CVE-2025-20232 | THREATINT

Description

In Splunk Enterprise versions below 9.3.3, 9.2.5, and 9.1.8 and Splunk Cloud Platform versions below 9.3.2408.103, 9.2.2406.108, 9.2.2403.113, 9.1.2312.208 and 9.1.2308.212, a low-privileged user that does not hold the “admin“ or “power“ Splunk roles could run a saved search with a risky command using the permissions of a higher-privileged user to bypass the SPL safeguards for risky commands on the “/app/search/search“ endpoint through its “s“ parameter. <br>The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The authenticated user should not be able to exploit the vulnerability at will.

Reserved 2024-10-10 | Published 2025-03-26 | Updated 2025-03-27 | Assigner cisco

MEDIUM: 5.7CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

Problem types

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Product status

9.3 before 9.3.3

affected

9.2 before 9.2.5

affected

9.1 before 9.1.8

affected

9.3.2408 before 9.3.2408.103

affected

9.2.2406 before 9.2.2406.108

affected

9.2.2403 before 9.2.2403.113

affected

9.1.2312 before 9.1.2312.208

affected

9.1.2308 before 9.1.2308.212

affected

Credits

Anton (therceman)

References

advisory.splunk.com/advisories/SVD-2025-0304

cve.org (CVE-2025-20232)

nvd.nist.gov (CVE-2025-20232)

Download JSON