Sensitive Information Disclosure through the storage/passwords REST Endpoint in Splunk Enterprise
Summary
In Splunk Enterprise versions below 10.4.1, 10.2.5, 10.0.8, and 9.4.13, and Splunk Cloud Platform versions below 10.5.2605.0, 10.4.2604.6, 10.3.2512.15, 10.2.2510.18, and 10.1.2507.24, a low-privileged user that does not hold the 'admin' or 'power' Splunk roles could view stored credential hashes when they access the `/servicesNS/-/-/storage/passwords` REST endpoint through the `|rest` Search Processing Language (SPL) command.<br><br>The exposure happens because the `|rest` SPL command returns the `encr_password` field in the results of the `/servicesNS/-/-/storage/passwords` REST endpoint.
What this means
In plain English
In Splunk Enterprise versions below 10.4.1, 10.2.5, 10.0.8, and 9.4.13, and Splunk Cloud Platform versions below 10.5.2605.0, 10.4.2604.6, 10.3.2512.15, 10.2.2510.18, and 10.1.2507.24, a low-privileged user that does not hold the 'admin' or 'power' Splunk roles could view stored credential hashes when they access the `/servicesNS/-/-/storage/passwords` REST endpoint through the `|rest` Search Processing Language (SPL) command.<br><br>The exposure happens because the `|rest` SPL command returns the `encr_password` field in the results of the `/servicesNS/-/-/storage/passwords` REST endpoint. Information disclosure can expose data available to the affected component beyond its intended authorization boundary.
Recommended action
Primary action: update to a vendor-listed fixed release: 10.4.1, 10.2.5, 10.0.8, 9.4.13, 10.5.2605.0, 10.4.2604.6, 10.3.2512.15, 10.2.2510.18, 10.1.2507.24.
Rewritten locally from the scraped official advisory data above; no generative API is used. The vendor advisory is authoritative.
- Splunk Enterprise 10.4 before 10.4.1
- Splunk Enterprise 10.2 before 10.2.5
- Splunk Enterprise 10.0 before 10.0.8
- Splunk Enterprise 9.4 before 9.4.13
- Splunk Cloud Platform 10.5.2605 before 10.5.2605.0
- Splunk Cloud Platform 10.4.2604 before 10.4.2604.6
- Splunk Cloud Platform 10.3.2512 before 10.3.2512.15
- Splunk Cloud Platform 10.2.2510 before 10.2.2510.18
- Splunk Cloud Platform 10.1.2507 before 10.1.2507.24
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
- 10.4.1
- 10.2.5
- 10.0.8
- 9.4.13
- 10.5.2605.0
- 10.4.2604.6
- 10.3.2512.15
- 10.2.2510.18
- 10.1.2507.24
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
Mitigation
Upgrade to a fixed release: 10.4.1, 10.2.5, 10.0.8, 9.4.13, 10.5.2605.0, 10.4.2604.6. That is the remediation for this advisory.
The vendor advisory may list additional interim mitigations or workarounds not captured here — review it before change work.
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.