Vulnerabilities > Splunk > Critical
DATE | CVE | VULNERABILITY TITLE AND DESCRIPTION | RISK |
---|---|---|---|
2023-06-01 | CVE-2023-32713 | Improper Privilege Management vulnerability in Splunk App for Stream: In Splunk App for Stream versions below 8.1.1, a low-privileged user could use a vulnerability in the streamfwd process within the Splunk App for Stream to escalate their privileges on the machine that runs the Splunk Enterprise instance, up to and including the root user. | 9.9 |
2023-02-23 | CVE-2023-23914 | Cleartext Transmission of Sensitive Information vulnerability in multiple products: A cleartext transmission of sensitive information vulnerability exists in curl <v7.88.0 that could cause HSTS functionality to fail when multiple URLs are requested serially. | 9.1 |
2022-12-05 | CVE-2022-32221 | Exposure of Resource to Wrong Sphere vulnerability in multiple products: When doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously was used to issue a `PUT` request which used that callback. | 9.8 |
2022-11-22 | CVE-2022-36227 | NULL Pointer Dereference vulnerability in multiple products: In libarchive before 3.6.2, the software does not check for an error after calling the calloc function, which can return a NULL pointer if it fails, leading to a NULL pointer dereference. | 9.8 |
2022-08-16 | CVE-2022-37437 | Improper Certificate Validation vulnerability in Splunk 9.0.0: When using Ingest Actions to configure a destination that resides on Amazon Simple Storage Service (S3) in Splunk Web, TLS certificate validation is not correctly performed and tested for the destination. | 9.8 |
2022-07-07 | CVE-2022-32207 | Incorrect Default Permissions vulnerability in multiple products: When curl < 7.84.0 saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by finalizing the operation with a rename from a temporary name to the final target file name. In that rename operation, it might accidentally *widen* the permissions for the target file, leaving the updated file accessible to more users than intended. | 9.8 |
2022-06-15 | CVE-2022-32151 | Improper Certificate Validation vulnerability in Splunk: The httplib and urllib Python libraries that Splunk shipped with Splunk Enterprise did not validate certificates using the certificate authority (CA) certificate stores by default in Splunk Enterprise versions before 9.0 and Splunk Cloud Platform versions before 8.2.2203. | 9.1 |
2022-06-15 | CVE-2022-32158 | Unspecified vulnerability in Splunk: Splunk Enterprise deployment servers in versions before 8.1.10.1, 8.2.6.1, and 9.0 let clients deploy forwarder bundles to other deployment clients through the deployment server. | 10.0 |
2021-09-23 | CVE-2021-22945 | Double Free vulnerability in multiple products: When sending data to an MQTT server, libcurl <= 7.73.0 and 7.78.0 could in some circumstances erroneously keep a pointer to an already freed memory area and both use that again in a subsequent call to send data and also free it *again*. | 9.1 |
2021-06-02 | CVE-2021-3520 | Integer Overflow or Wraparound vulnerability in multiple products: There's a flaw in lz4. | 9.8 |