CVSS: 8.8EPSS: 0%CPEs: 4EXPL: 0CVE-2023-40598 – Command Injection in Splunk Enterprise Using External Lookups
https://notcve.org/view.php?id=CVE-2023-40598
In Splunk Enterprise versions below 8.2.12, 9.0.6, and 9.1.1, an attacker can create an external lookup that calls a legacy internal function. The attacker can use this internal function to insert code into the Splunk platform installation directory. From there, a user can execute arbitrary code on the Splunk platform Instance. • https://advisory.splunk.com/advisories/SVD-2023-0807 https://research.splunk.com/application/ee69374a-d27e-4136-adac-956a96ff60fd • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE-306: Missing Authentication for Critical Function •
CVSS: 8.6EPSS: 0%CPEs: 2EXPL: 0CVE-2023-3997 – Unauthenticated Log Injection In Splunk SOAR
https://notcve.org/view.php?id=CVE-2023-3997
Splunk SOAR versions lower than 6.1.0 are indirectly affected by a potential vulnerability accessed through the user’s terminal. A third party can send Splunk SOAR a maliciously crafted web request containing special ANSI characters to cause log file poisoning. When a terminal user attempts to view the poisoned logs, this can tamper with the terminal and cause possible malicious code execution from the terminal user’s action. Splunk SOAR versions 6.0.2 and earlier are indirectly affected by a potential vulnerability accessed through the user’s terminal. A third party can send Splunk SOAR a maliciously crafted web request containing special ANSI characters to cause log file poisoning. • https://advisory.splunk.com/advisories/SVD-2023-0702 • CWE-116: Improper Encoding or Escaping of Output CWE-117: Improper Output Neutralization for Logs •
CVSS: 4.3EPSS: 0%CPEs: 4EXPL: 0CVE-2023-32709 – Low-privileged User can View Hashed Default Splunk Password
https://notcve.org/view.php?id=CVE-2023-32709
In Splunk Enterprise versions below 9.0.5, 8.2.11. and 8.1.14, and Splunk Cloud Platform versions below 9.0.2303.100, a low-privileged user who holds the ‘user’ role can see the hashed version of the initial user name and password for the Splunk instance by using the ‘rest’ SPL command against the ‘conf-user-seed’ REST endpoint. • https://advisory.splunk.com/advisories/SVD-2023-0604 https://research.splunk.com/application/a1be424d-e59c-4583-b6f9-2dcc23be4875 • CWE-285: Improper Authorization •
CVSS: 8.8EPSS: 89%CPEs: 4EXPL: 2CVE-2023-32707 – ‘edit_user’ Capability Privilege Escalation
https://notcve.org/view.php?id=CVE-2023-32707
In versions of Splunk Enterprise below 9.0.5, 8.2.11, and 8.1.14, and Splunk Cloud Platform below version 9.0.2303.100, a low-privileged user who holds a role that has the ‘edit_user’ capability assigned to it can escalate their privileges to that of the admin user by providing specially crafted web requests. En las versiones de Splunk Enterprise anteriores a 9.0.5, 8.2.11 y 8.1.14, y de Splunk Cloud Platform anteriores a la versión 9.0.2303.100, un usuario con pocos privilegios que tenga un rol que tenga asignada la capacidad de "edit_user" puede escalar sus privilegios a los del usuario administrador proporcionando solicitudes web especialmente manipuladas. Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14 allows low-privileged users who hold a role with edit_user capability assigned to it the ability to escalate their privileges to that of the admin user by providing specially crafted web requests. • https://www.exploit-db.com/exploits/51747 https://github.com/9xN/CVE-2023-32707 https://advisory.splunk.com/advisories/SVD-2023-0602 https://research.splunk.com/application/39e1c326-67d7-4c0d-8584-8056354f6593 - • CWE-285: Improper Authorization •
CVSS: 9.9EPSS: 0%CPEs: 1EXPL: 0CVE-2023-32713 – Local Privilege Escalation via the ‘streamfwd’ program in Splunk App for Stream
https://notcve.org/view.php?id=CVE-2023-32713
In Splunk App for Stream versions below 8.1.1, a low-privileged user could use a vulnerability in the streamfwd process within the Splunk App for Stream to escalate their privileges on the machine that runs the Splunk Enterprise instance, up to and including the root user. • https://advisory.splunk.com/advisories/SVD-2023-0607 • CWE-269: Improper Privilege Management •