Splunk Enterprise has multiple vulnerabilities that can lead to Cross-site Scripting (XSS), Denial of Service (DoS), Remote Code Execution (RCE), Privilege Escalation, and Path Traversal. The CVSS scores of these vulnerabilities range from 6.3 (Medium) to 8.8 (High).
Splunk has addressed these vulnerabilities and has released security advisories for patching them.
An attacker can exploit the reflected Cross-site Scripting (XSS) vulnerability by sending a crafted web request to the “/app/search/table” endpoint, which can lead to the execution of arbitrary commands on the Splunk platform instance. The vulnerability exists due to improper input validation. Its CVSS score is given as 8.4 (High).
A threat actor can trigger the first Denial of Service (DoS) vulnerability by sending a malformed SAML (Security Assertion Markup Language) request to the /saml/acs REST endpoint.
This vulnerability exists because the SAML XML parser does not fail signature validation for the malformed URI. Its CVSS score is given as 6.3 (Medium).
The second DoS vulnerability stems from improper expression validation in the printf function when it is used in combination with commands such as fieldformat. An attacker can exploit this to cause a Denial of Service (DoS) on the instance. Its CVSS score is given as 6.5 (Medium).
For the Remote Code Execution vulnerability, a threat actor can execute arbitrary code on the Splunk Enterprise platform by sending a specially crafted query that can serialize untrusted data. Its CVSS score is given as 8.8 (High).
The Windows Privilege Escalation vulnerability arises from an insecure path in the OPENSSLDIR build definition. The Splunk installation ships DLL files, and the build system expects an internal build definition for them; if no build definition is provided, the build system falls back to the local directory when building the DLL files.
Because the OPENSSLDIR build definition was not provided at build time, this insecure path was encoded into the affected DLL files. A threat actor can exploit this by creating the matching directory structure on the Splunk Enterprise instance and placing malicious code there, which can then be used to escalate privileges. Its CVSS score is given as 7.0 (High).
The Absolute Path Traversal vulnerability lies in the runshellscript.py script. The script performs insufficient validation of the user-supplied path, which lets an attacker with write access to a drive on a Splunk Enterprise instance run a script located in the root directory of another disk on the machine.
This amounts to an absolute path traversal that can be used to execute arbitrary code on a separate disk. Its CVSS score is given as 7.8 (High).
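The missing check described above is a path-containment test. The following is an added example, not Splunk's runshellscript.py or its fix: a hypothetical validator that refuses drive-absolute, UNC and rooted paths and then confirms that the normalized path still sits under an assumed script root. It uses ntpath so Windows path rules apply even when run on Linux.

```python
import ntpath

# Constructed for this example: the tree a script wrapper may execute from.
# Not Splunk's real layout and not its runshellscript.py.
SCRIPT_ROOT = r"C:\Program Files\Splunk\etc\apps"


def resolve_script_path(requested: str, root: str = SCRIPT_ROOT) -> str:
    """Return the full path of a script under root, or raise ValueError.
    Rejects drive-absolute (D:\\...), UNC/device and rooted (\\foo, /foo)
    paths, then normalizes '..' and requires the result to stay under root.
    ntpath applies Windows rules on any OS, so this runs on a Linux box too.
    """
    if not requested or "\x00" in requested:
        raise ValueError("empty or NUL-containing path")
    drive, _ = ntpath.splitdrive(requested)
    if drive or ntpath.isabs(requested) or requested[0] in "\\/":
        raise ValueError(f"absolute path not allowed: {requested}")
    root_n = ntpath.normpath(root)
    full = ntpath.normpath(ntpath.join(root_n, requested))
    try:
        common = ntpath.commonpath([root_n, full])
    except ValueError:  # raised when the drives differ: the other-disk case
        raise ValueError(f"path resolves to another drive: {full}") from None
    if ntpath.normcase(common) != ntpath.normcase(root_n):
        raise ValueError(f"path escapes script root: {full}")
    return full


def check_requests(requests: list[str]) -> dict[str, tuple[str, str]]:
    """Map each requested path to ('allowed', resolved) or ('rejected', why)."""
    verdicts = {}
    for req in requests:
        try:
            verdicts[req] = ("allowed", resolve_script_path(req))
        except ValueError as err:
            verdicts[req] = ("rejected", str(err))
    return verdicts


if __name__ == "__main__":
    # Constructed sample requests covering each path class the check handles.
    samples = [
        r"myapp\bin\collect.sh",        # legitimate app script
        r"myapp\..\..\bin\splunk.bat",  # climbs out of the app tree
        r"D:\staging\run.bat",          # root of another disk
        r"\\fileserver\share\run.bat",  # UNC path
    ]
    for path, (verdict, why) in check_requests(samples).items():
        print(f"{verdict:8} {path!r}: {why}")
```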
| Vulnerability | CVE | Product | Version | Component | Affected Version | Fix Version |
|---|---|---|---|---|---|---|
| Reflected Cross-site Scripting (XSS) | CVE-2023-40592 | Splunk Enterprise | 8.2 | Splunk Web | 8.2.0 to 8.2.11 | 8.2.12 |
| Reflected Cross-site Scripting (XSS) | CVE-2023-40592 | Splunk Enterprise | 9 | Splunk Web | 9.0.0 to 9.0.5 | 9.0.6 |
| Reflected Cross-site Scripting (XSS) | CVE-2023-40592 | Splunk Enterprise | 9.1 | Splunk Web | 9.1.0 | 9.1.1 |
| Reflected Cross-site Scripting (XSS) | CVE-2023-40592 | Splunk Cloud | – | Splunk Web | 9.0.2305.100 and below | 9.0.2305.200 |
| Denial of Service (DoS) | CVE-2023-40593 | Splunk Enterprise | 8.2 | Splunk Web | 8.2.0 to 8.2.11 | 8.2.12 |
| Denial of Service (DoS) | CVE-2023-40593 | Splunk Enterprise | 9 | Splunk Web | 9.0.0 to 9.0.5 | 9.0.6 |
| Denial of Service (DoS) | CVE-2023-40593 | Splunk Cloud | – | Splunk Web | 9.0.2305.100 and below | 9.0.2305.200 |
| Denial of Service (DoS) | CVE-2023-40594 | Splunk Enterprise | 8.2 | Splunk Web | 8.2.0 to 8.2.11 | 8.2.12 |
| Denial of Service (DoS) | CVE-2023-40594 | Splunk Enterprise | 9 | Splunk Web | 9.0.0 to 9.0.5 | 9.0.6 |
| Denial of Service (DoS) | CVE-2023-40594 | Splunk Enterprise | 9.1 | Splunk Web | 9.1.0 | 9.1.1 |
| Denial of Service (DoS) | CVE-2023-40594 | Splunk Cloud | – | Splunk Web | 9.0.2305.100 and below | 9.0.2305.200 |
| Remote Code Execution | CVE-2023-40595 | Splunk Enterprise | 8.2 | Splunk Web | 8.2.0 to 8.2.11 | 8.2.12 |
| Remote Code Execution | CVE-2023-40595 | Splunk Enterprise | 9 | Splunk Web | 9.0.0 to 9.0.5 | 9.0.6 |
| Remote Code Execution | CVE-2023-40595 | Splunk Enterprise | 9.1 | Splunk Web | 9.1.0 | 9.1.1 |
| Remote Code Execution | CVE-2023-40595 | Splunk Cloud | – | Splunk Web | 9.0.2305.100 and below | 9.0.2305.200 |
| Windows Privilege Escalation | CVE-2023-40596 | Splunk Enterprise | 8.2 | Splunk Web | 8.2.0 to 8.2.11 | 8.2.12 |
| Windows Privilege Escalation | CVE-2023-40596 | Splunk Enterprise | 9 | Splunk Web | 9.0.0 to 9.0.5 | 9.0.6 |
| Windows Privilege Escalation | CVE-2023-40596 | Splunk Enterprise | 9.1 | Splunk Web | 9.1.0 | 9.1.1 |
| Absolute Path Traversal | CVE-2023-40597 | Splunk Enterprise | 8.2 | Splunk Web | 8.2.0 to 8.2.11 | 8.2.12 |
| Absolute Path Traversal | CVE-2023-40597 | Splunk Enterprise | 9 | Splunk Web | 9.0.0 to 9.0.5 | 9.0.6 |
| Absolute Path Traversal | CVE-2023-40597 | Splunk Enterprise | 9.1 | Splunk Web | 9.1.0 | 9.1.1 |
| Absolute Path Traversal | CVE-2023-40597 | Splunk Cloud | – | Splunk Web | 9.0.2305.100 and below | 9.0.2305.200 |
According to the Splunk Security Advisories, users of these products are advised to upgrade to the fixed versions listed above to remediate these vulnerabilities.