CVE-2024-53243: 
Splunk Enterprise vulnerability analysis and mitigation

CVE-2024-53243 is a security vulnerability discovered in Splunk Enterprise and Splunk Secure Gateway app. The vulnerability was disclosed on December 10, 2024, affecting Splunk Enterprise versions below 9.3.2, 9.2.4, and 9.1.7, and versions below 3.2.462, 3.7.18, and 3.8.5 of the Splunk Secure Gateway app on Splunk Cloud Platform (Splunk Advisory).

The vulnerability stems from improper access control in the Splunk Secure Gateway App Key Value Store (KVstore) collections endpoints. It has been assigned a CVSS v3.1 base score of 4.3 (Medium) with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. The vulnerability is categorized as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) (Splunk Advisory).

The vulnerability allows low-privileged users who do not hold the 'admin' or 'power' Splunk roles to view alert search query responses through the Splunk Secure Gateway App Key Value Store collections endpoints. This unauthorized access to information could potentially expose sensitive data (Splunk Advisory).

The primary mitigation is to upgrade Splunk Enterprise to versions 9.3.2, 9.2.4, 9.1.7, or higher. For environments where immediate upgrading is not possible, Splunk recommends disabling the Splunk Secure Gateway App as a workaround. However, it should be noted that disabling the app will affect functionality of Splunk Mobile, Spacebridge, and Mission Control as they rely on functionality in $SPLUNKHOME/etc/apps/splunksecure_gateway (Splunk Advisory).