https://community.splunk.com/t5/Splunk-Enterprise/Information-Disclosure-Vulnerability-Splunk-7-2-4-2/m-p/674899#M18419 <P>Hi <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/253265">@sgabriel1962</a>&nbsp;</P><P>As you noticed yourself, you're responding to an old thread regarding a relatively old and unsupported version of Splunk. So even if your problem seems similar, it is quite likely that it's caused by different thing (especially that original one was supposed to be due to a but which should have been patched long ago).</P><P>Instead of digging up an old thread, it's better to create a new one with a detailed description of your problem (and possibly a link to the old thread as a reference to something you'd found while looking for solutions but what may not be applicable to your situation).</P> Fri, 19 Jan 2024 21:08:53 GMT PickleRick 2024-01-19T21:08:53Z https://community.splunk.com/t5/Splunk-Enterprise/Information-Disclosure-Vulnerability-Splunk-7-2-4-2/m-p/489717#M9467 <P>I have upgraded Splunk Enterprise to 7.2.4.2 as well as the forwarder. However, the Splunk Information Disclosure Vulnerability remains an issue. I can reach this URL unathenticated (https://&lt;&gt;:8000/en-US/splunkd/__raw/services/server/info/server-info?output_mode=json) and receive the disclosed server info. The upgrade should've resolved it per the Splunk doc. (Nessus Plug-in 121164)</P> Wed, 30 Sep 2020 04:31:58 GMT https://community.splunk.com/t5/Splunk-Enterprise/Information-Disclosure-Vulnerability-Splunk-7-2-4-2/m-p/489717#M9467 wuka1988 2020-09-30T04:31:58Z https://community.splunk.com/t5/Splunk-Enterprise/Information-Disclosure-Vulnerability-Splunk-7-2-4-2/m-p/489718#M9468 <P>Are you running an authenticated scan against the endpoint with credentials?</P> <P>The CVE as discussed here: <A href="https://www.splunk.com/view/SP-CAAAP5E">https://www.splunk.com/view/SP-CAAAP5E</A><BR /> Addresses the issue by moving the endpoint to an authenticated request in versions &gt;6.6.0.</P> <P>I am not sure why nessus would still detect this in an unauthenticated request</P> Tue, 10 Mar 2020 08:54:05 GMT https://community.splunk.com/t5/Splunk-Enterprise/Information-Disclosure-Vulnerability-Splunk-7-2-4-2/m-p/489718#M9468 nickhills 2020-03-10T08:54:05Z https://community.splunk.com/t5/Splunk-Enterprise/Information-Disclosure-Vulnerability-Splunk-7-2-4-2/m-p/489719#M9469 <P>Well, its not Nessus. It's a Splunk issue. I can reach this URL unauthenticated (https://&lt;&gt;:8000/en-US/splunkd/__raw/services/server/info/server-info?output_mode=json) and get the disclosed information.</P> Wed, 30 Sep 2020 04:32:19 GMT https://community.splunk.com/t5/Splunk-Enterprise/Information-Disclosure-Vulnerability-Splunk-7-2-4-2/m-p/489719#M9469 wuka1988 2020-09-30T04:32:19Z https://community.splunk.com/t5/Splunk-Enterprise/Information-Disclosure-Vulnerability-Splunk-7-2-4-2/m-p/489720#M9470 <P><STRONG>Fixed it</STRONG>. The restmap.conf file (Splunk/etc/system/local/restmap.conf) was set to allow unauthenticated users to view system information through a REST endpoint. The stanzas should read as follows:</P> <P>[admin:server-info]<BR /> requireAuthentication = true</P> <P>[admin:server-info-alias]<BR /> requireAuthentication = true</P> Tue, 10 Mar 2020 16:49:31 GMT https://community.splunk.com/t5/Splunk-Enterprise/Information-Disclosure-Vulnerability-Splunk-7-2-4-2/m-p/489720#M9470 wuka1988 2020-03-10T16:49:31Z https://community.splunk.com/t5/Splunk-Enterprise/Information-Disclosure-Vulnerability-Splunk-7-2-4-2/m-p/674891#M18418 <P>I have a similar situation in my environment - making the changes to the restmap.conf prevents the App Launcher from loading&nbsp; this is true&nbsp; -&nbsp; and I have version 9.1.2&nbsp; where the fix must should have been fixed</P><P>&nbsp;</P> Fri, 19 Jan 2024 19:56:55 GMT https://community.splunk.com/t5/Splunk-Enterprise/Information-Disclosure-Vulnerability-Splunk-7-2-4-2/m-p/674891#M18418 sgabriel1962 2024-01-19T19:56:55Z https://community.splunk.com/t5/Splunk-Enterprise/Information-Disclosure-Vulnerability-Splunk-7-2-4-2/m-p/674899#M18419 <P>Hi <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/253265">@sgabriel1962</a>&nbsp;</P><P>As you noticed yourself, you're responding to an old thread regarding a relatively old and unsupported version of Splunk. So even if your problem seems similar, it is quite likely that it's caused by different thing (especially that original one was supposed to be due to a but which should have been patched long ago).</P><P>Instead of digging up an old thread, it's better to create a new one with a detailed description of your problem (and possibly a link to the old thread as a reference to something you'd found while looking for solutions but what may not be applicable to your situation).</P> Fri, 19 Jan 2024 21:08:53 GMT https://community.splunk.com/t5/Splunk-Enterprise/Information-Disclosure-Vulnerability-Splunk-7-2-4-2/m-p/674899#M18419 PickleRick 2024-01-19T21:08:53Z