",
"version": "9.3.2411",
"versionType": "custom"
},
{
"lessThan": "9.3.2408.117",
"status": "affected",
"version": "9.3.2408",
"versionType": "custom"
},
{
"lessThan": "9.2.2406.121",
"status": "affected",
"version": "9.2.2406",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Danylo Dmytriiev (DDV_UA)"
}
],
"datePublic": "2025-07-07T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7 and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.107, 9.3.2408.117, and 9.2.2406.121, a low-privileged user that does not hold the \"admin\" or \"power\" Splunk roles could craft a malicious payload through the `User Interface - Views` configuration page that could potentially lead to a denial of service (DoS).The user could cause the DoS by exploiting a path traversal vulnerability that allows for deletion of arbitrary files within a Splunk directory. The vulnerability requires the low-privileged user to phish the administrator-level victim by tricking them into initiating a request within their browser. The low-privileged user should not be able to exploit the vulnerability at will."
}
],
"value": "In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7 and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.107, 9.3.2408.117, and 9.2.2406.121, a low-privileged user that does not hold the \"admin\" or \"power\" Splunk roles could craft a malicious payload through the `User Interface - Views` configuration page that could potentially lead to a denial of service (DoS).The user could cause the DoS by exploiting a path traversal vulnerability that allows for deletion of arbitrary files within a Splunk directory. The vulnerability requires the low-privileged user to phish the administrator-level victim by tricking them into initiating a request within their browser. The low-privileged user should not be able to exploit the vulnerability at will."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-35",
"description": "The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize \u0027.../...//\u0027 (doubled triple dot slash) sequences that can resolve to a location that is outside of that directory.",
"lang": "en",
"type": "cwe"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-07T17:47:59.569Z",
"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"shortName": "cisco"
},
"references": [
{
"url": "https://advisory.splunk.com/advisories/SVD-2025-0703"
}
],
"source": {
"advisory": "SVD-2025-0703"
},
"title": "Denial of Service (DoS) through \u201cUser Interface - Views\u201c configuration page in Splunk Enterprise"
}
},
"cveMetadata": {
"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"assignerShortName": "cisco",
"cveId": "CVE-2025-20320",
"datePublished": "2025-07-07T17:47:59.569Z",
"dateReserved": "2024-10-10T19:15:13.254Z",
"dateUpdated": "2025-07-08T13:37:17.043Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2025-20321
Vulnerability from cvelistv5
Published
2025-07-07 17:48
Modified
2025-07-07 18:07
Severity ?
EPSS score ?
Summary
Membership State Change in Splunk Search Head Cluster through a Cross-Site Request Forgery (CSRF) in Splunk Enterprise
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Splunk | Splunk Enterprise | |
| Splunk | Splunk Enterprise Cloud |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-20321",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-07T18:07:38.792613Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-07T18:07:50.729Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Splunk Enterprise",
"vendor": "Splunk",
"versions": [
{
"lessThan": "9.4.3",
"status": "affected",
"version": "9.4",
"versionType": "custom"
},
{
"lessThan": "9.3.5",
"status": "affected",
"version": "9.3",
"versionType": "custom"
},
{
"lessThan": "9.2.7",
"status": "affected",
"version": "9.2",
"versionType": "custom"
},
{
"lessThan": "9.1.10",
"status": "affected",
"version": "9.1",
"versionType": "custom"
}
]
},
{
"product": "Splunk Enterprise Cloud",
"vendor": "Splunk",
"versions": [
{
"lessThan": "9.3.2411.104",
"status": "affected",
"version": "9.3.2411",
"versionType": "custom"
},
{
"lessThan": "9.3.2408.114",
"status": "affected",
"version": "9.3.2408",
"versionType": "custom"
},
{
"lessThan": "9.2.2406.119",
"status": "affected",
"version": "9.2.2406",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Anton (therceman)"
}
],
"datePublic": "2025-07-07T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7 and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.104, 9.3.2408.114, and 9.2.2406.119, an unauthenticated attacker can send a specially-crafted SPL search that could change the membership state in a Splunk Search Head Cluster (SHC) through a Cross-Site Request Forgery (CSRF), potentially leading to the removal of the captain or a member of the SHC.\u003cbr\u003e\u003cbr\u003eThe vulnerability requires the attacker to phish the administrator-level victim by tricking them into initiating a request within their browser. The attacker should not be able to exploit the vulnerability at will."
