CVE-2024-36991
Published 2024-07-01
Priority: P182 · high · 7.5 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 13.11% (95.9th percentile)
In Splunk Enterprise on Windows versions below 9.2.2, 9.1.5, and 9.0.10, an attacker could perform a path traversal on the /modules/messaging/ endpoint in Splunk Enterprise on Windows. This vulnerability should only affect Splunk Enterprise on Windows.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| splunk | splunk | >= 9.0.0 < 9.0.10 | 9.0.10 |
| splunk | splunk | >= 9.1.0 < 9.1.5 | 9.1.5 |
| splunk | splunk | >= 9.2.0 < 9.2.2 | 9.2.2 |
| splunk | splunk_enterprise | >= 9.0 < 9.0.10 | 9.0.10 |
| splunk | splunk_enterprise | >= 9.1 < 9.1.5 | 9.1.5 |
| splunk | splunk_enterprise | >= 9.2 < 9.2.2 | 9.2.2 |
Detection & IOCs
- This vulnerability is Windows-only. Splunk Enterprise on Linux/macOS is not affected.
- The exploit is unauthenticated; no session or credentials are required to trigger the path traversal on the /modules/messaging/ endpoint.
CVSS provenance
nvd · v3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vulncheck · 7.5 HIGH
GHSA
GHSA-fg59-j242-rcj9: In Splunk Enterprise on Windows versions below 9
ghsa_unreviewed · 2024-07-01
CVE-2024-36991 [HIGH] CWE-22
In Splunk Enterprise on Windows versions below 9.2.2, 9.1.5, and 9.0.10, an attacker could perform a path traversal on the /modules/messaging/ endpoint in Splunk Enterprise on Windows. This vulnerability should only affect Splunk Enterprise on Windows.
VulnCheck
splunk splunk Path Traversal: '.../...//'
vulncheck · 2024 · CVSS 7.5
CVE-2024-36991 [HIGH]
In Splunk Enterprise on Windows versions below 9.2.2, 9.1.5, and 9.0.10, an attacker could perform a path traversal on the /modules/messaging/ endpoint in Splunk Enterprise on Windows. This vulnerability should only affect Splunk Enterprise on Windows.
Affected: splunk splunk
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References:
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-11-03&host_type=src&vulnerability=cve-2024-36991
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-11-22&host_type=src&vulnerability=cve-2024-36991
- https://dashboard.shadowserver
Suricata
ET EXPLOIT Splunk Unauthenticated Path Traversal Attempt Inbound (CVE-2024-36991)
suricata · 2024-07-09 · CVSS 7.5
CVE-2024-36991 [HIGH]
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Splunk Unauthenticated Path Traversal Attempt Inbound (CVE-2024-36991)"; flow:established,to_server; http.uri; content:"/modules/messaging"; fast_pattern; pcre:"/^\/([A-Z]:\.(\.?(\/\/?|\\\\?))){2,}/Ri"; reference:cve,2024-36991; classtype:attempted-admin; sid:2054410; rev:1; metadata:affected_product Splunk, created_at 2024_07_09, cve CVE_2024_36991, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_07_09, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1083, mitre_technique_name File_And_Directory_Discovery; tar
Nuclei
Splunk Enterprise - Local File Inclusion
nuclei · CVSS 7.5
CVE-2024-36991 [HIGH]
In Splunk Enterprise on Windows versions below 9.2.2, 9.1.5, and 9.0.10, an attacker could perform a path traversal on the /modules/messaging/ endpoint in Splunk Enterprise on Windows. This vulnerability should only affect Splunk Enterprise on Windows.
Template:
```yaml
id: CVE-2024-36991
info:
  name: Splunk Enterprise - Local File Inclusion
  author: DhiyaneshDK
  severity: high
  description: |
    In Splunk Enterprise on Windows versions below 9.2.2, 9.1.5, and 9.0.10, an attacker could perform a path traversal on the /modules/messaging/ endpoint in Splunk Enterprise on Windows. This vulnerability should only affect Splunk Enterprise on Windows.
  impact: |
    Attackers can perform path traversal to access sensitive filesystem locations on Splunk Enterprise for Wind
```
2024-07-01: Published
Exploited in the wild