CVE-2025-20324

CWE-284Improper Access Control3 documents3 sources
Severity
5.4MEDIUM
EPSS
0.1%
top 82.76%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Splunk Splunk EnterpriseSplunk Splunk Enterprise CloudSplunk Splunk+1 more
Timeline
PublishedJul 7

Description

In Splunk Enterprise versions below 9.4.2, 9.3.5, 9.2.7, and 9.1.10 and Splunk Cloud Platform versions below 9.3.2411.104, 9.3.2408.113, and 9.2.2406.119, a low-privileged user that does not hold the "admin" or "power" Splunk roles could create or overwrite [system source type](https://help.splunk.com/en/splunk-enterprise/get-started/get-data-in/9.2/configure-source-types/create-source-types) configurations by sending a specially-crafted payload to the `/servicesNS/nobody/search/admin/sourcetype

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.5

Affected Packages4 packages

CVEListV5splunk/splunk_enterprise_cloud9.3.24119.3.2411.104+2
CVEListV5splunk/splunk_enterprise9.49.4.2+3
NVDsplunk/splunk_cloud_platform9.2.24069.2.2406.119+2
NVDsplunk/splunk9.1.09.1.10+3

🔴Vulnerability Details

2
CVEList
Improper Access Control in System Source Types Configuration in Splunk Enterprise2025-07-07
GHSA
GHSA-gw68-m2h3-q75j: In Splunk Enterprise versions below 92025-07-07