{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-20226", "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "state": "PUBLISHED", "assignerShortName": "cisco", "dateReserved": "2024-10-10T19:15:13.235Z", "datePublished": "2025-03-26T22:02:10.530Z", "dateUpdated": "2025-03-27T13:50:54.966Z"}, "containers": {"cna": {"affected": [{"product": "Splunk Enterprise", "vendor": "Splunk", "versions": [{"version": "9.4", "status": "affected", "versionType": "custom", "lessThan": "9.4.1"}, {"version": "9.3", "status": "affected", "versionType": "custom", "lessThan": "9.3.3"}, {"version": "9.2", "status": "affected", "versionType": "custom", "lessThan": "9.2.5"}, {"version": "9.1", "status": "affected", "versionType": "custom", "lessThan": "9.1.8"}]}, {"product": "Splunk Cloud Platform", "vendor": "Splunk", "versions": [{"version": "9.3.2408", "status": "affected", "versionType": "custom", "lessThan": "9.3.2408.107"}, {"version": "9.2.2406", "status": "affected", "versionType": "custom", "lessThan": "9.2.2406.111"}, {"version": "9.1.2308", "status": "affected", "versionType": "custom", "lessThan": "9.1.2308.214"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "In Splunk Enterprise versions below 9.4.1, 9.3.3, 9.2.5, and 9.1.8 and Splunk Cloud Platform versions below 9.3.2408.107, 9.2.2406.111, and 9.1.2308.214, a low-privileged user that does not hold the \"admin\" or \"power\" Splunk roles could run a saved search with a risky command using the permissions of a higher-privileged user to bypass the SPL safeguards for risky commands on the \"/services/streams/search\" endpoint through its \"q\" parameter. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The authenticated user should not be able to exploit the vulnerability at will."}], "value": "In Splunk Enterprise versions below 9.4.1, 9.3.3, 9.2.5, and 9.1.8 and Splunk Cloud Platform versions below 9.3.2408.107, 9.2.2406.111, and 9.1.2308.214, a low-privileged user that does not hold the \"admin\" or \"power\" Splunk roles could run a saved search with a risky command using the permissions of a higher-privileged user to bypass the SPL safeguards for risky commands on the \"/services/streams/search\" endpoint through its \"q\" parameter. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The authenticated user should not be able to exploit the vulnerability at will."}], "references": [{"url": "https://advisory.splunk.com/advisories/SVD-2025-0305"}], "title": "Risky command safeguards bypass in \u201c/services/streams/search\u201c endpoint through \u201cq\u201c parameter in Splunk Enterprise", "datePublic": "2025-03-26T00:00:00.000Z", "metrics": [{"cvssV3_1": {"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.1", "baseScore": 5.7, "baseSeverity": "MEDIUM"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "cwe", "description": "The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.", "cweId": "CWE-200"}]}], "source": {"advisory": "SVD-2025-0305"}, "credits": [{"lang": "en", "value": "Anton (therceman)"}], "providerMetadata": {"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "shortName": "cisco", "dateUpdated": "2025-03-26T22:02:10.530Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-27T13:50:48.378365Z", "id": "CVE-2025-20226", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-27T13:50:54.966Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-20226", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-03-27T13:50:48.378365Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-27T13:50:51.814Z"}}], "cna": {"title": "Risky command safeguards bypass in \u201c/services/streams/search\u201c endpoint through \u201cq\u201c parameter in Splunk Enterprise", "source": {"advisory": "SVD-2025-0305"}, "credits": [{"lang": "en", "value": "Anton (therceman)"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 5.7, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Splunk", "product": "Splunk Enterprise", "versions": [{"status": "affected", "version": "9.4", "lessThan": "9.4.1", "versionType": "custom"}, {"status": "affected", "version": "9.3", "lessThan": "9.3.3", "versionType": "custom"}, {"status": "affected", "version": "9.2", "lessThan": "9.2.5", "versionType": "custom"}, {"status": "affected", "version": "9.1", "lessThan": "9.1.8", "versionType": "custom"}]}, {"vendor": "Splunk", "product": "Splunk Cloud Platform", "versions": [{"status": "affected", "version": "9.3.2408", "lessThan": "9.3.2408.107", "versionType": "custom"}, {"status": "affected", "version": "9.2.2406", "lessThan": "9.2.2406.111", "versionType": "custom"}, {"status": "affected", "version": "9.1.2308", "lessThan": "9.1.2308.214", "versionType": "custom"}]}], "datePublic": "2025-03-26T00:00:00.000Z", "references": [{"url": "https://advisory.splunk.com/advisories/SVD-2025-0305"}], "descriptions": [{"lang": "en", "value": "In Splunk Enterprise versions below 9.4.1, 9.3.3, 9.2.5, and 9.1.8 and Splunk Cloud Platform versions below 9.3.2408.107, 9.2.2406.111, and 9.1.2308.214, a low-privileged user that does not hold the \"admin\" or \"power\" Splunk roles could run a saved search with a risky command using the permissions of a higher-privileged user to bypass the SPL safeguards for risky commands on the \"/services/streams/search\" endpoint through its \"q\" parameter. