Splunk Address Third-Party Packages Vulnerabilities in SOAR Versions

Splunk has released critical security updates addressing multiple vulnerabilities in third-party packages in SOAR versions 6.4.0 and 6.4. 

Published on July 7, 2025, this comprehensive security update remediates various Common Vulnerabilities and Exposures (CVEs) ranging from medium to critical severity levels. 

The vulnerabilities affect essential components, including git, Django, cryptography libraries, and JavaScript packages, requiring immediate attention from security administrators managing Splunk SOAR deployments.

Key Takeaways
1. Splunk addresses multiple critical CVEs including CVE-2024-32002 (git) and CVE-2024-48949 (@babel/traverse) in SOAR versions 6.4.0 and 6.4.1.
2. Third-party components upgraded, including Django, cryptography, jQuery DataTables, and wkhtml removal, covering vulnerabilities from critical to medium severity.
3. All SOAR 6.4 installations below version 6.4.1 must immediately upgrade to 6.4.1 or higher.
4. Unpatched vulnerabilities could enable unauthorized access, code execution, and data manipulation across the core SOAR infrastructure.

Critical Vulnerabilities Addressed

The security advisory identifies several critical-severity vulnerabilities that pose immediate risks to SOAR environments. 

CVE-2024-32002 is a critical severity vulnerability affecting the git package. This vulnerability was identified in Splunk SOAR versions 6.4.0 and 6.4.1 and has been remediated through an upgrade to git version 2.48.1. 

The critical severity rating indicates this vulnerability poses significant security risks and requires immediate attention from system administrators.

CVE-2024-48949 represents another critical severity vulnerability, specifically targeting the @babel/traverse package. 

In Splunk SOAR version 6.4.0, this vulnerability was addressed by upgrading the package to version 7.26.7. 

However, in the subsequent SOAR version 6.4.1, Splunk took the more decisive approach of completely removing the @babel/traverse package to eliminate the vulnerability entirely.

High-Severity Issues

High-severity vulnerabilities include CVE-2024-45230 in Django, CVE-2024-21538 in cross-spawn, CVE-2024-52804 in tornado, CVE-2022-35583 wkhtml vulnerability, CVE-2024-6345 in Setuptools, CVE-2024-39338 in Axios JavaScript library and CVE-2024-49767 in Werkzeug WSGI utility library.

These vulnerabilities could potentially allow unauthorized access, code execution, or data manipulation within the SOAR environment.

Organizations must immediately upgrade to Splunk SOAR version 6.4.1 or higher to remediate all identified vulnerabilities. 

The advisory affects all SOAR base version 6.4 installations below 6.4.1, making this update essential for maintaining security posture.

System administrators should prioritize this update due to the presence of multiple critical and high-severity CVEs. 

Organizations should schedule maintenance windows promptly to deploy these critical security patches and protect their SOAR environments from potential exploitation.

Think like an Attacker, Mastering Endpoint Security With Marcus Hutchins – Register Now