{
  "entrypoint_kind": "endpoint",
  "entrypoint_detail": "Splunk Web (port 8000) proxied PostgreSQL sidecar recovery/backup+restore endpoints, unauthenticated, reached from a remote network attacker container on a shared Docker network",
  "service_started": true,
  "healthcheck_passed": true,
  "target_path_reached": true,
  "runtime_stack": [
    "splunk/splunk:10.0.6 (vulnerable, PostgreSQL sidecar enabled by default)",
    "splunk/splunk:10.0.7 (fixed control, endpoint returns 401)",
    "postgres:16-alpine (attacker-controlled Postgres)",
    "docker network splunknet (remote attacker <-> Splunk Web port 8000)"
  ],
  "proof_artifacts": [
    "artifacts/http/stage1_backup_resp.json",
    "artifacts/http/stage1_created_file.dump",
    "artifacts/http/stage2a_backup_resp.json",
    "artifacts/http/stage2b_restore_resp.json",
    "artifacts/http/ssg_enable_modular_input.ORIGINAL.py",
    "artifacts/http/ssg_enable_modular_input.PAYLOAD.py",
    "artifacts/http/RCE_MARKER.txt",
    "artifacts/http/fixed_control_responses.txt",
    "logs/reproduction_steps.log"
  ],
  "notes": "stage1_file_create=True stage2_arbitrary_content_write=True stage3_rce=True negative_control_blocked=True attacker_pg_ip=172.18.0.2 pgpass=/opt/splunk/var/packages/data/postgres/db/.pgpass"
}