}
],
"value": "In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7 and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.104, 9.3.2408.114, and 9.2.2406.119, an unauthenticated attacker can send a specially-crafted SPL search that could change the membership state in a Splunk Search Head Cluster (SHC) through a Cross-Site Request Forgery (CSRF), potentially leading to the removal of the captain or a member of the SHC.\u003cbr\u003e\u003cbr\u003eThe vulnerability requires the attacker to phish the administrator-level victim by tricking them into initiating a request within their browser. The attacker should not be able to exploit the vulnerability at will."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.",
"lang": "en",
"type": "cwe"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-07T17:48:03.146Z",
"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"shortName": "cisco"
},
"references": [
{
"url": "https://advisory.splunk.com/advisories/SVD-2025-0704"
}
],
"source": {
"advisory": "SVD-2025-0704"
},
"title": "Membership State Change in Splunk Search Head Cluster through a Cross-Site Request Forgery (CSRF) in Splunk Enterprise"
}
},
"cveMetadata": {
"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"assignerShortName": "cisco",
"cveId": "CVE-2025-20321",
"datePublished": "2025-07-07T17:48:03.146Z",
"dateReserved": "2024-10-10T19:15:13.254Z",
"dateUpdated": "2025-07-07T18:07:50.729Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2025-20322
Vulnerability from cvelistv5
Published
2025-07-07 17:48
Modified
2025-07-07 18:04
Severity ?
EPSS score ?
Summary
Denial of Service (DoS) in Search Head Cluster through Cross-Site Request Forgery (CSRF) in Splunk Enterprise
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Splunk | Splunk Enterprise | |
| Splunk | Splunk Enterprise Cloud |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-20322",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-07T18:04:29.197904Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-07T18:04:40.952Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Splunk Enterprise",
"vendor": "Splunk",
"versions": [
{
"lessThan": "9.4.3",
"status": "affected",
"version": "9.4",
"versionType": "custom"
},
{
"lessThan": "9.3.5",
"status": "affected",
"version": "9.3",
"versionType": "custom"
},
{
"lessThan": "9.2.7",
"status": "affected",
"version": "9.2",
"versionType": "custom"
},
{
"lessThan": "9.1.10",
"status": "affected",
"version": "9.1",
"versionType": "custom"
}
]
},
{
"product": "Splunk Enterprise Cloud",
"vendor": "Splunk",
"versions": [
{
"lessThan": "9.3.2411.104",
"status": "affected",
"version": "9.3.2411",
"versionType": "custom"
},
{
"lessThan": "9.3.2408.113",
"status": "affected",
"version": "9.3.2408",
"versionType": "custom"
},
{
"lessThan": "9.2.2406.119",
"status": "affected",
"version": "9.2.2406",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Anton (therceman)"
}
],
"datePublic": "2025-07-07T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7, and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.104, 9.3.2408.113, and 9.2.2406.119, an unauthenticated attacker could send a specially-crafted SPL search command that could trigger a rolling restart in the Search Head Cluster through a Cross-Site Request Forgery (CSRF), potentially leading to a denial of service (DoS).\u003cbr\u003e\u003cbr\u003eThe vulnerability requires the attacker to phish the administrator-level victim by tricking them into initiating a request within their browser. The attacker should not be able to exploit the vulnerability at will.\u003cbr\u003e\u003cbr\u003eSee [How rolling restart works](https://docs.splunk.com/Documentation/Splunk/9.4.2/DistSearch/RestartSHC) for more information."
