CVE-2024-36989: 
Splunk Enterprise vulnerability analysis and mitigation

A vulnerability was discovered in Splunk Enterprise and Splunk Cloud Platform (CVE-2024-36989) where a low-privileged user without admin or power roles could create notifications in Splunk Web Bulletin Messages that all users on the instance would receive. The affected versions include Splunk Enterprise below 9.2.2, 9.1.5, and 9.0.10, and Splunk Cloud Platform below 9.1.2312.200 (Splunk Advisory).

The vulnerability (CWE-284: Improper Access Control) stems from insufficient access control in the Bulletin Messages system. The CVSS v3.1 base score is rated at 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N. The vulnerability specifically affects instances with Splunk Web enabled and allows unauthorized users to send notifications that may contain web links (Splunk Advisory).

The vulnerability could allow low-privileged users to send notifications containing web links to all users on the instance, potentially leading to administrators navigating to other web pages or running searches unexpectedly. This could result in unauthorized communication channels and potential social engineering attacks (Splunk Advisory).

The primary mitigation is to upgrade Splunk Enterprise to versions 9.2.2, 9.1.5, and 9.0.10 or higher. For Splunk Cloud Platform, Splunk is performing upgrades on instances as part of Routine Maintenance. As a workaround, organizations can disable Splunk Web if it's not necessary for operations (Splunk Advisory).