#VU106068 Inclusion of Sensitive Information in Log Files in Splunk Enterprise and Splunk Secure Gateway - CVE-2025-20231

Cybersecurity Help s.r.o.

Published: 2025-03-26

Vulnerability identifier: #VU106068

Vulnerability risk: Medium

CVSSv4.0: 6.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-20231

CWE-ID: CWE-532

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Splunk Enterprise
Server applications / IDS/IPS systems, Firewalls and proxy servers
Splunk Secure Gateway
Server applications / Remote management servers, RDP, SSH

Vendor: Splunk Inc.

Description

The vulnerability allows a remote user to gain access to sensitive information.

The vulnerability exists due to the Splunk Secure Gateway exposes user session and authorization tokens in clear text in the splunk_secure_gateway.log file when it calls the /services/ssg/secrets REST endpoint. A remote unprivileged user can gain access to authorization tokens and use them to compromise the affected system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Splunk Enterprise: 9.0.9 - 9.0.10, 9.1.3 - 9.1.7, 9.2.0 - 9.2.4, 9.3.0 - 9.3.2, 9.4.0

Splunk Secure Gateway: before 3.7.23

External links
https://advisory.splunk.com/advisories/SVD-2025-0302

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Information disclosure in Splunk Secure Gateway App