PatchSiren cyber security CVE debrief
CVE-2017-5880 Splunk CVE debrief
CVE-2017-5880 is a denial-of-service issue in Splunk Web. A remote authenticated user can send a crafted GET request that crashes the daemon, disrupting availability. The issue was publicly disclosed on 2017-02-04 and is rated CVSS 6.5 (Medium).
- Vendor: Splunk
- Product: CVE-2017-5880
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-02-04
- Original CVE updated: 2026-05-13
- Advisory published: 2017-02-04
- Advisory updated: 2026-05-13
Who should care
Splunk Enterprise and Splunk Light administrators, especially teams running affected 5.0.x, 6.0.x, 6.1.x, 6.2.x, 6.3.x, 6.4.x, or 6.5.x deployments. Security teams should also care if lower-privilege authenticated users have access to Splunk Web.
Technical summary
NVD describes the flaw as a Splunk Web denial of service caused by a crafted GET request from a remote authenticated user. The weakness is mapped to CWE-20 (Improper Input Validation). NVD’s CVSS v3.0 vector is AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, reflecting network reachability, low attack complexity, required low privileges, and high availability impact. Affected versions listed in the corpus include Splunk Enterprise 6.5.x before 6.5.2, 6.4.x before 6.4.5, 6.3.x before 6.3.9, 6.2.x before 6.2.13, 6.1.x before 6.1.12, 6.0.x before 6.0.13, 5.0.x before 5.0.17, and Splunk Light before 6.5.2.
Defensive priority
High for environments that expose Splunk Web to multiple authenticated users. While this is not a code-execution issue, it can interrupt logging, search, and monitoring workflows by crashing the daemon.
Recommended defensive actions
- Upgrade Splunk Enterprise to the fixed release for your branch: 6.5.2, 6.4.5, 6.3.9, 6.2.13, 6.1.12, 6.0.13, or 5.0.17.
- Upgrade Splunk Light to 6.5.2 or later.
- Limit Splunk Web access to trusted administrative users wherever possible.
- Review authentication and role assignments so only necessary users can reach Splunk Web.
- Monitor for unexpected Splunk Web crashes or repeated service restarts and treat them as potential indicators of abuse.
- Use the vendor advisory referenced in the CVE record for patch guidance and release-specific remediation notes.
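The upgrade targets above can be checked against an inventory mechanically. The following is an added example, not code from Splunk or from the CVE record; the host names and inventory are constructed, and branches this page does not list are reported as `not-listed` rather than guessed.

```python
import re

# Fixed patch level per Splunk Enterprise branch, as listed on this page.
ENTERPRISE_FIXED = {(5, 0): 17, (6, 0): 13, (6, 1): 12, (6, 2): 13,
                    (6, 3): 9, (6, 4): 5, (6, 5): 2}
LIGHT_FIXED = (6, 5, 2)  # Splunk Light: everything before 6.5.2 is affected

def parse_version(text):
    """Extract (major, minor, patch) from a string such as '6.5.1' or '6.5'."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)

def assess(product, version_text):
    """Return (status, target); status is 'affected', 'fixed' or 'not-listed'."""
    major, minor, patch = parse_version(version_text)
    if product == "light":
        if (major, minor, patch) < LIGHT_FIXED:
            return "affected", "6.5.2"
        return "fixed", None
    if product != "enterprise":
        raise ValueError(f"unknown product {product!r}")
    fixed = ENTERPRISE_FIXED.get((major, minor))
    if fixed is None:
        return "not-listed", None  # branch absent from the page: no verdict
    if patch < fixed:
        return "affected", f"{major}.{minor}.{fixed}"
    return "fixed", None

def upgrade_plan(inventory):
    """Map host -> upgrade target for every affected entry in the inventory."""
    plan = {}
    for host, product, version_text in inventory:
        status, target = assess(product, version_text)
        if status == "affected":
            plan[host] = target
    return plan

# Constructed inventory for illustration; host names are hypothetical.
SAMPLE_INVENTORY = [
    ("sh-01", "enterprise", "6.5.1"), ("idx-02", "enterprise", "6.2.13"),
    ("lab-03", "light", "6.4.3"), ("old-04", "enterprise", "5.0.9"),
]

if __name__ == "__main__":
    print(upgrade_plan(SAMPLE_INVENTORY))
```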
Evidence notes
All claims are grounded in the supplied CVE/NVD corpus and the official CVE/NVD records. The corpus states that Splunk Web in specified Splunk Enterprise and Splunk Light versions allows remote authenticated users to cause a denial of service (daemon crash) via a crafted GET request, and lists the affected version ranges and patch levels. NVD also provides the CVSS 3.0 vector and CWE-20 classification.
Official resources
- CVE-2017-5880 CVE record (CVE.org)
- CVE-2017-5880 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference ([email protected] - Patch, Vendor Advisory)
Publicly disclosed on 2017-02-04 in the supplied CVE record.