Vulnerabilities > Splunk > High
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2019-08-05 | CVE-2019-3800 | Information Exposure vulnerability in multiple products CF CLI version prior to v6.45.0 (bosh release version 1.16.0) writes the client id and secret to its config file when the user authenticates with --client-credentials flag. | 7.8 |
| 2019-03-21 | CVE-2019-5729 | Improper Certificate Validation vulnerability in Splunk Software Development KIT Splunk-SDK-Python before 1.6.6 does not properly verify untrusted TLS server certificates, which could result in man-in-the-middle attacks. | 8.1 |
| 2018-10-23 | CVE-2018-7432 | Improper Input Validation vulnerability in Splunk Splunk Enterprise 6.2.x before 6.2.14, 6.3.x before 6.3.10, 6.4.x before 6.4.7, and 6.5.x before 6.5.3; and Splunk Light before 6.6.0 allow remote attackers to cause a denial of service via a crafted HTTP request. | 7.5 |
| 2018-10-23 | CVE-2018-7429 | Improper Input Validation vulnerability in Splunk Splunkd in Splunk Enterprise 6.2.x before 6.2.14 6.3.x before 6.3.11, and 6.4.x before 6.4.8; and Splunk Light before 6.5.0 allow remote attackers to cause a denial of service via a malformed HTTP request. | 7.5 |
| 2018-10-19 | CVE-2017-18348 | Incorrect Permission Assignment for Critical Resource vulnerability in Splunk Splunk Enterprise 6.6.x, when configured to run as root but drop privileges to a specific non-root account, allows local users to gain privileges by leveraging access to that non-root account to modify $SPLUNK_HOME/etc/splunk-launch.conf and insert Trojan horse programs into $SPLUNK_HOME/bin, because the non-root setup instructions state that chown should be run across all of $SPLUNK_HOME to give non-root access. | 7.0 |
| 2017-04-06 | CVE-2017-7565 | Path Traversal vulnerability in Splunk Hadoop Connect Splunk Hadoop Connect App has a path traversal vulnerability that allows remote authenticated users to execute arbitrary code, aka ERP-2041. | 8.8 |
| 2014-04-07 | CVE-2014-0160 | Out-of-bounds Read vulnerability in multiple products The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug. | 7.5 |
| 2010-09-14 | CVE-2010-3322 | XXE vulnerability in Splunk The XML parser in Splunk 4.0.0 through 4.1.4 allows remote authenticated users to obtain sensitive information and gain privileges via an XML External Entity (XXE) attack to unknown vectors. | 8.8 |