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The authenticated user should not be able to exploit the vulnerability at will.", "supportingMedia": [{"type": "text/html", "value": "In Splunk Enterprise versions below 9.4.1, 9.3.3, 9.2.5, and 9.1.8 and Splunk Cloud Platform versions below 9.3.2408.107, 9.2.2406.111, and 9.1.2308.214, a low-privileged user that does not hold the \"admin\" or \"power\" Splunk roles could run a saved search with a risky command using the permissions of a higher-privileged user to bypass the SPL safeguards for risky commands on the \"/services/streams/search\" endpoint through its \"q\" parameter. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The authenticated user should not be able to exploit the vulnerability at will.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "cwe", "cweId": "CWE-200", "description": "The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information."}]}], "providerMetadata": {"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "shortName": "cisco", "dateUpdated": "2025-03-26T22:02:10.530Z"}}}, "cveMetadata": {"cveId": "CVE-2025-20226", "state": "PUBLISHED", "dateUpdated": "2025-03-27T13:50:54.966Z", "dateReserved": "2024-10-10T19:15:13.235Z", "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "datePublished": "2025-03-26T22:02:10.530Z", "assignerShortName": "cisco"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "49EE75F0-2AD6-4712-9E2A-C000A44E5605", "versionEndExcluding": "9.1.8", "versionStartIncluding": "9.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "5B7E20B1-E38E-4F5E-9F89-41FD4C231742", "versionEndExcluding": "9.2.5", "versionStartIncluding": "9.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "E66E66BA-AFC2-4E0A-B233-9E2C7D985AF0", "versionEndExcluding": "9.3.3", "versionStartIncluding": "9.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:splunk:splunk:9.4.0:*:*:*:enterprise:*:*:*", "matchCriteriaId": "AD39F156-52DB-4F43-8528-37500E3AEB89", "vulnerable": true}, {"criteria": "cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*", "matchCriteriaId": "2E95F34F-276A-4B6C-B317-DB58839B34CE", "versionEndExcluding": "9.1.2308.214", "versionStartIncluding": "9.1.2308", "vulnerable": true}, {"criteria": "cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*", "matchCriteriaId": "4EBEB019-22E2-4948-AA77-85E0AC8219F8", "versionEndExcluding": "9.2.2406.111", "versionStartIncluding": "9.2.2406.100", "vulnerable": true}, {"criteria": "cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*", "matchCriteriaId": "E0D477D5-C135-4D18-BC7D-94D4A5F34E1D", "versionEndExcluding": "9.3.2408.107", "versionStartIncluding": "9.3.2408.100", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In Splunk Enterprise versions below 9.4.1, 9.3.3, 9.2.5, and 9.1.8 and Splunk Cloud Platform versions below 9.3.2408.107, 9.2.2406.111, and 9.1.2308.214, a low-privileged user that does not hold the \"admin\" or \"power\" Splunk roles could run a saved search with a risky command using the permissions of a higher-privileged user to bypass the SPL safeguards for risky commands on the \"/services/streams/search\" endpoint through its \"q\" parameter. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The authenticated user should not be able to exploit the vulnerability at will."}, {"lang": "es", "value": "En las versiones de Splunk Enterprise anteriores a 9.4.1, 9.3.3, 9.2.5 y 9.1.8, y de Splunk Cloud Platform anteriores a 9.3.2408.107, 9.2.2406.111 y 9.1.2308.214, un usuario con pocos privilegios que no tenga los roles de Splunk \"admin\" o \"power\" podr\u00eda ejecutar una b\u00fasqueda guardada con un comando arriesgado utilizando los permisos de un usuario con m\u00e1s privilegios para eludir las protecciones de SPL para comandos arriesgados en el endpoint \"/services/streams/search\" a trav\u00e9s de su par\u00e1metro \"q\". La vulnerabilidad requiere que el atacante suplante a la v\u00edctima, enga\u00f1\u00e1ndola para que inicie una solicitud en su navegador. El usuario autenticado no deber\u00eda poder explotar la vulnerabilidad a voluntad."}], "id": "CVE-2025-20226", "lastModified": "2025-07-21T20:53:04.737", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 3.6, "source": "[email protected]", "type": "Primary"}]}, "published": "2025-03-26T22:15:14.483", "references": [{"source": "[email protected]", "tags": ["Vendor Advisory"], "url": "https://advisory.splunk.com/advisories/SVD-2025-0305"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "[email protected]", "type": "Primary"}]}

{}