Impact
A low-privileged user who does not hold the ‘admin’ or ‘power’ Splunk role can trigger a denial of service through the coldToFrozen.sh script in the splunk_archiver app. The script renames Splunk directories based on its input without validating that input, so an attacker can point it at directories the instance depends on and have them renamed, leaving the Splunk instance inoperable. The weakness is classified as CWE-20 (Improper Input Validation).
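The fix class for a CWE-20 path issue in a cold-to-frozen hook is to refuse any argument that is not exactly a bucket directory in the expected location before renaming anything. The following is an added illustration of that check, not Splunk's coldToFrozen.sh and not the vendor's fix; the SPLUNK_DB and FROZEN_ROOT locations, the `<index>/colddb/<bucket>` layout and the bucket-name pattern are assumptions, and the unchecked variant is included only to show the shape of the weakness beside the hardened one.

```shell
#!/bin/sh
# Added illustration of input validation for a cold-to-frozen hook.
# Hypothetical code, not Splunk's coldToFrozen.sh; SPLUNK_DB, FROZEN_ROOT,
# the <index>/colddb/<bucket> layout and the bucket-name regex are assumptions.

SPLUNK_DB="${SPLUNK_DB:-/opt/splunk/var/lib/splunk}"   # assumed data root
FROZEN_ROOT="${FROZEN_ROOT:-/var/frozen}"             # assumed archive target

# The shape of the weakness: trust the caller's path and rename it. Pointed at
# any directory the Splunk user can write to, this renames that directory.
freeze_bucket_unchecked() {
    mv -- "$1" "$FROZEN_ROOT/"
}

# validate_bucket PATH
# Accept only an absolute, traversal-free path of exactly the form
# $SPLUNK_DB/<index>/colddb/<bucket>, where <bucket> looks like a Splunk
# bucket directory (db_<latest>_<earliest>_<id> or rb_..., optional GUID).
validate_bucket() {
    p=$1
    case $p in
        /*) ;;
        *) echo "reject: not absolute: $p" >&2; return 1 ;;
    esac
    case "$p/" in
        */../*|*/./*|*//*) echo "reject: traversal or empty component: $p" >&2; return 1 ;;
    esac
    rel=${p#"$SPLUNK_DB"/}        # strip the root; unchanged if p lies outside it
    index=${rel%%/*}
    name=${p##*/}
    # Exact-depth comparison: rejects hot/warm paths, nested paths and anything
    # outside SPLUNK_DB, including the root itself.
    [ "$p" = "$SPLUNK_DB/$index/colddb/$name" ] || {
        echo "reject: not of the form $SPLUNK_DB/<index>/colddb/<bucket>: $p" >&2; return 1; }
    printf '%s\n' "$name" | grep -Eq '^(db|rb)_[0-9]+_[0-9]+_[0-9]+(_[0-9A-Fa-f-]+)?$' || {
        echo "reject: not a bucket directory name: $name" >&2; return 1; }
    return 0
}

# freeze_bucket PATH
# Validate first, then move the bucket under $FROZEN_ROOT/<index>/. Prints the
# destination on success; on rejection returns 1 without touching the filesystem.
freeze_bucket() {
    validate_bucket "$1" || return 1
    rel=${1#"$SPLUNK_DB"/}
    index=${rel%%/*}
    dest="$FROZEN_ROOT/$index"
    mkdir -p -- "$dest" || return 1
    mv -- "$1" "$dest/" || return 1
    printf '%s\n' "$dest/${1##*/}"
}
```

The important property is that every rejection happens before `mv` runs: the path is checked for shape (absolute, no `..`, no empty components), for location (exactly `$SPLUNK_DB/<index>/colddb/<bucket>`) and for name (bucket naming convention), so a caller who controls the argument can only ever rename a cold bucket, never an arbitrary directory.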
Affected Systems
Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.11 and 9.3.12, and Splunk Cloud Platform versions below 10.4.2603.1, 10.3.2512.9, 10.2.2510.11, 10.1.2507.21, 10.0.2503.13 and 9.3.2411.129, are affected; each listed release is the first fixed version of its maintenance branch.
Risk and Exploitability
The CVSS score of 7.1 rates the issue High; no EPSS score is available and the vulnerability is not listed in CISA’s KEV catalog. Based on the description, exploitation requires an authenticated low-privileged account on the affected Splunk instance, which points to a local attack vector. Once exploited, the instance stays non-functional until an operator restores or rebuilds the renamed directories and applies a fixed version. Because the script does not validate its input, the directories it renames are under the attacker’s control, which is a direct loss of availability.
OpenCVE Enrichment