SB2025032668 - Multiple vulnerabilities in Splunk Enterprise

Published: March 26, 2025

Security Bulletin ID: SB2025032668
CSH Severity: Medium
Patch available: Yes
Number of vulnerabilities: 5
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Medium: 80%, Low: 20%

Description

This security bulletin contains information about 5 vulnerabilities.


1) Input validation error (CVE-ID: CVE-2025-20227)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to gain access to sensitive information.

The vulnerability exists due to insufficient validation of user-supplied input. A remote unprivileged user can bypass the external content warning modal dialog box in Dashboard Studio dashboards.


2) Information disclosure (CVE-ID: CVE-2025-20226)

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the "/services/streams/search" endpoint. A remote attacker can trick the victim into initiating a request within their browser and gain access to sensitive information.


3) Information disclosure (CVE-ID: CVE-2025-20232)

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the "/app/search/search" endpoint. A remote attacker can trick the victim into initiating a request within their browser and gain access to sensitive information.


4) Cross-site request forgery (CVE-ID: CVE-2025-20228)

CWE-ID: CWE-352 - Cross-Site Request Forgery (CSRF)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim into visiting a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website, such as changing the maintenance mode state of the App Key Value Store (KVStore).


5) Arbitrary file upload (CVE-ID: CVE-2025-20229)

CWE-ID: CWE-434 - Unrestricted Upload of File with Dangerous Type

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to compromise the vulnerable system.

The vulnerability exists due to insufficient validation of files during upload. A remote unprivileged user can upload a malicious file into the "$SPLUNK_HOME/var/run/splunk/apptemp" directory and execute it on the server.


Remediation

Install the update from the vendor's website.