CVE-2024-53247: 
Splunk Enterprise vulnerability analysis and mitigation

A critical vulnerability (CVE-2024-53247) has been identified in Splunk Enterprise and Splunk Secure Gateway app, affecting versions below 9.3.2, 9.2.4, and 9.1.7 of Splunk Enterprise, and versions below 3.4.261 and 3.7.13 of the Splunk Secure Gateway app on Splunk Cloud Platform. The vulnerability allows low-privileged users without 'admin' or 'power' roles to perform Remote Code Execution (RCE). This security flaw was discovered and disclosed on December 10, 2024 (Splunk Advisory).

The vulnerability stems from an unsafe deserialization of data due to an insecure usage of the jsonpickle Python library, classified as CWE-502 (Deserialization of Untrusted Data). The severity of this vulnerability has been rated with a CVSS v3.1 base score of 8.8 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (Splunk Advisory, Security Online).

Successful exploitation of this vulnerability could lead to complete system compromise, allowing attackers to compromise sensitive data, install malware, take control of the system, and disrupt critical services. The vulnerability affects both on-premises Splunk Enterprise installations and cloud-based deployments through the Splunk Secure Gateway app (Security Online).

Splunk has released patches to address this vulnerability. Users are advised to upgrade Splunk Enterprise to versions 9.3.2, 9.2.4, or 9.1.7 or higher, and the Splunk Secure Gateway app to versions 3.4.261 or 3.7.13 or higher. As a temporary mitigation, if immediate patching is not possible, users can disable the Splunk Secure Gateway app, though this will also disable Splunk Mobile, Spacebridge, and Mission Control functionality (Splunk Advisory, ASEC).