cbcvebase.
CVE-2024-36985
published 2024-07-01

Priority: P2 · 69 · high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EXPLOIT
EPSS: 6.52% (92.9th percentile)
In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10, a low-privileged user that does not hold the admin or power Splunk roles could cause a Remote Code Execution through an external lookup that references the "splunk_archiver" application.

Affected (6 ranges)

Vendor   Product            Version range        Fixed in
splunk   splunk             >= 9.0.0 < 9.0.10    9.0.10
splunk   splunk             >= 9.1.0 < 9.1.5     9.1.5
splunk   splunk             >= 9.2.0 < 9.2.2     9.2.2
splunk   splunk_enterprise  >= 9.0 < 9.0.10      9.0.10
splunk   splunk_enterprise  >= 9.1 < 9.1.5       9.1.5
splunk   splunk_enterprise  >= 9.2 < 9.2.2       9.2.2

Detection & IOCs (extracted from sources)

command: | copybuckets
process: sudobash
  • Monitor for low-privileged Splunk users invoking the '| copybuckets' SPL command, which is associated with the splunk_archiver application and should not be used by non-admin/non-power roles.
  • Alert on unexpected execution of the 'sudobash' helper script on Splunk Enterprise hosts, especially when invoked with externally-supplied arguments.
  • Exploitation requires authentication; the attacker must hold a valid (but low-privileged) Splunk account — not admin or power role.
  • Affected version ranges are: any release prior to 9.0.10, versions 9.1.2 through 9.1.5, and versions 9.2.0 through 9.2.2. Instances already on 9.0.10+, 9.1.5+, or 9.2.2+ are not affected.