CVE-2024-36995

5.4 MEDIUM

📋 TL;DR

This CVE allows low-privileged users who do not hold the admin or power roles to create experimental items in Splunk Enterprise and Splunk Cloud Platform. This bypasses the intended access controls and could enable unauthorized configuration changes. Affected: organizations running Splunk versions below the patched releases listed below.

💻 Affected Systems

Products:
  • Splunk Enterprise
  • Splunk Cloud Platform
Versions: Splunk Enterprise below 9.2.2, 9.1.5, and 9.0.10; Splunk Cloud Platform below 9.1.2312.200 and 9.1.2308.207
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all deployments with low-privileged users. No special configuration required.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Unauthorized users create experimental items that disrupt Splunk functionality, modify configurations, or create persistence mechanisms for further attacks.

🟠

Likely Case

Low-privileged users create experimental items that could cause operational issues or configuration drift, requiring administrative cleanup.

🟢

If Mitigated

With proper role-based access controls and monitoring, impact is limited to minor configuration issues that can be quickly detected and reverted.

🌐 Internet-Facing: LOW
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires authenticated low-privileged user access. No public exploit code available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Splunk Enterprise 9.2.2, 9.1.5, 9.0.10; Splunk Cloud Platform 9.1.2312.200, 9.1.2308.207

Vendor Advisory: https://advisory.splunk.com/advisories/SVD-2024-0715

Restart Required: Yes

Instructions:

1. Back up Splunk configuration and data.
2. Download the appropriate patch version from Splunk downloads.
3. Stop Splunk services.
4. Apply the patch following the Splunk upgrade documentation.
5. Restart Splunk services.
6. Verify functionality.

🔧 Temporary Workarounds

Restrict Experimental Item Creation

Modify role permissions to prevent low-privileged users from creating experimental items.

splunk edit user <username> -role <role_without_experimental_permissions>
splunk edit role <rolename> -capability edit_experimental false

🧯 If You Can't Patch

  • Review and audit user roles to ensure only authorized users have experimental item creation capabilities.
  • Implement monitoring for unauthorized experimental item creation in Splunk audit logs.

🔍 How to Verify

Check if Vulnerable:

Check the Splunk version via the web interface or CLI. If it is below the patched versions listed above for its release branch, the system is vulnerable.

Check Version:

splunk version

Verify Fix Applied:

After patching, verify that the version is at or above the patched version for its release branch, and test that a low-privileged user (without the admin or power roles) can no longer create experimental items.
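Because each release branch was patched separately (9.2.x, 9.1.x, 9.0.x for Enterprise; 9.1.2312.x and 9.1.2308.x for Cloud), a plain "is the version lower than 9.2.2?" check misclassifies 9.1.5 and 9.0.10. The following is an added example, not Splunk's own tooling: it parses `splunk version` output and compares the version only against the fixed release of its own branch, using the version numbers from this page. The sample CLI output is constructed.

```python
"""Branch-aware check of a Splunk version against the fixed releases on this page."""
import re
from typing import Optional, Tuple

# Fixed versions as listed in the advisory. A version is compared only against the
# fixed release of its own branch (all components except the last), since each
# branch received its own patch.
FIXED_VERSIONS = {
    "enterprise": ["9.2.2", "9.1.5", "9.0.10"],
    "cloud": ["9.1.2312.200", "9.1.2308.207"],
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '9.1.2312.200' into (9, 1, 2312, 200); drop build suffixes like '9.2.2-foo'."""
    core = text.strip().split("-")[0]
    return tuple(int(part) for part in core.split("."))


def parse_cli_output(output: str) -> Optional[str]:
    """Extract the version string from `splunk version` output, e.g. 'Splunk 9.1.4 (build ...)'."""
    match = re.search(r"Splunk\s+(\d+(?:\.\d+)+)", output)
    return match.group(1) if match else None


def assess(product: str, version_text: str) -> str:
    """Return 'vulnerable', 'fixed', or 'not_listed' (branch not named in the advisory)."""
    ver = parse_version(version_text)
    for fixed_text in FIXED_VERSIONS[product]:
        fixed = parse_version(fixed_text)
        # Same branch means same number of components and same prefix.
        if len(ver) == len(fixed) and ver[:-1] == fixed[:-1]:
            return "vulnerable" if ver < fixed else "fixed"
    return "not_listed"


if __name__ == "__main__":
    # Constructed sample output; on a real host run `splunk version` and feed in its output.
    sample = "Splunk 9.1.4 (build 1234abcd5678)"
    found = parse_cli_output(sample)
    print(found, "->", assess("enterprise", found) if found else "unparsed")
```

A result of `not_listed` (for example a 9.3.x or 8.x build) means the advisory does not name that branch; consult the vendor advisory rather than assuming it is fixed.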

📡 Detection & Monitoring

Log Indicators:

  • Audit logs showing experimental item creation by non-admin/power users
  • Unauthorized configuration changes in experimental items

Network Indicators:

  • Unusual API calls to experimental endpoints from non-privileged accounts

SIEM Query:

index=_audit action="edit_experimental" user!=admin user!=power | stats count by user
