Splunk Enterprise vulnerabilities
149 known vulnerabilities affecting splunk/splunk_enterprise.
Total CVEs: 149
CISA KEV: 1 (actively exploited)
Public exploits: 6
Exploited in wild: 2
Severity breakdown: CRITICAL 2, HIGH 45, MEDIUM 95, LOW 7
Vulnerabilities
Page 7 of 8
CVE-2023-22932 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | ≥ 9.0, < 9.0.4 | 2023-02-14
In Splunk Enterprise 9.0 versions before 9.0.4, a View allows for Cross-Site Scripting (XSS) through the error message in a Base64-encoded image. The vulnerability affects instances with Splunk Web enabled. It does not affect Splunk Enterprise versions below 9.0.
nvd
CVE-2024-45738 | P4 | MEDIUM | CVSS 4.9 | CWE-200 | ≥ 9.3, < 9.3.1; ≥ 9.2, < 9.2.3; +1 more | 2024-10-14
In Splunk Enterprise versions below 9.3.1, 9.2.3, and 9.1.6, the software potentially exposes sensitive HTTP parameters to the `_internal` index. This exposure could happen if you configure the Splunk Enterprise `REST_Calls` log channel at the DEBUG logging level.
nvd
CVE-2025-20383 | P4 | MEDIUM | CVSS 4.3 | CWE-200 | ≥ 10.0, < 10.0.2; ≥ 9.4, < 9.4.6; +2 more | 2025-12-03
In Splunk Enterprise versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, and below 3.9.10, 3.8.58, and 3.7.28 of Splunk Secure Gateway app in Splunk Cloud Platform, a low-privileged user that does not hold the "admin" or "power" Splunk roles and subscribes to mobile push notifications could receive notifications that disclose the title and description o
nvd
CVE-2023-46213 | P4 | MEDIUM | CVSS 4.8 | CWE-79 | ≥ 9.0, < 9.0.7; ≥ 9.1, < 9.1.2 | 2023-11-16
In Splunk Enterprise versions below 9.0.7 and 9.1.2, ineffective escaping in the “Show syntax Highlighted” feature can result in the execution of unauthorized code in a user’s web browser.
nvd
CVE-2023-22938 | P4 | MEDIUM | CVSS 4.3 | CWE-285 | ≥ 8.1, < 8.1.13; ≥ 8.2, < 8.2.10; +1 more | 2023-02-14
In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the ‘sendemail’ REST API endpoint lets any authenticated user send an email as the Splunk instance. The endpoint is now restricted to the ‘splunk-system-user’ account on the local instance.
nvd
CVE-2024-45734 | P4 | MEDIUM | CVSS 4.3 | CWE-284 | ≥ 9.2, < 9.2.3; ≥ 9.1, < 9.1.6 | 2024-10-14
In Splunk Enterprise versions 9.3.0, 9.2.3, and 9.1.6, a low-privileged user that does not hold the "admin" or "power" Splunk roles could view images on the machine that runs Splunk Enterprise by using the PDF export feature in Splunk classic dashboards. The images on the machine could be exposed by exporting the dashboard as a PDF, using the local i
nvd
CVE-2025-20300 | P4 | MEDIUM | CVSS 4.3 | CWE-863 | ≥ 9.4, < 9.4.2; ≥ 9.3, < 9.3.5; +2 more | 2025-07-07
In Splunk Enterprise versions below 9.4.2, 9.3.5, 9.2.6, and 9.1.9 and Splunk Cloud Platform versions below 9.3.2411.103, 9.3.2408.112, and 9.2.2406.119, a low-privileged user that does not hold the "admin" or "power" Splunk roles, and has read-only access to a specific alert, could suppress that alert when it triggers. See [Define alert suppression
nvd
CVE-2022-37439 | P4 | MEDIUM | CVSS 5.5 | CWE-409 | ≥ 8.2, < 8.2.7.1; ≥ 8.1, < 8.1.11 | 2022-08-16
In Splunk Enterprise and Universal Forwarder versions in the following table, indexing a specially crafted ZIP file using the file monitoring input can result in a crash of the application. Attempts to restart the application would result in a crash and would require manually removing the malformed file.
nvd
CVE-2023-22937 | P4 | MEDIUM | CVSS 4.3 | CWE-20 | ≥ 8.1, < 8.1.13; ≥ 8.2, < 8.2.10; +1 more | 2023-02-14
In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the lookup table upload feature let a user upload lookup tables with unnecessary filename extensions. Lookup table file extensions may now be one of the following only: .csv, .csv.gz, .kmz, .kml, .mmdb, or .mmdb.gzl.
nvd
CVE-2023-32717 | P4 | MEDIUM | CVSS 4.3 | CWE-285 | ≥ 8.1, < 8.1.14; ≥ 8.2, < 8.2.11; +1 more | 2023-06-01
On Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, and in Splunk Cloud Platform versions below 9.0.2303.100, an unauthorized user can access the `/services/indexing/preview` REST endpoint to overwrite search results if they know the search ID (SID) of an existing search job.