}
],
"value": "In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7, and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.104, 9.3.2408.113, and 9.2.2406.119, an unauthenticated attacker could send a specially-crafted SPL search command that could trigger a rolling restart in the Search Head Cluster through a Cross-Site Request Forgery (CSRF), potentially leading to a denial of service (DoS).\u003cbr\u003e\u003cbr\u003eThe vulnerability requires the attacker to phish the administrator-level victim by tricking them into initiating a request within their browser. The attacker should not be able to exploit the vulnerability at will.\u003cbr\u003e\u003cbr\u003eSee [How rolling restart works](https://docs.splunk.com/Documentation/Splunk/9.4.2/DistSearch/RestartSHC) for more information."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.",
"lang": "en",
"type": "cwe"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-07T17:48:05.482Z",
"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"shortName": "cisco"
},
"references": [
{
"url": "https://advisory.splunk.com/advisories/SVD-2025-0705"
}
],
"source": {
"advisory": "SVD-2025-0705"
},
"title": "Denial of Service (DoS) in Search Head Cluster through Cross-Site Request Forgery (CSRF) in Splunk Enterprise"
}
},
"cveMetadata": {
"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"assignerShortName": "cisco",
"cveId": "CVE-2025-20322",
"datePublished": "2025-07-07T17:48:05.482Z",
"dateReserved": "2024-10-10T19:15:13.254Z",
"dateUpdated": "2025-07-07T18:04:40.952Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2025-20324
Vulnerability from cvelistv5
Published
2025-07-07 17:48
Modified
2025-07-08 13:36
Severity ?
EPSS score ?
Summary
Improper Access Control in System Source Types Configuration in Splunk Enterprise
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Splunk | Splunk Enterprise | |
| Splunk | Splunk Enterprise Cloud |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-20324",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-08T13:36:47.709223Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-08T13:36:57.794Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Splunk Enterprise",
"vendor": "Splunk",
"versions": [
{
"lessThan": "9.4.2",
"status": "affected",
"version": "9.4",
"versionType": "custom"
},
{
"lessThan": "9.3.5",
"status": "affected",
"version": "9.3",
"versionType": "custom"
},
{
"lessThan": "9.2.7",
"status": "affected",
"version": "9.2",
"versionType": "custom"
},
{
"lessThan": "9.1.10",
"status": "affected",
"version": "9.1",
"versionType": "custom"
}
]
},
{
"product": "Splunk Enterprise Cloud",
"vendor": "Splunk",
"versions": [
{
"lessThan": "9.3.2411.104",
"status": "affected",
"version": "9.3.2411",
"versionType": "custom"
},
{
"lessThan": "9.3.2408.113",
"status": "affected",
"version": "9.3.2408",
"versionType": "custom"
},
{
"lessThan": "9.2.2406.119",
"status": "affected",
"version": "9.2.2406",
"versionType": "custom"
}
]
}
],
"datePublic": "2025-07-07T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Splunk Enterprise versions below 9.4.2, 9.3.5, 9.2.7, and 9.1.10 and Splunk Cloud Platform versions below 9.3.2411.104, 9.3.2408.113, and 9.2.2406.119, a low-privileged user that does not hold the \"admin\" or \"power\" Splunk roles could create or overwrite [system source type](https://help.splunk.com/en/splunk-enterprise/get-started/get-data-in/9.2/configure-source-types/create-source-types) configurations by sending a specially-crafted payload to the `/servicesNS/nobody/search/admin/sourcetypes/` REST endpoint on the Splunk management port."
}
],
"value": "In Splunk Enterprise versions below 9.4.2, 9.3.5, 9.2.7, and 9.1.10 and Splunk Cloud Platform versions below 9.3.2411.104, 9.3.2408.113, and 9.2.2406.119, a low-privileged user that does not hold the \"admin\" or \"power\" Splunk roles could create or overwrite [system source type](https://help.splunk.com/en/splunk-enterprise/get-started/get-data-in/9.2/configure-source-types/create-source-types) configurations by sending a specially-crafted payload to the `/servicesNS/nobody/search/admin/sourcetypes/` REST endpoint on the Splunk management port."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.",
"lang": "en",
"type": "cwe"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-07T17:48:00.484Z",
"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"shortName": "cisco"
},
"references": [
{
"url": "https://advisory.splunk.com/advisories/SVD-2025-0707"
}
],
"source": {
"advisory": "SVD-2025-0707"
},
"title": "Improper Access Control in System Source Types Configuration in Splunk Enterprise"
}
},
"cveMetadata": {
"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"assignerShortName": "cisco",
"cveId": "CVE-2025-20324",
"datePublished": "2025-07-07T17:48:00.484Z",
"dateReserved": "2024-10-10T19:15:13.254Z",
"dateUpdated": "2025-07-08T13:36:57.794Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}