Splunk: CVE-2024-36983: Command Injection using External Lookups
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 9 | (AV:N/AC:M/Au:S/C:C/I:C/A:C) | Jul 1, 2024 | Apr 7, 2025 | Oct 31, 2025 |
Description
In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.109 and 9.1.2308.207, an authenticated user could create an external lookup that calls a legacy internal function. The authenticated user could use this internal function to insert code into the Splunk platform installation directory. From there, the user could execute arbitrary code on the Splunk platform instance. The vulnerability revolves around the currently deprecated "runshellscript" command that scripted alert actions use. This command, along with external command lookups, lets an authenticated user use this vulnerability to inject and execute commands within a privileged context from the Splunk platform instance.
Solution
splunk-upgrade-latest
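The fixed versions in the description are per release branch, so a single "below 9.2.2" comparison or a string comparison misclassifies hosts (9.1.5 is fixed, and "9.0.10" sorts before "9.0.9" as text). The following is an added example, not code from Splunk or from this advisory: a branch-aware triage check whose function names and inventory rows are constructed for illustration, and which assumes branches not named in the description should be reported as "not-listed" rather than guessed.

```python
import re

# Fixed versions taken from the description, keyed by release branch.
ENTERPRISE_FIXED = {(9, 2): (9, 2, 2), (9, 1): (9, 1, 5), (9, 0): (9, 0, 10)}
CLOUD_FIXED = {(9, 1, 2312): (9, 1, 2312, 109), (9, 1, 2308): (9, 1, 2308, 207)}


def parse_version(text):
    """Turn '9.1.2312.109' into (9, 1, 2312, 109); reject non-numeric input."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)+", text):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(part) for part in text.split("."))


def assess(version, product="enterprise"):
    """Return 'affected', 'fixed' or 'not-listed' for one version string."""
    v = parse_version(version)
    if product == "enterprise":
        table, key_len = ENTERPRISE_FIXED, 2
    elif product == "cloud":
        table, key_len = CLOUD_FIXED, 3
    else:
        raise ValueError(f"unknown product: {product!r}")
    fixed = table.get(v[:key_len])
    if fixed is None:
        # Assumption: a branch the description does not name is not guessed at.
        return "not-listed"
    # Pad short inputs such as '9.1' so they compare as 9.1.0.
    padded = v + (0,) * (len(fixed) - len(v))
    return "affected" if padded < fixed else "fixed"


def triage(inventory):
    """Map host -> status for (host, product, version) rows."""
    return {host: assess(ver, prod) for host, prod, ver in inventory}


# Constructed sample inventory, not real hosts.
INVENTORY = [
    ("sh01", "enterprise", "9.1.5"),
    ("idx01", "enterprise", "9.0.9"),
    ("idx02", "enterprise", "9.2.1"),
    ("cloud-a", "cloud", "9.1.2312.108"),
    ("legacy", "enterprise", "8.2.12"),
]

if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as "not-listed" need a manual check against the vendor advisory.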