
CVE-2024-29945

Severity: High
Vendor: Splunk
SVRS: 66/100
CVSSv3: 7.2/10
EPSS: 0.00335/1

CVE-2024-29945 is a security vulnerability in Splunk Enterprise that can expose authentication tokens. This occurs in versions prior to 9.2.1, 9.1.4, and 9.0.9 when running in debug mode or with DEBUG logging enabled for the JsonWebToken component, potentially leaking sensitive credentials. With a SOCRadar Vulnerability Risk Score (SVRS) of 66, this vulnerability poses a moderate risk and warrants attention to prevent unauthorized access. While the CVSS score is 7.2, the SVRS reflects real-world threat context, highlighting potential exploitation based on the presence of the "In The Wild" tag. The exposure of authentication tokens can lead to significant security breaches, including unauthorized data access and system compromise. Upgrade to the latest Splunk Enterprise version or disable debug mode and DEBUG logging to mitigate this risk. Failure to address this vulnerability could result in compromised systems and data.

In The Wild
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
2025-02-28

2024-03-27
SOCRadar AI Insight

Description:

CVE-2024-29945 is a vulnerability in Splunk Enterprise versions below 9.2.1, 9.1.4, and 9.0.9. It allows for the potential exposure of authentication tokens during the token validation process when Splunk Enterprise runs in debug mode or the JsonWebToken component is configured to log its activity at the DEBUG logging level. The SVRS for this CVE is 30, indicating a moderate level of risk.

Key Insights:

  • Authentication Token Exposure: This vulnerability could allow attackers to obtain authentication tokens, which could be used to gain unauthorized access to Splunk Enterprise.
  • Debug Mode and Logging Level: The vulnerability is only exploitable when Splunk Enterprise is running in debug mode or when the JsonWebToken component is configured to log its activity at the DEBUG logging level.
  • Active Exploitation: This vulnerability is actively exploited in the wild, meaning that attackers are actively using it to target systems.

Mitigation Strategies:

  • Update Splunk Enterprise: Update Splunk Enterprise to version 9.2.1, 9.1.4, or 9.0.9 to address this vulnerability.
  • Disable Debug Mode: Disable debug mode in Splunk Enterprise to reduce the risk of exploitation.
  • Configure Logging Level: Configure the JsonWebToken component to log its activity at a level other than DEBUG to reduce the risk of exposure.
  • Monitor for Suspicious Activity: Monitor Splunk Enterprise for any suspicious activity that could indicate an attack.

Additional Information:

  • Threat Actors/APT Groups: No specific threat actors or APT groups have been identified as actively exploiting this vulnerability.
  • Exploit Status: Active exploits have been published for this vulnerability.
  • CISA Warnings: The Cybersecurity and Infrastructure Security Agency (CISA) has warned of this vulnerability, calling for immediate and necessary measures.


Indicators of Compromise

No IOCs found for this CVE

Exploits

No exploits found for this CVE


News

CVE-2024-29945 | Splunk Enterprise up to 9.0.8/9.1.3/9.2.0 JsonWebToken Component log file (SVD-2024-0301)
Source: vuldb.com, 2024-05-06
A vulnerability was found in Splunk Enterprise up to 9.0.8/9.1.3/9.2.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the component JsonWebToken Component. The manipulation leads to sensitive information in log files. This vulnerability is known as CVE-2024-29945. The

Social Media

No tweets found for this CVE

Affected Software

Configuration 1
Type | Vendor | Product
App | Splunk | splunk

References

  • https://advisory.splunk.com/advisories/SVD-2024-0301
  • https://research.splunk.com/application/9a67e749-d291-40dd-8376-d422e7ecf8b5

CWE Details

CWE ID | CWE Name | Description
CWE-532 | Insertion of Sensitive Information into Log File | Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.
