CVE-2024-36985
Published 2024-07-01

Priority: P2 · 69 · high · CVSS 3.1 base score 8.8
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit: EPSS 6.52% (92.9th percentile)
In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10, a low-privileged user that does not hold the admin or power Splunk roles could cause a Remote Code Execution through an external lookup that references the “splunk_archiver” application.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| splunk | splunk | >= 9.0.0 < 9.0.10 | 9.0.10 |
| splunk | splunk | >= 9.1.0 < 9.1.5 | 9.1.5 |
| splunk | splunk | >= 9.2.0 < 9.2.2 | 9.2.2 |
| splunk | splunk_enterprise | >= 9.0 < 9.0.10 | 9.0.10 |
| splunk | splunk_enterprise | >= 9.1 < 9.1.5 | 9.1.5 |
| splunk | splunk_enterprise | >= 9.2 < 9.2.2 | 9.2.2 |
Detection & IOCs
- Monitor for low-privileged Splunk users invoking the '| copybuckets' SPL command, which is associated with the splunk_archiver application and should not be used by non-admin/non-power roles.
- Alert on unexpected execution of the 'sudobash' helper script on Splunk Enterprise hosts, especially when invoked with externally-supplied arguments.
- Exploitation requires authentication; the attacker must hold a valid (but low-privileged) Splunk account, not the admin or power role.
- Affected version ranges are: any release prior to 9.0.10, versions 9.1.2 through 9.1.5, and versions 9.2.0 through 9.2.2. Instances already on 9.0.10+, 9.1.5+, or 9.2.2+ are not affected.
No detection rules found.
No writeups or analysis indexed.