Splunk Enterprise Path Traversal Vulnerability on Windows
CVE-2024-36991
Key Information:
- Vendor: Splunk
- Status: Vendor
- CVE Published: 1 July 2024
What is CVE-2024-36991?
CVE-2024-36991 is a critical vulnerability found in Splunk Enterprise, specifically affecting Windows versions prior to 9.2.2, 9.1.5, and 9.0.10. Splunk Enterprise is a software platform used for searching, monitoring, and analyzing machine-generated data via a web-style interface. The vulnerability allows attackers to perform path traversal attacks on the /modules/messaging/ endpoint, which can enable unauthorized access to sensitive files on the system. This could lead to severe security implications for organizations using affected versions, exposing valuable data and creating opportunities for further exploitation.
Technical Details
The vulnerability arises from insufficient validation of user input within the Splunk Enterprise software architecture. Specifically, an attacker can send crafted requests to the /modules/messaging/ endpoint and manipulate the request path to traverse directories on the server's file system. This means that attackers can potentially gain access to restricted files and directories that could contain sensitive configuration files or other critical data. The vulnerability is exclusive to Windows systems running older versions of Splunk Enterprise, which may leave a significant number of deployments at risk if they have not been updated.
Impact of the Vulnerability
- Unauthorized Access to Sensitive Information: Attackers can exploit this vulnerability to access confidential system files and data, potentially including user credentials, configuration details, and other sensitive information that could be misused.
- Increased Attack Surface for Further Exploits: The ability to access restricted areas of the filesystem can lead to additional vulnerabilities being exploited, as attackers may uncover more attack vectors or deploy malicious payloads on the compromised systems.
- Potential for Data Breaches: With unauthorized access to critical data, organizations could face severe consequences, such as data breaches that compromise customer information or proprietary business data, leading to financial loss and reputational damage.
Affected Version(s)
Splunk Enterprise 9.2 < 9.2.2
Splunk Enterprise 9.1 < 9.1.5
Splunk Enterprise 9.0 < 9.0.10
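A defender's triage check for the endpoint and version ranges described above, as an added example that is not Splunk's code or part of the original advisory. It assumes web access log lines carry a quoted request line (`"GET /path HTTP/1.1"`); the sample log lines, addresses and `PLACEHOLDER` paths are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Fixed patch level for each affected branch, taken from the advisory text.
FIXED = {(9, 2): 2, (9, 1): 5, (9, 0): 10}
ENDPOINT = "/modules/messaging/"
# Generic traversal markers, checked after URL-decoding: ".." or a backslash.
TRAVERSAL = re.compile(r"\.\.|\\")
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample lines (assumed log layout, not real Splunk output).
SAMPLE_LOG = [
    '10.0.0.5 - admin [01/Jul/2024:10:00:01 +0000] "GET /en-US/modules/messaging/status HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jul/2024:10:00:07 +0000] "GET /en-US/modules/messaging/../../PLACEHOLDER HTTP/1.1" 200 2048',
    '203.0.113.9 - - [01/Jul/2024:10:00:09 +0000] "GET /en-US/modules/messaging/%252e%252e%255cPLACEHOLDER HTTP/1.1" 404 0',
    '10.0.0.5 - admin [01/Jul/2024:10:00:11 +0000] "GET /en-US/app/search/../home HTTP/1.1" 200 128',
]

def is_affected(version):
    """True if a 'major.minor.patch' Windows build is in a listed branch below its fix."""
    major, minor, patch = (int(p) for p in version.split(".")[:3])
    fixed = FIXED.get((major, minor))
    return fixed is not None and patch < fixed

def decode_fully(path, rounds=3):
    """URL-decode repeatedly so double-encoded sequences are normalised too."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def suspicious_requests(lines):
    """Return log lines whose path under /modules/messaging/ contains traversal markers."""
    hits = []
    for line in lines:
        m = REQUEST.search(line)
        if not m:
            continue
        path = decode_fully(m.group(1).split("?", 1)[0])
        idx = path.lower().find(ENDPOINT)
        if idx != -1 and TRAVERSAL.search(path[idx + len(ENDPOINT):]):
            hits.append(line)
    return hits

if __name__ == "__main__":
    print("\n".join(suspicious_requests(SAMPLE_LOG)))
```

A hit with a 200 response on a host where `is_affected` is true is the case to investigate first; branches not listed in the advisory are reported as not affected by this check.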
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that a vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.
News Articles
Week in review: CrowdStrike update causes widespread IT outage, critical Splunk Enterprise flaw - Help Net Security
Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Faulty CrowdStrike update takes out Windows machines
7 months ago
Critical Splunk flaw can be exploited to grab passwords (CVE-2024-36991) - Help Net Security
A recently fixed vulnerability (CVE-2024-36991) affecting Splunk Enterprise on Windows "is more severe than it initially appeared."
7 months ago
EPSS Score
12% chance of being exploited in the next 30 days.
Timeline
- 💰 Used in Ransomware
- 🟡 Public PoC available
- 👾 Exploit known to exist
- 📰 First article discovered by Pentest-Tools.com
- 🥇 Vulnerability reached the number 1 worldwide trending spot
- 📈 Vulnerability started trending
- Vulnerability published
- Vulnerability Reserved