CVE-2024-53245 LOW

CVE-2024-53245: Information Disclosure due to Username Collision with a Role that has the same Name as the User

Vendor Splunk
Product Splunk Enterprise
Weakness CWE-200 · Info exposure
Published December 10, 2024
Last update February 28, 2025

CVSS base score

3.1/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01 Description

In Splunk Enterprise versions below 9.3.0, 9.2.4, and 9.1.7 and Splunk Cloud Platform versions below 9.1.2312.206, a low-privileged user who does not hold the “admin” or “power” Splunk roles, and whose username is the same as the name of a role with read access to dashboards, could see the dashboard name and the dashboard XML by cloning the dashboard.

Key dates

02 Disclosure timeline

December 10, 2024 CVE published
February 28, 2025 Record updated