Vulnerabilities > Splunk > Splunk Cloud Platform
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-02-14 | CVE-2023-22936 | Server-Side Request Forgery (SSRF) vulnerability in Splunk and Splunk Cloud Platform In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the ‘search_listener’ parameter in a search allows for a blind server-side request forgery (SSRF) by an authenticated user. | 6.3 |
| 2023-02-14 | CVE-2023-22937 | Unrestricted Upload of File with Dangerous Type vulnerability in Splunk and Splunk Cloud Platform In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the lookup table upload feature let a user upload lookup tables with unnecessary filename extensions. | 4.3 |
| 2023-02-14 | CVE-2023-22938 | Unspecified vulnerability in Splunk and Splunk Cloud Platform In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the ‘sendemail’ REST API endpoint lets any authenticated user send an email as the Splunk instance. | 4.3 |
| 2023-02-14 | CVE-2023-22939 | Unspecified vulnerability in Splunk and Splunk Cloud Platform In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the ‘map’ search processing language (SPL) command lets a search bypass SPL safeguards for risky commands. | 8.8 |
| 2023-02-14 | CVE-2023-22940 | Unspecified vulnerability in Splunk and Splunk Cloud Platform In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, aliases of the ‘collect’ search processing language (SPL) command, including ‘summaryindex’, ‘sumindex’, ‘stash’,’ mcollect’, and ‘meventcollect’, were not designated as safeguarded commands. | 5.7 |
| 2023-02-14 | CVE-2023-22941 | Unspecified vulnerability in Splunk and Splunk Cloud Platform In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, an improperly-formatted ‘INGEST_EVAL’ parameter in a Field Transformation crashes the Splunk daemon (splunkd). | 7.5 |
| 2022-11-04 | CVE-2022-43562 | Injection vulnerability in Splunk and Splunk Cloud Platform In Splunk Enterprise versions below 8.1.12, 8.2.9, and 9.0.2, Splunk Enterprise fails to properly validate and escape the Host header, which could let a remote authenticated user conduct various attacks against the system, including cross-site scripting and cache poisoning. | 5.4 |
| 2022-11-04 | CVE-2022-43563 | Unspecified vulnerability in Splunk and Splunk Cloud Platform In Splunk Enterprise versions below 8.2.9 and 8.1.12, the way that the rex search command handles field names lets an attacker bypass SPL safeguards for risky commands https://docs.splunk.com/Documentation/SplunkCloud/latest/Security/SPLsafeguards . | 8.8 |
| 2022-11-04 | CVE-2022-43564 | Resource Exhaustion vulnerability in Splunk and Splunk Cloud Platform In Splunk Enterprise versions below 8.1.12, 8.2.9, and 9.0.2, a remote user who can create search macros and schedule search reports can cause a denial of service through the use of specially crafted search macros. | 6.5 |
| 2022-11-04 | CVE-2022-43565 | Unspecified vulnerability in Splunk and Splunk Cloud Platform In Splunk Enterprise versions below 8.2.9 and 8.1.12, the way that the ‘tstats command handles Javascript Object Notation (JSON) lets an attacker bypass SPL safeguards for risky commands https://docs.splunk.com/Documentation/SplunkCloud/latest/Security/SPLsafeguards . | 8.8 |