Urgent Update Needed to Your Splunk

Three significant vulnerabilities have been published affecting multiple versions of Splunk Enterprise and Splunk Cloud. They allow remote code execution, path traversal, and command injection. Splunk has released patches and urges users to update their installations immediately.

CVE-2023-40595 – CVSSv3.1 Score 8.8

Attackers can execute a specially crafted query that they can then use to serialize untrusted data in Splunk Enterprise versions lower than 8.2.12, 9.0.6, and 9.1.1.

CVE-2023-40597 – CVSSv3.1 Score 7.8

Attackers can exploit an absolute path traversal to execute arbitrary code that is located on a separate disk in Splunk Enterprise versions lower than 8.2.12, 9.0.6, and 9.1.1.

CVE-2023-40598 – CVSSv3.1 Score 8.5

Attackers can create an external lookup that calls a legacy internal function, allowing them to inject arbitrary code within the Splunk platform. The vulnerability lies in the deprecated runshellscript command used in scripted alert actions.

To Do

Splunk has stated that it is actively monitoring and patching affected instances on the Splunk Cloud Platform.

There are no reports yet of these vulnerabilities being exploited in the wild. Meanwhile, users are strongly advised to upgrade to the latest versions of Splunk to close them.
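As an added example (not from this post or from Splunk), a small Python check that compares a Splunk Enterprise version string against the fixed releases named above and reports which upgrade each host needs. It assumes the per-branch reading of "lower than 8.2.12, 9.0.6, and 9.1.1" (8.x below 8.2.12, 9.0.x below 9.0.6, 9.1.x below 9.1.1), that 9.2 and later already carry the fix, and that anything older than 8.x is affected; the sample inventory is constructed.

```python
"""Triage Splunk Enterprise version strings against the fixed releases in this
advisory (CVE-2023-40595, CVE-2023-40597, CVE-2023-40598).

Assumption: "lower than 8.2.12, 9.0.6, and 9.1.1" is read per release branch,
so 8.x below 8.2.12, 9.0.x below 9.0.6 and 9.1.x below 9.1.1 are affected,
9.2 and later already carry the fix, and anything older than 8.x is below
8.2.12 (and out of support) and therefore affected.
"""
from __future__ import annotations

# Minimum fixed release per branch, taken from the advisory text above.
FIXED_VERSIONS: dict[tuple[int, int], tuple[int, ...]] = {
    (8, 2): (8, 2, 12),
    (9, 0): (9, 0, 6),
    (9, 1): (9, 1, 1),
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '9.0.5' or the four-part '9.0.5.1' into a comparable tuple."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def required_fix(version: str) -> str | None:
    """Return the release to upgrade to, or None if this version is not affected."""
    v = parse_version(version)
    major = v[0]
    minor = v[1] if len(v) > 1 else 0
    if major < 8 or (major == 8 and v < FIXED_VERSIONS[(8, 2)]):
        return "8.2.12"          # any 8.x (or older) below the 8.2 fix line
    branch = FIXED_VERSIONS.get((major, minor))
    if branch is not None and v < branch:
        return ".".join(map(str, branch))
    return None                  # at or above the fix for its branch, or 9.2+


def is_affected(version: str) -> bool:
    return required_fix(version) is not None


def triage(versions: list[str]) -> dict[str, str | None]:
    """Map each reported version to the fix it needs (None = already fixed)."""
    return {v: required_fix(v) for v in versions}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    inventory = ["8.2.11", "8.2.12", "9.0.5.1", "9.0.6", "9.1.0", "9.1.1", "9.2.0", "7.3.9"]
    for ver, fix in triage(inventory).items():
        print(f"{ver:<8} {'UPGRADE to ' + fix if fix else 'not affected'}")
```

The version strings can be fed in from `splunk version` output or the `splunkd` build info on each host.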
