CVE-2024-45741
📋 TL;DR
This CVE describes a cross-site scripting (XSS) vulnerability in Splunk Enterprise and Splunk Cloud Platform in which a low-privileged user can create a malicious configuration file that causes unauthorized JavaScript to execute in other users' browsers. The flaw can be triggered by users who do not hold the admin or power roles but can reach the affected endpoint. Successful exploitation requires the attacker to have authenticated access to the Splunk instance.
💻 Affected Systems
- Splunk Enterprise
- Splunk Cloud Platform
📦 What is this software?
Splunk by Splunk
⚠️ Risk & Real-World Impact
Worst Case
An authenticated low-privileged user could execute arbitrary JavaScript in the browser of other users, potentially stealing session cookies, performing actions as the victim user, or conducting further attacks within the Splunk environment.
Likely Case
Low-privileged authenticated users could perform limited XSS attacks against other users, potentially stealing session data or performing unauthorized actions within the victim's browser context.
If Mitigated
With proper role-based access controls and input validation, the attack surface is limited to authenticated users with specific permissions, reducing the overall risk.
🎯 Exploit Status
Exploitation requires authenticated access and knowledge of Splunk configuration file structure. The vulnerability is in the api.uri parameter handling.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Splunk Enterprise 9.2.3, 9.1.6; Splunk Cloud Platform 9.2.2403.108, 9.1.2312.205
Vendor Advisory: https://advisory.splunk.com/advisories/SVD-2024-1011
Restart Required: Yes
Instructions:
1. Back up your Splunk configuration and data.
2. Download the appropriate patch from Splunk's website.
3. Stop Splunk services.
4. Apply the patch according to Splunk's upgrade documentation.
5. Restart Splunk services.
6. Verify that the version has been updated.
🔧 Temporary Workarounds
Restrict access to affected endpoint
Limit access to the /manager/search/apps/local endpoint to only those users who absolutely need it.
Configure Splunk's role-based access control to restrict endpoint access
Implement Content Security Policy
Add Content Security Policy headers to mitigate the impact of XSS.
Configure web server or Splunk to include CSP headers
🧯 If You Can't Patch
- Review and restrict user permissions, ensuring only necessary users have access to create custom configuration files
- Implement network segmentation to isolate Splunk instances and limit lateral movement potential
🔍 How to Verify
Check if Vulnerable:
Check Splunk version via the web interface (Settings > Server Settings > General Settings) or command line
Check Version:
On Splunk server: $SPLUNK_HOME/bin/splunk version
Verify Fix Applied:
Verify the version is equal to or higher than the patched versions listed in the fix section
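The version check above can be automated for fleet-wide verification. The following is an added example (not Splunk's code or part of this advisory) that parses the output of `$SPLUNK_HOME/bin/splunk version` and compares it against the fixed versions listed in the fix section. It assumes Enterprise fixes apply to every later release on the 9.1 and 9.2 branches, and that the Cloud fixes apply only to later builds of the 9.1.2312 and 9.2.2403 trains; any other branch or train is not covered by this page and is reported as unknown rather than guessed. The default install path `/opt/splunk` and the `local_version` helper are assumptions for illustration.

```python
"""Compare a Splunk version string with the fixed versions for CVE-2024-45741."""
import os
import re
import subprocess

# First fixed release per branch, as listed in the fix section of this advisory.
# Enterprise is keyed by (major, minor); Cloud by (major, minor, train).
FIXED = {
    "enterprise": {
        (9, 2): (9, 2, 3),
        (9, 1): (9, 1, 6),
    },
    "cloud": {
        (9, 2, 2403): (9, 2, 2403, 108),
        (9, 1, 2312): (9, 1, 2312, 205),
    },
}


def parse_version(text):
    """Extract the dotted version from strings such as 'Splunk 9.2.3 (build ...)'."""
    match = re.search(r"(\d+(?:\.\d+)+)", text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_fixed(version_text, product="enterprise"):
    """Return True if fixed, False if vulnerable, None if the branch is not covered here."""
    version = parse_version(version_text)
    # Enterprise branches are identified by major.minor; Cloud trains by major.minor.train.
    key_len = 2 if product == "enterprise" else 3
    first_fixed = FIXED[product].get(version[:key_len])
    if first_fixed is None:
        return None  # branch/train not listed in the advisory text on this page
    return version >= first_fixed


def local_version(splunk_home=None):
    """Run `splunk version` on the local server and return its output (assumed helper)."""
    home = splunk_home or os.environ.get("SPLUNK_HOME", "/opt/splunk")
    return subprocess.run(
        [os.path.join(home, "bin", "splunk"), "version"],
        capture_output=True, text=True, check=True,
    ).stdout


if __name__ == "__main__":
    # Constructed sample output, not captured from a real host.
    sample = "Splunk 9.2.2 (build placeholder)"
    print(sample, "->", {True: "fixed", False: "VULNERABLE", None: "unknown branch"}[is_fixed(sample)])
```

Run it against `local_version()` on each Splunk host, or feed it the version strings collected by your configuration-management tool; a `None` result means the branch is outside what this page documents and needs a manual check against the vendor advisory.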
📡 Detection & Monitoring
Log Indicators:
- Unusual configuration file creation/modification events
- Suspicious access patterns to /manager/search/apps/local endpoint
Network Indicators:
- Unusual outbound connections from Splunk web interface
- Suspicious JavaScript payloads in HTTP requests
SIEM Query:
index=_internal source=*web_access.log uri_path="/manager/search/apps/local" | stats count by clientip, user
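For environments where the SIEM query above cannot be run directly (for example, when web_access.log is shipped to another log platform), the following added example, which is not part of the original advisory, reproduces the same `stats count by clientip, user` logic over raw web_access.log lines and additionally separates state-changing (POST/PUT/DELETE) requests from plain views, since creating a configuration file through this endpoint is a write. The log lines are constructed for illustration; the assumption that Splunk Web prefixes paths with a locale segment such as `/en-US/` is why the matcher tolerates that prefix.

```python
"""Count access to /manager/search/apps/local in Splunk web_access.log lines."""
import re
from collections import Counter

# Constructed sample lines in the common-log-style layout of web_access.log
# (clientip, user, timestamp, request line, status). Not real log data.
SAMPLE_LOG = """\
10.0.0.5 - analyst1 [11/Oct/2024:09:12:01.100 +0000] "GET /en-US/manager/search/apps/local HTTP/1.1" 200 5120 "-" "Mozilla/5.0" - 1 20ms
10.0.0.5 - analyst1 [11/Oct/2024:09:12:07.431 +0000] "POST /en-US/manager/search/apps/local HTTP/1.1" 303 0 "-" "Mozilla/5.0" - 2 35ms
10.0.0.9 - admin [11/Oct/2024:09:15:44.002 +0000] "GET /en-US/app/search/search HTTP/1.1" 200 9001 "-" "Mozilla/5.0" - 3 12ms
10.0.0.7 - contractor [11/Oct/2024:09:20:00.000 +0000] "POST /en-US/manager/search/apps/local HTTP/1.1" 303 0 "-" "curl/8.0" - 4 40ms
10.0.0.7 - contractor [11/Oct/2024:09:20:01.000 +0000] "POST /en-US/manager/search/apps/local?action=edit HTTP/1.1" 303 0 "-" "curl/8.0" - 5 38ms
this line is deliberately malformed and must be skipped
"""

LINE_RE = re.compile(
    r'^(?P<clientip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TARGET = "/manager/search/apps/local"
# Optional locale prefix (assumed, e.g. /en-US/) followed by the exact target path.
TARGET_RE = re.compile(r"(/[A-Za-z]{2}-[A-Za-z]{2})?" + re.escape(TARGET) + r"/?$")
WRITE_METHODS = {"POST", "PUT", "DELETE"}


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    match = LINE_RE.match(line)
    if not match:
        return None
    record = match.groupdict()
    record["path"] = record["path"].split("?", 1)[0]  # drop the query string
    return record


def is_target(path):
    """True when the request path is the affected endpoint (with or without locale)."""
    return TARGET_RE.fullmatch(path) is not None


def count_by_client_user(log_text):
    """Equivalent of `stats count by clientip, user` for the affected endpoint."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_target(rec["path"]):
            counts[(rec["clientip"], rec["user"])] += 1
    return dict(counts)


def write_attempts_by_user(log_text):
    """State-changing requests to the endpoint, by user: the signal to review first."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_target(rec["path"]) and rec["method"] in WRITE_METHODS:
            counts[rec["user"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for (ip, user), n in sorted(count_by_client_user(SAMPLE_LOG).items()):
        print(f"{ip:15} {user:12} {n}")
    print("writes:", write_attempts_by_user(SAMPLE_LOG))
```

Cross-reference the users appearing in `write_attempts_by_user` with the role assignments in Splunk: a user without the admin or power role who is writing to this endpoint is exactly the situation the advisory describes and deserves a closer look at the configuration files created around that timestamp.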