QID 379303

Splunk software helps capture, index and correlate real-time data in a searchable repository, from which it can generate graphs, reports, alerts, dashboards and visualizations.
Splunk Enterprise does not correctly sanitize path input data. This results in the unsafe deserialization of untrusted data from a separate disk partition on the machine.

Note: This vulnerability only affects Splunk Enterprise for Windows. Affected Versions:
Splunk Enterprise versions from 9.0.0 prior to 9.0.8
Splunk Enterprise versions from 9.1.0 prior to 9.1.3

QID Detection Logic (Authenticated)
Linux: Checks for installed vulnerable version of Splunk Enterprise from "/etc/splunk.version" file either in "/opt/splunk" directory or using "$SPLUNK_HOME" environment variable along with splunk web configuration check using "/etc/system/default/limit.conf" or "/etc/system/local/limit.conf".
Windows: Checks for installed vulnerable version of Splunk from "/etc/splunk.version" file using registry "HKLM\SYSTEM\CurrentControlSet\Services\Splunkd".

Successful exploitation of this vulnerability results in the unsafe deserialization of untrusted data from a separate disk partition on the machine.