{
  "entrypoint_kind": "endpoint",
  "entrypoint_detail": "Splunk Web (port 8000) proxied PostgreSQL sidecar recovery/backup+restore endpoints, AUTHENTICATED (Splunk token), reached from a remote network attacker container on a shared Docker network. The fix requires auth but does not sanitize the database connection string parameter.",
  "service_started": true,
  "healthcheck_passed": true,
  "target_path_reached": true,
  "runtime_stack": [
    "splunk/splunk:10.0.7 (FIXED build - bypass target, PostgreSQL sidecar with auth enforced)",
    "splunk/splunk:10.0.6 (vulnerable control, unauthenticated access confirmed)",
    "postgres:16-alpine (attacker-controlled Postgres with postgres_admin role + malicious pwn()/pwn_variant() functions)",
    "docker network splunknet_variant (remote attacker <-> Splunk Web port 8000)"
  ],
  "proof_artifacts": [
    "vuln_variant/variant_bypass_proof.txt",
    "vuln_variant/variant_rce_marker.txt",
    "artifacts/http/variant_backup_resp.json",
    "artifacts/http/variant_restore_resp.json",
    "artifacts/http/variant_fixed_unauth_control.txt",
    "artifacts/http/variant_vuln_control.txt",
    "artifacts/http/ssg_enable_modular_input.FIXED_ORIGINAL.py",
    "artifacts/http/ssg_enable_modular_input.FIXED_AFTER_VARIANT.py",
    "logs/vuln_variant/variant_reproduction.log"
  ],
  "notes": "negative_control_unauth_blocked=True control_vuln_unauth_allowed=False variant_backup_hostaddr=True variant_file_write_lo_export=True variant_rce_splunk_user=True attacker_pg_ip=172.21.0.2 pgpass=/opt/splunk/var/packages/data/postgres/db/.pgpass token_length=116"
}
