Description

In Splunk Enterprise versions below 9.4.1, 9.3.3, 9.2.5, and 9.1.8 and Splunk Cloud Platform versions below 9.3.2408.107, 9.2.2406.111, and 9.1.2308.214, a low-privileged user that does not hold the "admin" or "power" Splunk roles could run a saved search with a risky command using the permissions of a higher-privileged user to bypass the SPL safeguards for risky commands on the "/services/streams/search" endpoint through its "q" parameter. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The authenticated user should not be able to exploit the vulnerability at will.

PUBLISHED Reserved 2024-10-10 | Published 2025-03-26 | Updated 2025-03-27 | Assigner cisco




MEDIUM: 5.7 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

Problem types

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Product status

9.4 (custom) before 9.4.1: affected

9.3 (custom) before 9.3.3: affected

9.2 (custom) before 9.2.5: affected

9.1 (custom) before 9.1.8: affected

9.3.2408 (custom) before 9.3.2408.107: affected

9.2.2406 (custom) before 9.2.2406.111: affected

9.1.2308 (custom) before 9.1.2308.214: affected

Credits

Anton (therceman)

References

advisory.splunk.com/advisories/SVD-2025-0305

cve.org (CVE-2025-20226)

nvd.nist.gov (CVE-2025-20226)

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.