CVE-2024-45736

Improperly Formatted ‘INGEST_EVAL’ Parameter Crashes Splunk Daemon

Severity Score

6.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

In Splunk Enterprise versions below 9.3.1, 9.2.3, and 9.1.6 and Splunk Cloud Platform versions below 9.2.2403.107, 9.1.2312.204, and 9.1.2312.111, a low-privileged user that does not hold the "admin" or "power" Splunk roles could craft a search query with an improperly formatted "INGEST_EVAL" parameter as part of a [Field Transformation](https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Managefieldtransforms) which could crash the Splunk daemon (splunkd).

*Credits: Danylo Dmytriiev (DDV_UA)

CVSS Scores

Splunk Inc.v3.1 6.5

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

Poc

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-09-05 CVE Reserved
2024-10-14 CVE Published
2024-10-17 EPSS Updated
2024-10-30 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-400: Uncontrolled Resource Consumption

CAPEC

References (2)

URL	Tag	Source
https://advisory.splunk.com/advisories/SVD-2024-1006
https://research.splunk.com/application/08978eca-caff-44c1-84dc-53f17def4e14

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Splunk Search vendor "Splunk"		Splunk Enterprise Search vendor "Splunk" for product "Splunk Enterprise"				>= 9.3.0 < 9.3.1 Search vendor "Splunk" for product "Splunk Enterprise" and version " >= 9.3.0 < 9.3.1"		en		Affected
Splunk Search vendor "Splunk"		Splunk Enterprise Search vendor "Splunk" for product "Splunk Enterprise"				>= 9.2.0 < 9.2.3 Search vendor "Splunk" for product "Splunk Enterprise" and version " >= 9.2.0 < 9.2.3"		en		Affected
Splunk Search vendor "Splunk"		Splunk Enterprise Search vendor "Splunk" for product "Splunk Enterprise"				>= 9.1.0 < 9.1.6 Search vendor "Splunk" for product "Splunk Enterprise" and version " >= 9.1.0 < 9.1.6"		en		Affected
Splunk Search vendor "Splunk"		Splunk Cloud Platform Search vendor "Splunk" for product "Splunk Cloud Platform"				>= 9.2.2403.0 < 9.2.2403.107 Search vendor "Splunk" for product "Splunk Cloud Platform" and version " >= 9.2.2403.0 < 9.2.2403.107"		en		Affected
Splunk Search vendor "Splunk"		Splunk Cloud Platform Search vendor "Splunk" for product "Splunk Cloud Platform"				>= 9.1.2312.0 < 9.1.2312.204 Search vendor "Splunk" for product "Splunk Cloud Platform" and version " >= 9.1.2312.0 < 9.1.2312.204"		en		Affected
Splunk Search vendor "Splunk"		Splunk Cloud Platform Search vendor "Splunk" for product "Splunk Cloud Platform"				>= 9.1.2312.0 < 9.1.2312.111 Search vendor "Splunk" for product "Splunk Cloud Platform" and version " >= 9.1.2312.0 < 9.1.2312.111"		en		Affected