CVE-2024-53246: 
Splunk Enterprise vulnerability analysis and mitigation

CVE-2024-53246 affects Splunk Enterprise versions below 9.3.2, 9.2.4, and 9.1.7 and Splunk Cloud Platform versions below 9.3.2408.101, 9.2.2406.106, 9.2.2403.111, and 9.1.2312.206. The vulnerability involves an SPL command that can potentially disclose sensitive information, with the discovery date being December 10, 2024 (Splunk Advisory, NVD).

The vulnerability is classified with a CVSS v3.1 base score of 7.5 (HIGH) according to NVD, while Splunk rates it at 5.3 (MEDIUM) with a vector string of CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N. The vulnerability is associated with CWE-319 (Cleartext Transmission of Sensitive Information). Importantly, successful exploitation requires the presence of another vulnerability, specifically a Risky Commands Bypass. The potential issue does not disclose indexed data or sensitive information concerning the default Splunk Enterprise instance (Splunk Advisory).

The vulnerability could lead to the disclosure of sensitive information if successfully exploited. However, the severity and impact may vary based on the information stored in the secrets store. For organizations that do not use the functionality to store sensitive information, the impact would be minimal and considered informational (Splunk Advisory).

The recommended fix involves upgrading Splunk Enterprise to versions 9.3.2, 9.2.4, 9.1.7, or higher. Additionally, users should add 'viewcleartextsplrest = false' under the [storagepasswords_masking] stanza in the limits.conf configuration file, followed by a restart of the Splunk Enterprise instance. For Splunk Cloud Platform, Splunk is actively monitoring and patching affected instances (Splunk Advisory).