Splunk: Updates close security gaps in several products
Several high-risk vulnerabilities affect Splunk's security and monitoring software. Updates close them.
(Image: Created with AI in Bing Creator by heise online / dmk)
Splunk has published advisories for a number of security vulnerabilities in several of its products. Updated software packages are available for download; admins should install them to close the holes.
The most serious gap is in Splunk Enterprise. An attacker on the network can upload a file to the "$SPLUNK_HOME/var/run/splunk/apptemp" directory and execute malicious code. A login is required, but not the elevated rights of the "admin" or "power" roles: a low-privileged account suffices (CVE-2025-20229, CVSS 8.0, risk "high"). Updating to Splunk Enterprise 9.4.0, 9.3.3, 9.2.5, 9.1.8 or newer on the respective maintenance branch fixes the bug; on Splunk Cloud Platform, Splunk monitors and applies the patches itself.
Splunk: High-risk gaps
A vulnerability in the Splunk Secure Gateway app can also leak sensitive information (CVE-2025-20231, CVSS 7.1, risk "high"). Low-privileged users can run a search with the permissions of a higher-privileged user and so read data they are not authorized to see. In addition, when a certain REST endpoint is called, user session and authorization tokens are written in plain text to "splunk_secure_gateway.log". Exploitation requires phishing: the attacker has to trick a victim into triggering the request from their web browser. Because the tokens land in a log file, admins should also check that file for leaked tokens and rotate any they find. Splunk Enterprise versions 9.4.1, 9.3.3, 9.2.5, 9.1.8 and newer close these gaps.
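The fixed versions above are per maintenance branch: a 9.3.x installation is patched at 9.3.3, not by "anything below 9.4.0", and 9.4.0 fixes CVE-2025-20229 but not CVE-2025-20231. The following script, an added example that is not Splunk's own tooling, encodes exactly the fixed versions named in the article and classifies an inventory of Splunk Enterprise hosts against them. The hostnames and versions in SAMPLE_INVENTORY are constructed; treating branches newer than 9.4 as fixed and branches older than 9.1 as "unlisted" (no fix named on this page, so a branch upgrade is needed) is an assumption of the example.

```python
"""Classify Splunk Enterprise versions against the fixed versions from this
advisory round. Added example; not Splunk's own code."""
import re

# Fixed versions as listed in the article, keyed by CVE and then by the
# 9.x maintenance branch. "Or newer" applies within a branch.
FIXED_VERSIONS = {
    "CVE-2025-20229": {(9, 4): (9, 4, 0), (9, 3): (9, 3, 3),
                       (9, 2): (9, 2, 5), (9, 1): (9, 1, 8)},
    "CVE-2025-20231": {(9, 4): (9, 4, 1), (9, 3): (9, 3, 3),
                       (9, 2): (9, 2, 5), (9, 1): (9, 1, 8)},
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_version(text):
    """Turn '9.2.5' (or '9.2') into a comparable (major, minor, patch) tuple."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Splunk version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def assess(version_text, cve):
    """Return 'fixed', 'vulnerable' or 'unlisted' for one host and one CVE.

    'unlisted' means the branch has no fixed version on the page (e.g. 9.0.x);
    the assumption here is that such hosts need an upgrade to a listed branch.
    Branches newer than any listed one are assumed to carry the fix.
    """
    version = parse_version(version_text)
    branch_fixes = FIXED_VERSIONS[cve]
    branch = version[:2]
    if branch not in branch_fixes:
        return "fixed" if branch > max(branch_fixes) else "unlisted"
    return "fixed" if version >= branch_fixes[branch] else "vulnerable"


def assess_fleet(inventory):
    """inventory: {hostname: version string} -> {hostname: {cve: status}}."""
    return {host: {cve: assess(ver, cve) for cve in FIXED_VERSIONS}
            for host, ver in inventory.items()}


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "sh-01": "9.4.0",    # fixed for CVE-2025-20229, not for CVE-2025-20231
    "idx-01": "9.2.4",   # one patch release short on the 9.2 branch
    "idx-02": "9.1.8",   # patched
    "legacy": "9.0.9",   # branch not listed on the page
}

if __name__ == "__main__":
    for host, result in assess_fleet(SAMPLE_INVENTORY).items():
        print(host, result)
```

Feed it the output of `splunk version` from each host (or the version field from a deployment server inventory) and act on every "vulnerable" or "unlisted" entry; the script deliberately reports the two CVEs separately, since the 9.4 branch needs 9.4.1 for the Secure Gateway fix.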
Splunk also rates as high-risk several vulnerabilities in third-party components shipped with its software, namely in Splunk Enterprise, Splunk App for Data Science and Deep Learning, Splunk DB Connect and the Splunk Infrastructure Monitoring Add-on. Splunk further warns of vulnerabilities rated medium or low and provides updates for them.
The individual advisories, sorted by severity in descending order:
- Remote Code Execution through file upload to "$SPLUNK_HOME/var/run/splunk/apptemp" directory in Splunk Enterprise CVE-2025-20229, CVSS 8.0, risk "high"
- Sensitive Information Disclosure in Splunk Secure Gateway App CVE-2025-20231, CVSS 7.1, risk "high"
- Third-party package updates in Splunk Enterprise Multiple CVEs, risk "high"
- Third-party package updates in Splunk App for Data Science and Deep Learning Multiple CVEs, risk "high"
- Third-party package updates in Splunk DB Connect Multiple CVEs, risk "high"
- Third-party package updates in Splunk Infrastructure Monitoring Add-on CVE-2024-39338, no Splunk-assigned CVSS score, risk "high"
- Third-party package updates in Splunk Add-on for Microsoft Cloud Services Multiple CVEs, risk "medium"
- Maintenance mode state change of App Key Value Store (KVStore) through a Cross-Site Request Forgery (CSRF) in Splunk Enterprise CVE-2025-20228, CVSS 6.5, risk "medium"
- Risky command safeguards bypass in "/app/search/search" endpoint through "s" parameter in Splunk Enterprise CVE-2025-20232, CVSS 5.7, risk "medium"
- Risky command safeguards bypass in "/services/streams/search" endpoint through "q" parameter in Splunk Enterprise CVE-2025-20226, CVSS 5.7, risk "medium"
- Information Disclosure through external content warning modal dialog box bypass in Splunk Enterprise Dashboard Studio CVE-2025-20227, CVSS 4.3, risk "medium"
- Missing Access Control and Incorrect Ownership of Data in App Key Value Store (KVStore) collections in the Splunk Secure Gateway App CVE-2025-20230, CVSS 4.3, risk "medium"
- Incorrect permissions set by the "chmod" and "makedirs" Python functions in Splunk App for Lookup File Editing CVE-2025-20233, CVSS 2.5, risk "low"
Cisco acquired Splunk a year ago. Shortly afterwards, the developers began integrating Splunk's functions with Cisco's software; one of the first integrations involved Cisco's AppDynamics.
(dmk)