CVE-2024-29945

7.2 HIGH

📋 TL;DR

Splunk Enterprise versions below 9.2.1, 9.1.4, and 9.0.9 may expose authentication tokens during validation when debug logging is enabled. This allows attackers to capture valid tokens and potentially impersonate users. Organizations running affected Splunk versions with debug logging enabled are vulnerable.

💻 Affected Systems

Products:
  • Splunk Enterprise
Versions: Below 9.2.1, 9.1.4, and 9.0.9
Operating Systems: All supported platforms
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when debug logging is enabled for the JsonWebToken component or Splunk is running in debug mode.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers capture valid authentication tokens, gain unauthorized access to Splunk Enterprise, and potentially compromise sensitive log data or pivot to other systems.

🟠 Likely Case

Attackers with access to debug logs obtain authentication tokens and gain unauthorized access to Splunk data and functionality.

🟢 If Mitigated

With debug logging disabled and proper access controls, the exposure surface is minimized, though the underlying vulnerability remains until the patch is applied.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to debug logs where tokens are exposed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 9.2.1, 9.1.4, or 9.0.9

Vendor Advisory: https://advisory.splunk.com/advisories/SVD-2024-0301

Restart Required: Yes

Instructions:

1. Download the appropriate patched version from the Splunk website.
2. Back up the current configuration.
3. Install the update following the Splunk upgrade documentation.
4. Restart Splunk services.

🔧 Temporary Workarounds

Disable Debug Logging

Disable debug logging for the JsonWebToken component and ensure Splunk is not running in debug mode.

Edit log.cfg to set category.JsonWebToken = WARN
Verify debug mode is disabled in server.conf

🧯 If You Can't Patch

  • Restrict access to debug logs and Splunk management interfaces.
  • Implement network segmentation to isolate Splunk instances from untrusted networks.

🔍 How to Verify

Check if Vulnerable:

Check Splunk version via web interface or CLI, and verify debug logging settings in log.cfg.

Check Version:

splunk version

Verify Fix Applied:

Confirm the version is at or above the fixed release for its branch (9.0.9, 9.1.4, or 9.2.1), and that debug logging remains disabled.
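The version and log.cfg checks above, combined into one script as an added example (not part of this advisory card or Splunk's own tooling). It assumes `splunk version` output contains a dotted version string, that log.cfg uses `category.JsonWebToken=LEVEL` lines with a `rootCategory=LEVEL,appender` fallback, and treats anything below 9.0.9 as affected per the "below" wording of the advisory.

```python
"""Assess CVE-2024-29945 exposure from Splunk version output and log.cfg contents."""
import re

# Fixed releases per branch, taken from the advisory (9.0.9, 9.1.4, 9.2.1).
FIXED = {(9, 0): (9, 0, 9), (9, 1): (9, 1, 4), (9, 2): (9, 2, 1)}


def parse_version(text):
    """Extract the first dotted version, e.g. from 'Splunk 9.1.3 (build ...)'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no version found in: %r" % text)
    return tuple(int(x) for x in m.groups())


def version_is_affected(version_output):
    """True if the version is below the fixed release for its branch.

    Assumption: branches older than 9.0 are below every fixed release and count
    as affected; branches newer than 9.2 ship with the fix.
    """
    v = parse_version(version_output)
    if v[:2] in FIXED:
        return v < FIXED[v[:2]]
    return v < (9, 0, 9)


def jwt_debug_enabled(log_cfg_text):
    """True if log.cfg leaves JsonWebToken logging at DEBUG (the exposure condition).

    The last explicit category.JsonWebToken line wins; if none is set, the
    rootCategory level applies (assumed log.cfg semantics). Comments are ignored.
    """
    level = None
    root = None
    for raw in log_cfg_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"category\.JsonWebToken\s*=\s*(\w+)", line)
        if m:
            level = m.group(1).upper()
        m = re.match(r"rootCategory\s*=\s*(\w+)", line)
        if m:
            root = m.group(1).upper()
    return (level if level is not None else root) == "DEBUG"


def assess(version_output, log_cfg_text):
    """'patched', 'exposed' (affected and debug on) or 'affected-not-exposed'."""
    if not version_is_affected(version_output):
        return "patched"
    return "exposed" if jwt_debug_enabled(log_cfg_text) else "affected-not-exposed"


# Constructed sample inputs for a stand-alone run.
SAMPLE_VERSION = "Splunk 9.1.3 (build PLACEHOLDER)"
SAMPLE_LOG_CFG = "rootCategory=INFO,A1\n# constructed: debug left on\ncategory.JsonWebToken=DEBUG\n"

if __name__ == "__main__":
    print(assess(SAMPLE_VERSION, SAMPLE_LOG_CFG))
```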

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts to Splunk
  • Unusual authentication patterns
  • Debug logs containing authentication tokens

Network Indicators:

  • Unexpected connections to Splunk management ports
  • Traffic patterns indicating token harvesting

SIEM Query:

index=_internal source=*splunkd.log* "JsonWebToken" DEBUG | search "token"
