CVE-2025-20370

Summary

In Splunk Enterprise versions below 10.0.1, 9.4.4, 9.3.6, and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.108, 9.3.2408.118 and 9.2.2406.123, a user who holds a role that contains the high-privilege capability change_authentication, could send multiple LDAP bind requests to a specific internal endpoint, resulting in high server CPU usage, which could potentially lead to a denial of service (DoS) until the Splunk Enterprise instance is restarted. See https://help.splunk.com/en/splunk-enterprise/administer/manage-users-and-security/10.0/manage-splunk-platform-users-and-roles/define-roles-on-the-splunk-platform-with-capabilities and https://help.splunk.com/en/splunk-enterprise/administer/manage-users-and-security/10.0/use-ldap-as-an-authentication-scheme/configure-ldap-with-splunk-web#cfe47e31_007f_460d_8b3d_8505ffc3f0dd__Configure_LDAP_with_Splunk_Web for more information.

Affected Software

VendorProductVersion RangeStatus
SplunkSplunk Enterprise10.0 < 10.0.1affected
SplunkSplunk Enterprise9.4 < 9.4.4affected
SplunkSplunk Enterprise9.3 < 9.3.6affected
SplunkSplunk Enterprise9.2 < 9.2.8affected
SplunkSplunk Enterprise Cloud9.3.2411 < 9.3.2411.108affected
SplunkSplunk Enterprise Cloud9.3.2408 < 9.3.2408.118affected
SplunkSplunk Enterprise Cloud9.2.2406 < 9.2.2406.123affected

Weaknesses

  • CWE-400: The software does not properly control the allocation and maintenance of a limited resource thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References