nvd
CVE-2023-22931 | P4 | MEDIUM | CVSS 4.3 | CWE-285 | ≥ 8.1, < 8.1.13; ≥ 8.2, < 8.2.10 | 2023-02-14
In Splunk Enterprise versions below 8.1.13 and 8.2.10, the ‘createrss’ external search command overwrites existing Resource Description Format Site Summary (RSS) feeds without verifying permissions. This feature has been deprecated and disabled by default.
nvd
CVE-2024-53245 | P4 | MEDIUM | CVSS 4.3 | CWE-200 | ≥ 9.2, < 9.2.4; ≥ 9.1, < 9.1.7 | 2024-12-10
In Splunk Enterprise versions below 9.3.0, 9.2.4, and 9.1.7 and Splunk Cloud Platform versions below 9.1.2312.206, a low-privileged user that does not hold the “admin” or “power” Splunk roles, that has a username with the same name as a role with read access to dashboards, could see the dashboard name and the dashboard XML by cloning the dashboard.
nvd
CVE-2024-45735 | P4 | MEDIUM | CVSS 4.3 | CWE-284 | ≥ 9.2, < 9.2.3; ≥ 9.1, < 9.1.6 | 2024-10-14
In Splunk Enterprise versions below 9.2.3 and 9.1.6, and Splunk Secure Gateway versions on Splunk Cloud Platform versions below 3.4.259, 3.6.17, and 3.7.0, a low-privileged user that does not hold the "admin" or "power" Splunk roles can see App Key Value Store (KV Store) deployment configuration and public/private keys in the Splunk Secure Gateway A
nvd
CVE-2024-53243 | P4 | MEDIUM | CVSS 4.3 | CWE-200 | ≥ 9.3, < 9.3.2; ≥ 9.2, < 9.2.4; +1 more | 2024-12-10
In Splunk Enterprise versions below 9.3.2, 9.2.4, and 9.1.7 and versions below 3.2.462, 3.7.18, and 3.8.5 of the Splunk Secure Gateway app on Splunk Cloud Platform, a low-privileged user that does not hold the “admin” or “power” Splunk roles could see alert search query responses using Splunk Secure Gateway App Key Value Store (KVstore) collections e
nvd
CVE-2024-36989 | P4 | MEDIUM | CVSS 4.3 | CWE-284 | ≥ 9.2, < 9.2.2; ≥ 9.1, < 9.1.5; +1 more | 2024-07-01
In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.200, a low-privileged user that does not hold the admin or power Splunk roles could create notifications in Splunk Web Bulletin Messages that all users on the instance receive.
nvd
CVE-2025-20323 | P4 | MEDIUM | CVSS 4.3 | CWE-284 | ≥ 9.4, < 9.4.3; ≥ 9.3, < 9.3.5; +2 more | 2025-07-07
In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7, and 9.1.10, a low-privileged user that does not hold the "admin" or "power" Splunk roles could turn off the scheduled search `Bucket Copy Trigger` within the Splunk Archiver application. This is because of missing access controls in the saved searches for this app.
nvd
CVE-2022-43561 | P4 | MEDIUM | CVSS 4.8 | CWE-79 | ≥ 8.1, < 8.1.12; ≥ 8.2, < 8.2.9; +1 more | 2022-11-03
In Splunk Enterprise versions below 8.1.12, 8.2.9, and 9.0.2, a remote user that holds the “power” Splunk role can store arbitrary scripts that can lead to persistent cross-site scripting (XSS). The vulnerability affects instances with Splunk Web enabled.
nvd
CVE-2025-20227 | P4 | MEDIUM | CVSS 4.3 | CWE-20 | ≥ 9.4, < 9.4.1; ≥ 9.3, < 9.3.3; +2 more | 2025-03-26
In Splunk Enterprise versions below 9.4.1, 9.3.3, 9.2.5, and 9.1.8, and Splunk Cloud Platform versions below 9.3.2408.107, 9.2.2406.112, 9.2.2403.115, 9.1.2312.208 and 9.1.2308.214, a low-privileged user that does not hold the "admin" or "power" Splunk roles could bypass the external content warning modal dialog box in Dashboard Studio dashboards whi
nvd
CVE-2025-20321 | P4 | MEDIUM | CVSS 4.3 | CWE-352 | ≥ 9.4, < 9.4.3; ≥ 9.3, < 9.3.5; +2 more | 2025-07-07
In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7 and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.104, 9.3.2408.114, and 9.2.2406.119, an unauthenticated attacker can send a specially-crafted SPL search that could change the membership state in a Splunk Search Head Cluster (SHC) through a Cross-Site Request Forgery (CSRF), potent
nvd
CVE-2022-26070 | P4 | MEDIUM | CVSS 4.3 | CWE-200 | Version(s) before 8.1.0 | 2022-05-06
When handling a mismatched pre-authentication cookie, the application leaks the internal error message in the response, which contains the Splunk Enterprise local system path. The vulnerability impacts Splunk Enterprise versions before 8.1.0.
nvd