Vulnerabilities > Splunk

DATE CVE VULNERABILITY TITLE RISK
2024-01-30 CVE-2023-46230 Information Exposure Through Log Files vulnerability in Splunk Add-On Builder 4.1.0/4.1.1/4.1.2
In Splunk Add-on Builder versions below 4.1.4, the app writes sensitive information to internal log files.
network
low complexity
splunk CWE-532
4.9
2024-01-30 CVE-2023-46231 Information Exposure Through Log Files vulnerability in Splunk Add-On Builder 4.1.0/4.1.1/4.1.2
In Splunk Add-on Builder versions below 4.1.4, the application writes user session tokens to its internal log files when you visit the Splunk Add-on Builder or when you build or edit a custom app or add-on.
network
low complexity
splunk CWE-532
7.2
2024-01-22 CVE-2024-23675 Incorrect Authorization vulnerability in Splunk Cloud and Splunk
In Splunk Enterprise versions below 9.0.8 and 9.1.3, Splunk app key value store (KV Store) improperly handles permissions for users that use the REST application programming interface (API).
network
low complexity
splunk CWE-863
6.5
2024-01-22 CVE-2024-23676 Unspecified vulnerability in Splunk Cloud and Splunk
In Splunk versions below 9.0.8 and 9.1.3, the “mrollup” SPL command lets a low-privileged user view metrics on an index that they do not have permission to view.
network
low complexity
splunk
3.5
2024-01-22 CVE-2024-23677 Information Exposure Through Log Files vulnerability in Splunk Cloud and Splunk
In Splunk Enterprise versions below 9.0.8, the Splunk RapidDiag utility discloses server responses from external applications in a log file.
network
low complexity
splunk CWE-532
5.3
2024-01-22 CVE-2024-23678 Unspecified vulnerability in Splunk
In Splunk Enterprise for Windows versions below 9.0.8 and 9.1.3, Splunk Enterprise does not correctly sanitize path input data.
local
low complexity
splunk
8.8
2024-01-09 CVE-2024-22164 Allocation of Resources Without Limits or Throttling vulnerability in Splunk Enterprise Security 7.1.0/7.1.1
In Splunk Enterprise Security (ES) versions below 7.1.2, an attacker can use investigation attachments to perform a denial of service (DoS) to the Investigation.
network
low complexity
splunk CWE-770
4.3
2024-01-09 CVE-2024-22165 Unspecified vulnerability in Splunk Enterprise Security 7.1.0/7.1.1
In Splunk Enterprise Security (ES) versions lower than 7.1.2, an attacker can create a malformed Investigation to perform a denial of service (DoS).
network
low complexity
splunk
6.5
2023-11-16 CVE-2023-46213 Cross-site Scripting vulnerability in Splunk Cloud and Splunk
In Splunk Enterprise versions below 9.0.7 and 9.1.2, ineffective escaping in the “Show syntax Highlighted” feature can result in the execution of unauthorized code in a user’s web browser.
network
low complexity
splunk CWE-79
4.8
2023-11-16 CVE-2023-46214 XML Injection (aka Blind XPath Injection) vulnerability in Splunk Cloud and Splunk
In Splunk Enterprise versions below 9.0.7 and 9.1.2, Splunk Enterprise does not safely sanitize extensible stylesheet language transformations (XSLT) that users supply.
network
low complexity
splunk CWE-91
8.8