QID 379544
Date Published: 2024-04-02
QID 379544: Splunk Enterprise Authentication Token Exposure Vulnerability (SVD-2024-0301)
Splunk software helps capture, index and correlate real-time data in a searchable repository, from which it can generate graphs, reports, alerts, dashboards and visualizations.
The software potentially exposes authentication tokens during the token validation process. This exposure could happen when either Splunk Enterprise runs in debug mode or the JsonWebToken component has been configured to log its activity at the DEBUG logging level.
Affected Versions:
Splunk Enterprise versions from 9.0.0 to 9.0.8
Splunk Enterprise versions from 9.1.0 to 9.1.3
Splunk Enterprise versions from 9.2.0 to 9.2.0.1
QID Detection Logic (Authenticated)
Linux: Checks for a vulnerable installed version of Splunk Enterprise by reading the "/etc/splunk.version" file, located either under the "/opt/splunk" directory or via the "$SPLUNK_HOME" environment variable, and also checks the Splunk Web configuration using "/etc/system/default/limit.conf" or "/etc/system/local/limit.conf".
Windows: Checks for a vulnerable installed version of Splunk by reading the "/etc/splunk.version" file, located using the registry key "HKLM\SYSTEM\CurrentControlSet\Services\Splunkd".
Note: This QID does not check whether the available workaround has been applied, hence it is marked as potential.
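The version check described above can be reproduced locally. The following is an added example, not the scanner's own detection code: it parses the contents of a splunk.version file and tests the version against the affected ranges listed on this page. The `VERSION=` key layout, the function names and the sample file contents are assumptions constructed for illustration.

```python
import re

# Affected ranges copied from the "Affected Versions" list on this page
# (inclusive on both ends).
AFFECTED_RANGES = [
    ((9, 0, 0), (9, 0, 8)),
    ((9, 1, 0), (9, 1, 3)),
    ((9, 2, 0), (9, 2, 0, 1)),
]

# Constructed sample of a splunk.version file (KEY=VALUE layout is assumed).
SAMPLE = "VERSION=9.1.2\nBUILD=000000000000\nPRODUCT=splunk\nPLATFORM=Linux-x86_64\n"


def parse_version(text):
    """Return the version as a tuple of ints, or None if no VERSION= line."""
    m = re.search(r"^VERSION=(\d+(?:\.\d+){1,3})\s*$", text, re.MULTILINE)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split("."))


def _pad(v, width=4):
    # 9.2.0 and 9.2.0.0 must compare equal, so pad to four components.
    return tuple(v) + (0,) * (width - len(v))


def is_affected(version):
    """True if the version falls inside any affected range from the page."""
    if version is None:
        return False
    v = _pad(version)
    for lo, hi in AFFECTED_RANGES:
        # Assumption: the upper bound is compared at the precision the page
        # gives it, so a maintenance build such as 9.0.8.x stays in range.
        if _pad(lo) <= v and v[:len(hi)] <= hi:
            return True
    return False


if __name__ == "__main__":
    ver = parse_version(SAMPLE)
    print(ver, "affected" if is_affected(ver) else "not affected")
```

Like the QID itself, this only establishes that the installed version is in an affected range; it does not tell you whether debug mode or DEBUG logging for the JsonWebToken component is enabled.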
Successful exploitation of this vulnerability allows an attacker to review roles and capabilities on your instance and restrict internal index access to administrator-level roles.
Workaround:
Multiple workarounds are available. Kindly follow the Vendor Advisory.
- SVD-2024-0301: advisory.splunk.com/advisories/SVD-2024-0301
CVEs related to QID 379544
| Advisory ID | Software | Component | Link |
|---|---|---|---|
| SVD-2024-0301 | | | |