In Splunk Enterprise versions below 10.2.1, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions below 10.4.2603.0, 10.3.2512.5, 10.2.2510.9, 10.1.2507.19, 10.0.2503.13, and 9.3.2411.127, a low-privileged user that does not hold the admin or power Splunk roles could potentially perform a Remote Code Execution (RCE) by uploading a malicious file to the $SPLUNK_HOME/var/run/splunk/apptemp directory due to improper handling and insufficient isolation of temporary files within the apptemp directory.
Weakness
Creating and using insecure temporary files can leave application and system data vulnerable to attack.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Splunk | Splunk | 9.3.0 (including) | 9.3.11 (excluding) |
| Splunk | Splunk | 9.4.0 (including) | 9.4.10 (excluding) |
| Splunk | Splunk | 10.0.0 (including) | 10.0.5 (excluding) |
| Splunk | Splunk | 10.2.0 (including) | 10.2.0 (including) |