CVE-2024-36991

7.5 HIGH

📋 TL;DR

This vulnerability allows attackers to perform path traversal attacks on the /modules/messaging/ endpoint in Splunk Enterprise on Windows. This could enable unauthorized access to files outside the intended directory. Only Splunk Enterprise installations on Windows operating systems running vulnerable versions are affected.

💻 Affected Systems

Products:
  • Splunk Enterprise
Versions: 9.2.x below 9.2.2, 9.1.x below 9.1.5, and 9.0.x below 9.0.10
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: This vulnerability only affects Splunk Enterprise installations on Windows operating systems. Linux and other platforms are not vulnerable.

📦 What is this software?

Splunk Enterprise is a platform for collecting, indexing, searching, and alerting on machine-generated data such as logs, events, and metrics. It is widely deployed as a SIEM and operational analytics backend and exposes a web interface over HTTP, which is where the affected endpoint lives.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker could read sensitive system files, potentially obtaining credentials, configuration data, or other confidential information stored on the Windows server.

🟠 Likely Case

Attackers could access Splunk configuration files, logs, or other application data that could be used for further exploitation or information gathering.

🟢 If Mitigated

With proper network segmentation and access controls, the impact would be limited to the Splunk application directory and isolated from critical system files.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability affects a specific endpoint and requires Windows OS. No public exploit code has been identified at this time.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 9.2.2, 9.1.5, or 9.0.10

Vendor Advisory: https://advisory.splunk.com/advisories/SVD-2024-0711

Restart Required: Yes

Instructions:

1. Download the appropriate patch version from Splunk's official website.
2. Back up your Splunk configuration and data.
3. Stop Splunk services.
4. Install the patch.
5. Restart Splunk services.
6. Verify the update was successful.

🔧 Temporary Workarounds

Restrict Access to /modules/messaging/ Endpoint

Use a web application firewall or network controls to block or restrict access to the vulnerable endpoint.

Network Segmentation

Isolate Splunk servers from other critical systems to limit potential lateral movement.

🧯 If You Can't Patch

  • Implement strict network access controls to limit who can reach the Splunk server
  • Monitor the /modules/messaging/ endpoint for suspicious access patterns and implement alerting

🔍 How to Verify

Check if Vulnerable:

Check the Splunk version and confirm whether the instance is running on Windows with a version below the fixed release for its branch: 9.2.2 (9.2.x), 9.1.5 (9.1.x), or 9.0.10 (9.0.x).

Check Version:

splunk version

Verify Fix Applied:

After patching, verify that the Splunk version shows 9.2.2, 9.1.5, or 9.0.10 (or a later release on the same branch).
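A plain numeric comparison gets this check wrong: 9.1.4 is below 9.2.2 but vulnerable because its branch fix is 9.1.5, while 9.1.5 itself is fixed. The Python below is added here as an illustration (it is not a Splunk-provided tool): it parses the output of `splunk version` and applies the per-branch fixed-release table from this page. The function names and the sample version strings are assumed or constructed; a branch not listed on this page is reported as unknown rather than guessed, so the vendor advisory should be consulted for it.

```python
import re
from typing import Optional, Tuple

# Fixed release per affected branch, taken from this page's patch-version list.
FIXED_BY_BRANCH = {
    (9, 2): (9, 2, 2),
    (9, 1): (9, 1, 5),
    (9, 0): (9, 0, 10),
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Extract major.minor.patch from text such as 'Splunk 9.1.4 (build 1a2b3c)'.

    The build string format is an assumption for this example; only the
    dotted version triple is used.
    """
    match = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def is_vulnerable(version_text: str, is_windows: bool) -> Optional[bool]:
    """Classify an instance against CVE-2024-36991.

    Returns True when the version is below its branch's fixed release on
    Windows, False when it is fixed or not on Windows, and None when the
    branch is not covered by the table on this page.
    """
    # Only Windows installations are affected according to the advisory summary.
    if not is_windows:
        return False
    major, minor, patch = parse_version(version_text)
    fixed = FIXED_BY_BRANCH.get((major, minor))
    if fixed is None:
        return None
    # Tuple comparison compares major, then minor, then patch.
    return (major, minor, patch) < fixed


if __name__ == "__main__":
    # Constructed sample inputs, not output from a real host.
    for sample, windows in [
        ("Splunk 9.1.4 (build 1a2b3c)", True),
        ("Splunk 9.1.5 (build 1a2b3c)", True),
        ("Splunk 9.2.1 (build 1a2b3c)", True),
        ("Splunk 9.0.9 (build 1a2b3c)", False),
        ("Splunk 9.3.0 (build 1a2b3c)", True),
    ]:
        print(sample, "windows" if windows else "other OS", "->", is_vulnerable(sample, windows))
```

The check deliberately keeps the operating-system test separate from the version test so that a Linux host at 9.1.4 is reported as not affected, matching the scope stated on this page.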

📡 Detection & Monitoring

Log Indicators:

  • Unusual access patterns to /modules/messaging/ endpoint
  • Requests with directory traversal patterns (../, ..\) in the URL

Network Indicators:

  • HTTP requests to /modules/messaging/ with path traversal sequences

SIEM Query:

(source="*splunk*" OR source="*web*") (url="*/modules/messaging/*" AND (url="*../*" OR url="*..\\*"))
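The query above matches only a literal `../` or `..\` in the logged URL. As an added example (not part of this page's original content or of any Splunk product), the Python below applies the same two indicators to access-log lines while also handling percent-encoded and double-encoded forms: it extracts the request path, decodes it up to twice, normalizes backslashes to forward slashes, and flags requests to /modules/messaging/ that carry a traversal sequence. The log line layout is assumed to resemble a combined-style web access log; the sample lines are constructed and the file names in them are placeholders.

```python
import re
from typing import List
from urllib.parse import unquote

# Endpoint named in this advisory summary.
ENDPOINT = "/modules/messaging/"

# Request field of a combined-style access log entry, e.g. "GET /path HTTP/1.1".
# The surrounding log layout is an assumption for this example.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def decode_path(path: str, rounds: int = 2) -> str:
    """Percent-decode up to `rounds` times so %2e%2e%2f and %252e%252e%252f both become '../'."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_traversal_hit(line: str) -> bool:
    """True when the request targets ENDPOINT and contains '../' or '..\\' after decoding."""
    match = REQUEST_RE.search(line)
    if not match:
        return False
    # Normalize backslashes so the Windows form '..\' is treated like '../'.
    path = decode_path(match.group("path")).replace("\\", "/")
    if ENDPOINT not in path:
        return False
    return "../" in path or path.endswith("/..")


def scan(lines: List[str]) -> List[str]:
    """Return only the log lines that match the indicator."""
    return [line for line in lines if is_traversal_hit(line)]


# Constructed sample entries (not real traffic); PLACEHOLDER.conf stands in for any target name.
SAMPLE_LOG = [
    '10.0.0.5 - - [11/Jul/2024:10:00:01 +0000] "GET /en-US/modules/messaging/ HTTP/1.1" 200 512',
    '10.0.0.5 - - [11/Jul/2024:10:00:02 +0000] "GET /en-US/modules/messaging/../../PLACEHOLDER.conf HTTP/1.1" 200 4096',
    '10.0.0.5 - - [11/Jul/2024:10:00:03 +0000] "GET /en-US/modules/messaging/..%5c..%5cPLACEHOLDER.conf HTTP/1.1" 200 4096',
    '10.0.0.5 - - [11/Jul/2024:10:00:04 +0000] "GET /en-US/modules/messaging/%252e%252e%252fPLACEHOLDER.conf HTTP/1.1" 404 0',
    '10.0.0.5 - - [11/Jul/2024:10:00:05 +0000] "GET /en-US/app/search/../other HTTP/1.1" 200 100',
    "malformed line with no request field",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("ALERT:", hit)
```

Decoding before matching is the point of the example: the raw SIEM query would miss the third and fourth sample lines, while the fifth line is ignored because the traversal is not aimed at the endpoint this advisory concerns.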

🔗 References

Splunk Vendor Advisory SVD-2024-0711: https://advisory.splunk.com/advisories/SVD-2024-0711