LoFP / This search is highly specific for vulnerable versions of Splunk Add-on Builder. There are no known false positives.

Techniques

Sample rules

Splunk Information Disclosure in Splunk Add-on Builder

Description

In Splunk Add-on Builder versions below 4.1.4, the application writes sensitive information to its internal log files when you visit the Splunk Add-on Builder or when you build or edit a custom app or add-on.

Detection logic


| rest /services/apps/local 
| search disabled=0 core=0 label="Splunk Add-on Builder" 
| dedup label 
| search version < 4.1.4 
| eval WarningMessage="Splunk Add-on Builder Versions older than v4.1.4 contain a critical vulnerability. Update to Splunk Add-on Builder v4.1.4 or higher immediately. For more information about this vulnerability, please refer to https://advisory.splunk.com/advisories/SVD-2024-0111" 
| table label version WarningMessage 
| `splunk_information_disclosure_in_splunk_add_on_builder_filter`