CVE-2025-20321Cross-Site Request Forgery in Enterprise

CWE-352Cross-Site Request ForgeryCWE-362Race Condition4 documents4 sources
Severity
4.3MEDIUMNVD
CNA6.5
EPSS
0.0%
top 88.94%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Splunk EnterpriseSplunk Enterprise CloudSplunk+1 more
Timeline
PublishedJul 7

Description

In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7 and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.104, 9.3.2408.114, and 9.2.2406.119, an unauthenticated attacker can send a specially-crafted SPL search that could change the membership state in a Splunk Search Head Cluster (SHC) through a Cross-Site Request Forgery (CSRF), potentially leading to the removal of the captain or a member of the SHC.The vulnerability requires the attacker to phish the administrator-level victim by

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages4 packages

NVDsplunk/splunk_cloud_platform9.2.24069.2.2406.119+2
CVEListV5splunk/splunk_enterprise_cloud9.3.24119.3.2411.104+2
CVEListV5splunk/splunk_enterprise9.49.4.3+3
NVDsplunk/splunk9.1.09.1.10+3

🔴Vulnerability Details

2
CVEList
Membership State Change in Splunk Search Head Cluster through a Cross-Site Request Forgery (CSRF) in Splunk Enterprise2025-07-07
GHSA
GHSA-v5r8-cj77-2qp9: In Splunk Enterprise versions below 92025-07-07

📋Vendor Advisories

1
Microsoft
A race condition accessing file object in the Linux kernel OverlayFS subsystem was found in the way users do rename in specific way with OverlayFS. A local user could use this flaw to crash the system2022-02-08
CVE-2025-20321 — Cross-Site Request Forgery in Splunk | cvebase