Splunk RCE Vulnerability Let Attackers Execute Arbitrary Code Via File Upload
- С сайта: Vulnerability(cybersecuritynews.com)
- Вернуться к списку новостей
С сайта: Vulnerability(cybersecuritynews.com)
Splunk has released patches to address a high-severity Remote Code Execution (RCE) vulnerability affecting Splunk Enterprise and Splunk Cloud Platform. The vulnerability, identified as CVE-2025-20229, could allow a low-privileged user to execute arbitrary code by uploading malicious files.
The vulnerability exists in Splunk Enterprise versions before 9.3.3, 9.2.5, and 9.1.8, as well as Splunk Cloud Platform versions before 9.3.2408.104, 9.2.2406.108, 9.2.2403.114, and 9.1.2312.208.
According to Splunk’s advisory, a low-privileged user without “admin” or “power” roles could exploit the vulnerability. This is achieved through uploading a file to the “$SPLUNK_HOME/var/run/splunk/apptemp” directory, bypassing necessary authorization checks.
Splunk has assigned a CVSSv3.1 score of 8.0, marking it as a high-severity issue with the vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H.
To remediate the vulnerability, Splunk recommends upgrading Splunk Enterprise to versions 9.4.0, 9.3.3, 9.2.5, 9.1.8, or later. For Splunk Cloud Platform users, Splunk is actively monitoring and patching instances.
Vulnerability in Splunk Secure Gateway App
In addition to the RCE vulnerability, Splunk disclosed a separate high-severity vulnerability affecting the Splunk Secure Gateway app.
This vulnerability, identified as CVE-2025-20231, could allow a low-privileged user to search using the permissions of a higher-privileged user, potentially leading to sensitive information disclosure.
ProductAffected VersionsFixed VersionsSplunk Enterprise9.3.0-9.3.2, 9.2.0-9.2.4, 9.1.0-9.1.79.3.3, 9.2.5, 9.1.8, 9.4.0Splunk Cloud Platform9.3.2408.100-9.3.2408.103, 9.2.2406.100-9.2.2406.107, Below 9.2.2403.113, Below 9.1.2312.2079.3.2408.104, 9.2.2406.108, 9.2.2403.114, 9.1.2312.208Splunk Secure Gateway AppBelow 3.8.38, Below 3.7.233.8.38, 3.7.23
The vulnerability impacts Splunk Enterprise versions below 9.4.1, 9.3.3, 9.2.5, and 9.1.8 and Splunk Secure Gateway app versions below 3.8.38 and 3.7.23 on Splunk Cloud Platform.
The Splunk Secure Gateway exposes user session and authorization tokens in clear text within the splunk_secure_gateway.log file when calling the /services/ssg/secrets REST endpoint.
Successful exploitation requires an attacker to trick a victim into initiating a request within their browser. Splunk has rated this vulnerability as high severity, with a CVSSv3.1 score of 7.1 and a vector of CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H.
To address this issue, Splunk advises upgrading Splunk Enterprise to versions 9.4.1, 9.3.3, 9.2.5, and 9.1.8 or later. Splunk is also actively patching Splunk Cloud Platform instances.
Users can disable the Splunk Secure Gateway App as a workaround, though this may impact functionality for Splunk Mobile, Spacebridge, and Mission Control users.
Splunk encourages customers to stay informed about security updates and apply patches promptly to protect their systems from potential exploits.
#Cyber_Security #Cyber_Security_News #Vulnerability #Vulnerability_News #cyber_security #cyber_security_news #vulnerability
Оригинальная версия на сайте:
Splunk RCE Vulnerability Let Attackers Execute Arbitrary Code Via File Upload
Author: Guru BaranSplunk has released patches to address a high-severity Remote Code Execution (RCE) vulnerability affecting Splunk Enterprise and Splunk Cloud Platform. The vulnerability, identified as CVE-2025-20229, could allow a low-privileged user to execute arbitrary code by uploading malicious files.
The vulnerability exists in Splunk Enterprise versions before 9.3.3, 9.2.5, and 9.1.8, as well as Splunk Cloud Platform versions before 9.3.2408.104, 9.2.2406.108, 9.2.2403.114, and 9.1.2312.208.
According to Splunk’s advisory, a low-privileged user without “admin” or “power” roles could exploit the vulnerability. This is achieved through uploading a file to the “$SPLUNK_HOME/var/run/splunk/apptemp” directory, bypassing necessary authorization checks.
Splunk has assigned a CVSSv3.1 score of 8.0, marking it as a high-severity issue with the vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H.
To remediate the vulnerability, Splunk recommends upgrading Splunk Enterprise to versions 9.4.0, 9.3.3, 9.2.5, 9.1.8, or later. For Splunk Cloud Platform users, Splunk is actively monitoring and patching instances.
Vulnerability in Splunk Secure Gateway App
In addition to the RCE vulnerability, Splunk disclosed a separate high-severity vulnerability affecting the Splunk Secure Gateway app.
This vulnerability, identified as CVE-2025-20231, could allow a low-privileged user to search using the permissions of a higher-privileged user, potentially leading to sensitive information disclosure.
ProductAffected VersionsFixed VersionsSplunk Enterprise9.3.0-9.3.2, 9.2.0-9.2.4, 9.1.0-9.1.79.3.3, 9.2.5, 9.1.8, 9.4.0Splunk Cloud Platform9.3.2408.100-9.3.2408.103, 9.2.2406.100-9.2.2406.107, Below 9.2.2403.113, Below 9.1.2312.2079.3.2408.104, 9.2.2406.108, 9.2.2403.114, 9.1.2312.208Splunk Secure Gateway AppBelow 3.8.38, Below 3.7.233.8.38, 3.7.23
The vulnerability impacts Splunk Enterprise versions below 9.4.1, 9.3.3, 9.2.5, and 9.1.8 and Splunk Secure Gateway app versions below 3.8.38 and 3.7.23 on Splunk Cloud Platform.
The Splunk Secure Gateway exposes user session and authorization tokens in clear text within the splunk_secure_gateway.log file when calling the /services/ssg/secrets REST endpoint.
Successful exploitation requires an attacker to trick a victim into initiating a request within their browser. Splunk has rated this vulnerability as high severity, with a CVSSv3.1 score of 7.1 and a vector of CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H.
To address this issue, Splunk advises upgrading Splunk Enterprise to versions 9.4.1, 9.3.3, 9.2.5, and 9.1.8 or later. Splunk is also actively patching Splunk Cloud Platform instances.
Users can disable the Splunk Secure Gateway App as a workaround, though this may impact functionality for Splunk Mobile, Spacebridge, and Mission Control users.
Splunk encourages customers to stay informed about security updates and apply patches promptly to protect their systems from potential exploits.
#Cyber_Security #Cyber_Security_News #Vulnerability #Vulnerability_News #cyber_security #cyber_security_news #vulnerability
Оригинальная версия на сайте:
