CVE-2024-36987: 
Splunk Enterprise vulnerability analysis and mitigation

A vulnerability was identified in Splunk Enterprise and Splunk Cloud Platform affecting versions below 9.2.2, 9.1.5, 9.0.10, and 9.1.2312.200 respectively. The vulnerability (CVE-2024-36987) was disclosed on July 1, 2024, and allows authenticated, low-privileged users without admin or power roles to upload files with arbitrary extensions using the indexing/preview REST endpoint (Splunk Advisory).

The vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type) with a CVSS v3.1 base score of 6.5 (MEDIUM) according to NIST's assessment (Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N). The vulnerable endpoint is part of the Upload Data page in Splunk Web, used for running preview searches on uploaded files before indexing. This process generates a file that could potentially be used for XSLT injection and downstream exploits (Splunk Advisory).

The vulnerability primarily affects instances with Splunk Web enabled, allowing low-privileged users to perform unauthorized file uploads, which could potentially lead to XSLT injection and subsequent exploits (Splunk Advisory).

The primary mitigation is to upgrade Splunk Enterprise to versions 9.2.2, 9.1.5, and 9.0.10 or higher. For Splunk Cloud Platform, upgrades are being performed as part of Routine Maintenance. As a workaround, organizations can disable Splunk Web if not necessary for operations (Splunk Advisory).