CVE-2024-23676: 
Splunk Enterprise vulnerability analysis and mitigation

A vulnerability was identified in Splunk versions below 9.0.8 and 9.1.3, where the 'mrollup' SPL command allows low-privileged users to view metrics on indexes they shouldn't have permission to access. The vulnerability was disclosed on January 22, 2024, and requires user interaction from a high-privileged user to be exploited (Splunk Advisory).

The vulnerability has been assigned a CVSSv3.1 score of 4.6 (Medium) with the vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N. The issue specifically affects the Splunk Web component in Splunk Enterprise versions 9.0.0 to 9.0.7 and 9.1.0 to 9.1.2, as well as Splunk Cloud versions below 9.1.2308.200. The vulnerability is tracked under bug ID SPL-245947 and is classified as CWE-20 (Splunk Advisory).

The vulnerability allows unauthorized access to metrics data, potentially exposing sensitive information from indexes that should be restricted. The impact is considered moderate as it requires specific conditions to be exploited and only affects metrics data visibility (Splunk Advisory).

Splunk has released patches to address this vulnerability in versions 9.0.8 and 9.1.3. For users unable to upgrade immediately, recommended workarounds include disabling Splunk Web on instances in distributed environments where users don't need to log in, and removing authorization to search metrics indexes for users who don't require access. Splunk Cloud Platform instances are being actively monitored and patched by Splunk (Splunk Advisory).