CVE-2026-20253
Splunk · Enterprise and Cloud Platform
Splunk Enterprise and Splunk Cloud Platform ship a PostgreSQL sidecar service whose file-operation endpoint performs no authentication, allowing an unauthenticated attacker who can reach the service over the network to create or truncate arbitrary files.
Executive summary
An unauthenticated file-operation vulnerability in Splunk Enterprise and Splunk Cloud Platform allows an attacker who can reach the affected PostgreSQL sidecar service to create or truncate files on the host, including sensitive configuration files, without any credentials.
Vulnerability
The vulnerability is classified as CWE-306 (Missing Authentication for Critical Function). The PostgreSQL sidecar service exposes file creation and truncation operations on an endpoint that does not require authentication, so any attacker who can reach that endpoint over the network can invoke them.
Business impact
With a CVSS base score of 9.8 (Critical), this vulnerability poses a severe risk to system integrity and availability. Truncating configuration files can take a Splunk instance or its components offline, and creating files with attacker-controlled content in locations the sidecar process can write gives an attacker a foothold for further compromise. The reachable files are bounded by the filesystem permissions of the account the sidecar runs as, which on a typical deployment includes the Splunk configuration tree.
Remediation
Immediate Action: Update Splunk Enterprise to version 10.4.0, 10.2.4, or 10.0.7, or a later release on the same branch. Splunk Cloud Platform instances are patched by the vendor; confirm that your stack is on a fixed version.
Proactive Monitoring: Review the sidecar service's access logs for requests to its file-operation endpoints from unexpected source addresses, and alert on unexpected creation, truncation, or modification of files under $SPLUNK_HOME/etc and other critical paths, for example with file-integrity monitoring.
Compensating Controls: Until patched, restrict network access to the sidecar service to the management hosts that legitimately need it, using host or network firewalling. A Web Application Firewall (WAF) in front of the endpoint can add a layer of filtering, but because the endpoint performs no authentication, removing reachability is the stronger control.
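The monitoring recommendation above asks for alerts on unexpected creation or truncation of critical files. The script below is an added example, not part of this advisory and not Splunk's own tooling: a minimal file-integrity baseline and compare that reports truncation (a non-empty file dropping to zero bytes) and new files separately, because those are exactly the two primitives the vulnerability provides. The directory tree, file names and contents in demo() are constructed for the example; in production you would point baseline() at $SPLUNK_HOME/etc, store the baseline off the host, and run compare() on a schedule.

```python
"""Added example: file-integrity baseline/compare tuned to the create-or-truncate
impact described for CVE-2026-20253. Not part of the advisory or of Splunk.
Paths and file contents in demo() are constructed for illustration."""
import hashlib
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root: Path) -> dict:
    """Record size and SHA-256 for every regular file under root,
    keyed by POSIX-style relative path."""
    entries = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            entries[rel] = {"size": p.stat().st_size, "sha256": _sha256(p)}
    return entries


def compare(root: Path, base: dict) -> dict:
    """Diff the current tree against a stored baseline.

    Files whose hash changed are reported as 'truncated' when they went from
    non-empty to zero bytes (the signature of a truncate operation) and as
    'modified' otherwise; files absent from the baseline are 'created'."""
    current = baseline(root)
    report = {"truncated": [], "modified": [], "created": [], "deleted": []}
    for rel, meta in current.items():
        if rel not in base:
            report["created"].append(rel)
        elif meta["sha256"] != base[rel]["sha256"]:
            if meta["size"] == 0 and base[rel]["size"] > 0:
                report["truncated"].append(rel)
            else:
                report["modified"].append(rel)
    for rel in base:
        if rel not in current:
            report["deleted"].append(rel)
    return report


def demo() -> dict:
    """Constructed scenario: baseline a fake etc/ tree, simulate the two file
    operations the advisory describes, and return the resulting report."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        local = root / "system" / "local"
        local.mkdir(parents=True)
        (local / "server.conf").write_text("[general]\nserverName = idx1\n")
        (local / "web.conf").write_text("[settings]\nenableSplunkWebSSL = true\n")
        base = baseline(root)

        # Simulated attacker actions: truncate one config, create a new file.
        (local / "web.conf").write_bytes(b"")
        (local / "evil.conf").write_text("[settings]\n")

        return compare(root, base)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Running the module prints one line per category; in the constructed scenario web.conf lands under truncated and evil.conf under created, while server.conf is unchanged. A real deployment would feed the report into an alert rather than print it, and should treat any truncation or creation under the configuration tree that does not match a change record as a potential exploitation attempt.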
Exploitation status
Public Exploit Available: False
Analyst recommendation
Patch immediately. The endpoint requires no authentication and file truncation or creation is available to anyone who can connect to it, so the absence of a public exploit should not delay remediation. Confirm that every Splunk Enterprise instance is running one of the fixed versions listed in the vendor advisory, and treat any instance that was reachable while unpatched as a candidate for a file-integrity review of its configuration tree.