Try in Splunk Security Cloud


Reduce the risk of CVE-2018-11409, an information disclosure vulnerability within some older versions of Splunk Enterprise, with searches designed to help ensure that your Splunk system does not leak information to authenticated users.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • Last Updated: 2018-06-14
  • Author: David Dorsey, Splunk
  • ID: 1fc34cbc-34e9-43ba-87ab-6811c9e95400


Although there have been no reports of it being exploited, Splunk Enterprise versions through 7.0.1 reportedly have a vulnerability that may expose information through a REST endpoint (read more here: NIST has included it in its vulnerability database (read more here: The REST endpoint that exposes system information is also necessary for the proper operation of Splunk clustering and instrumentation. Customers should upgrade to the latest version to reduce the risk of this vulnerability.
Splunk Enterprise exposes partial information about the host operating system, hardware, and Splunk license. Splunk Enterprise before 6.6.0 exposes this information without authentication. Splunk Enterprise 6.6.0 and later exposes this information only to authenticated Splunk users. Based on the information exposure, Splunk characterizes this issue as a low severity impact.
Read more in Splunk’s official response:
A detection search within this Analytic Story looks for vulnerabilities described in CVE-2018-11409: Information Exposure ( If it turns up activities that may be specific, you can use the included investigative searches to return information regarding web activity and network traffic by src_ip.


Name Technique Type
Splunk Enterprise Information Disclosure None TTP


source | version: 1