CVE-2024-53244: Risky command safeguards bypass in “/en-US/app/search/report“ endpoint through “s“ parameter
First published: Tue Dec 10 2024(Updated: )
In Splunk Enterprise versions below 9.3.2, 9.2.4, and 9.1.7 and Splunk Cloud Platform versions below 9.2.2406.107, 9.2.2403.109, and 9.1.2312.206, a low-privileged user that does not hold the “admin“ or “power“ Splunk roles could run a saved search with a risky command using the permissions of a higher-privileged user to bypass the SPL safeguards for risky commands on “/en-US/app/search/report“ endpoint through “s“ parameter.<br>The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The authenticated user should not be able to exploit the vulnerability at will.
Credit: prodsec@splunk.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Splunk Enterprise | <9.3.2<9.2.4<9.1.7 | |
| Splunk Cloud Platform | <9.2.2406.107<9.2.2403.109<9.1.2312.206 | |
| >=9.1.0<9.1.7 | ||
| >=9.2.0<9.2.4 | ||
| >=9.3.0<9.3.2 | ||
| >=9.1.2312<9.1.2312.206 | ||
| >=9.2.2403<9.2.2403.109 | ||
| >=9.2.2406<9.2.2406.107 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2024-53244?
CVE-2024-53244 has been classified as a low-severity vulnerability.
How do I fix CVE-2024-53244?
To remediate CVE-2024-53244, upgrade Splunk Enterprise to version 9.3.2 or later, or Splunk Cloud Platform to version 9.2.2406.107 or later.
What type of user is affected by CVE-2024-53244?
CVE-2024-53244 affects low-privileged users who do not have the 'admin' or 'power' roles in Splunk.
Which versions of Splunk are affected by CVE-2024-53244?
Versions of Splunk Enterprise below 9.3.2, 9.2.4, and 9.1.7, as well as Splunk Cloud Platform versions below 9.2.2406.107, 9.2.2403.109, and 9.1.2312.206 are affected by CVE-2024-53244.
Can a low-privileged user exploit CVE-2024-53244?
Yes, a low-privileged user can exploit CVE-2024-53244 by running a saved search that contains risky commands.
- agent/references
- agent/title
- agent/weakness
- agent/type
- agent/first-publish-date
- agent/description
- agent/author
- agent/severity
- agent/event
- agent/source
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- agent/softwarecombine
- agent/tags
- collector/nvd-api
- source/NVD
- vendor/splunk
- canonical/splunk enterprise
- canonical/splunk cloud platform
- canonical/splunk
- version/splunk/9.1.0
- version/splunk/9.2.0
- version/splunk/9.3.0
- version/splunk cloud platform/9.1.2312
- version/splunk cloud platform/9.2.2403
- version/splunk cloud platform/9.2.2406