CVE-2025-20379 | THREATINT

Description

In Splunk Enterprise versions below 10.0.1, 9.4.5, 9.3.7, and 9.2.9 and Splunk Cloud Platform versions below 9.3.2411.116, 9.3.2408.124, 10.0.2503.5 and 10.1.2507.1, a low-privileged user that does not hold the “admin“ or “power“ Splunk roles could run a saved search with a risky command using the permissions of a higher-privileged user to bypass the SPL safeguards for risky commands. They could bypass these safeguards on the “/services/streams/search“ endpoint through its “q“ parameter by circumventing endpoint restrictions using character encoding in the REST path. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The authenticated user should not be able to exploit the vulnerability at will.

PUBLISHED Reserved 2024-10-10 | Published 2025-11-12 | Updated 2025-11-12 | Assigner cisco

LOW: 3.5CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

Problem types

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Product status

10.0 (custom) before 10.0.1

affected

9.4 (custom) before 9.4.5

affected

9.3 (custom) before 9.3.7

affected

9.2 (custom) before 9.2.9

affected

9.3.2411 (custom) before 9.3.2411.116

affected

9.3.2408 (custom) before 9.3.2408.124

affected

10.0.2503 (custom) before 10.0.2503.5

affected

10.1.2507 (custom) before 10.1.2507.1

affected

Credits

Anton (therceman)

References

advisory.splunk.com/advisories/SVD-2025-1102

cve.org (CVE-2025-20379)

nvd.nist.gov (CVE-2025-20379)

Download JSON