CPE
Splunk Code Injection via Custom Dashboard Leading to RCE (CVE-2022-43571)
1 TTP 1 CVEAn authenticated user can exploit CVE-2022-43571, a code injection vulnerability within Splunk Enterprise or Splunk Cloud's dashboard PDF generation component, leading to remote code execution (RCE) and potential compromise of the Splunk environment.
Splunk XSS Privilege Escalation via Custom URLs in Dashboard (CVE-2024-36992)
2 rules 1 TTP 1 CVEA critical cross-site scripting (XSS) vulnerability, identified as CVE-2024-36992, affects Splunk Enterprise and Splunk Cloud Platform, allowing attackers to achieve privilege escalation by exploiting custom URLs within Splunk dashboards via malicious POST requests to the `splunk_internal_metrics/data/ui/views` endpoint, leading to the creation of new user accounts with elevated access permissions on the Splunk server.
Splunk User Enumeration Attempt Detection
1 TTP 1 CVEAn attacker is attempting to enumerate valid Splunk usernames by repeatedly submitting failed authentication attempts from a single source, as detected by monitoring the `_audit` index for multiple login failures, which is a precursor to credential-based attacks like password spraying or brute force, potentially leading to unauthorized access and sensitive data exposure.
Splunk RCE via User XSLT Exploitation (CVE-2023-46214)
1 rule 1 TTP 1 CVEThis brief identifies potential remote code execution (RCE) attempts targeting Splunk servers by exploiting CVE-2023-46214, a vulnerability related to user-supplied Extensible Stylesheet Language Transformations (XSLT) that allows attackers to execute arbitrary code leading to full system compromise.
Splunk RCE Through Arbitrary File Write to Windows System Root
2 rules 3 TTPs 2 CVEsA critical vulnerability (CVE-2024-45731, CVE-2024-45733) in Splunk Enterprise for Windows versions below 9.3.0, 9.2.3, and 9.1.6 allows low-privileged users to perform arbitrary file writes to the Windows system root directory (C:\Windows\System32) when Splunk is installed on a separate drive, enabling remote code execution through insecure session storage configuration.
Splunk Authentication Token Exposure in Debug Logs (CVE-2024-29945)
1 rule 1 TTP 1 CVEA critical vulnerability, CVE-2024-29945, allows for the exposure of authentication tokens in debug logs within Splunk Enterprise and Splunk Cloud, enabling an attacker with access to internal log files to gain unauthorized access, exfiltrate data, and potentially achieve full compromise of the Splunk infrastructure if unpatched versions (prior to 9.2.1, 9.1.4, and 9.0.9 for Enterprise) are in use.