CVE-2024-45735

4.3 MEDIUM

📋 TL;DR

This vulnerability allows low-privileged users without admin or power roles to view App Key Value Store (KV Store) deployment configuration and public/private keys in the Splunk Secure Gateway App. This affects Splunk Enterprise versions below 9.2.3 and 9.1.6, and Splunk Secure Gateway on Splunk Cloud Platform versions below 3.4.259, 3.6.17, and 3.7.0.

💻 Affected Systems

Products:
  • Splunk Enterprise
  • Splunk Secure Gateway
Versions: Splunk Enterprise < 9.2.3, < 9.1.6; Splunk Secure Gateway on Splunk Cloud Platform < 3.4.259, < 3.6.17, < 3.7.0
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Affects systems with Splunk Secure Gateway App installed and configured.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attackers could obtain sensitive cryptographic keys and configuration details, potentially enabling further attacks against the KV Store or related systems.

🟠 Likely Case: Unauthorized users gain visibility into sensitive deployment configurations and cryptographic materials, violating the principle of least privilege.

🟢 If Mitigated: With proper role-based access controls, only authorized users can access sensitive configuration data.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated low-privileged access to the Splunk interface.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Splunk Enterprise 9.2.3, 9.1.6; Splunk Secure Gateway on Splunk Cloud Platform 3.4.259, 3.6.17, 3.7.0

Vendor Advisory: https://advisory.splunk.com/advisories/SVD-2024-1005

Restart Required: Yes

Instructions:

1. Download the appropriate patch version from Splunk's website.
2. Back up your Splunk configuration.
3. Apply the patch following Splunk's upgrade documentation.
4. Restart Splunk services.

🔧 Temporary Workarounds

Restrict Access to Splunk Secure Gateway App

Limit user access to the Splunk Secure Gateway App to only authorized administrators.

🧯 If You Can't Patch

  • Review and restrict user roles to minimize access to Splunk Secure Gateway App.
  • Monitor audit logs for unauthorized access attempts to sensitive configuration data.

🔍 How to Verify

Check if Vulnerable:

Check Splunk version via web interface or CLI and compare against affected versions.

Check Version:

splunk version

Verify Fix Applied:

Verify Splunk version is at or above patched versions and test that low-privileged users cannot access KV Store deployment configuration.
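
The version comparison described above, as an added example (not Splunk's code and not part of the original page). It assumes the fixed versions listed here apply per release branch (9.2.x fixed in 9.2.3, 9.1.x in 9.1.6, and likewise for the Secure Gateway app); the function names and the "enterprise"/"ssg" labels are hypothetical, and the sample `splunk version` lines are constructed.

```sh
#!/bin/sh
# Added example: compare a version with the fixed releases listed on
# this page. Function names and product labels are hypothetical.

# Pull "X.Y.Z" out of a `splunk version` output line.
parse_splunk_version() {
    printf '%s\n' "$1" |
        sed -n 's/^Splunk[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' |
        head -n 1
}

# First fixed patch level per release branch, taken from the page's fix list.
fixed_patch_for() {
    case "$1:$2" in
        enterprise:9.2) echo 3 ;;
        enterprise:9.1) echo 6 ;;
        ssg:3.4) echo 259 ;;
        ssg:3.6) echo 17 ;;
        ssg:3.7) echo 0 ;;
        *) return 1 ;;
    esac
}

# Prints one of: vulnerable | patched | check-advisory | unparsed.
classify_version() {
    product=$1 ver=$2
    case $ver in *.*.*) ;; *) echo unparsed; return 0 ;; esac
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; patch=${rest#*.}; patch=${patch%%.*}
    # Reject empty or non-numeric components before comparing.
    case "$major.$minor.$patch" in
        *[!0-9.]*|.*|*..*|*.) echo unparsed; return 0 ;;
    esac
    # Branches the page does not list are not guessed at.
    fixed=$(fixed_patch_for "$product" "$major.$minor") ||
        { echo check-advisory; return 0; }
    if [ "$patch" -lt "$fixed" ]; then echo vulnerable; else echo patched; fi
}

# Constructed sample lines; on a real host use "$(splunk version)" instead.
for line in "Splunk 9.2.1 (build 0123456789ab)" \
            "Splunk 9.1.6 (build 0123456789ab)" \
            "Splunk 9.3.0 (build 0123456789ab)"; do
    v=$(parse_splunk_version "$line")
    printf '%s -> %s\n' "$line" "$(classify_version enterprise "$v")"
done
```

A "check-advisory" result means the branch is not in the page's fix list and the vendor advisory should be consulted for it.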

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts to KV Store configuration endpoints in Splunk audit logs.

SIEM Query:

index=_audit action="access" app="splunk_secure_gateway" user!=admin user!=power | stats count by user, action
