CVE-2023-22941 – Improperly Formatted ‘INGEST_EVAL’ Parameter Crashes Splunk Daemon
https://notcve.org/view.php?id=CVE-2023-22941
In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, an improperly-formatted ‘INGEST_EVAL’ parameter in a Field Transformation crashes the Splunk daemon (splunkd). • https://github.com/eduardosantos1989/CVE-2023-22941 https://advisory.splunk.com/advisories/SVD-2023-0211 https://research.splunk.com/application/08978eca-caff-44c1-84dc-53f17def4e14 • CWE-248: Uncaught Exception •
CVE-2023-22931 – ‘createrss’ External Search Command Overwrites Existing RSS Feeds in Splunk Enterprise
https://notcve.org/view.php?id=CVE-2023-22931
In Splunk Enterprise versions below 8.1.13 and 8.2.10, the ‘createrss’ external search command overwrites existing Resource Description Format Site Summary (RSS) feeds without verifying permissions. This feature has been deprecated and disabled by default. • https://advisory.splunk.com/advisories/SVD-2023-0201 https://research.splunk.com/application/ee69374a-d27e-4136-adac-956a96ff60fd • CWE-276: Incorrect Default Permissions CWE-285: Improper Authorization •
CVE-2023-22935 – SPL Command Safeguards Bypass via the ‘display.page.search.patterns.sensitivity’ Search Parameter in Splunk Enterprise
https://notcve.org/view.php?id=CVE-2023-22935
In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the ‘display.page.search.patterns.sensitivity’ search parameter lets a search bypass SPL safeguards for risky commands. The vulnerability requires a higher privileged user to initiate a request within their browser and only affects instances with Splunk Web enabled. • https://advisory.splunk.com/advisories/SVD-2023-0205 https://research.splunk.com/application/ee69374a-d27e-4136-adac-956a96ff60fd • CWE-20: Improper Input Validation CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVE-2023-22934 – SPL Command Safeguards Bypass via the ‘pivot’ SPL Command in Splunk Enterprise
https://notcve.org/view.php?id=CVE-2023-22934
In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the ‘pivot’ search processing language (SPL) command lets a search bypass SPL safeguards for risky commands using a saved search job. The vulnerability requires an authenticated user to craft the saved job and a higher privileged user to initiate a request within their browser. • https://advisory.splunk.com/advisories/SVD-2023-0204 https://research.splunk.com/application/ee69374a-d27e-4136-adac-956a96ff60fd • CWE-20: Improper Input Validation CWE-108: Struts: Unvalidated Action Form •
CVE-2023-22940 – SPL Command Safeguards Bypass via the ‘collect’ SPL Command Aliases in Splunk Enterprise
https://notcve.org/view.php?id=CVE-2023-22940
In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, aliases of the ‘collect’ search processing language (SPL) command, including ‘summaryindex’, ‘sumindex’, ‘stash’,’ mcollect’, and ‘meventcollect’, were not designated as safeguarded commands. The commands could potentially allow for the exposing of data to a summary index that unprivileged users could access. The vulnerability requires a higher privileged user to initiate a request within their browser, and only affects instances with Splunk Web enabled. • https://advisory.splunk.com/advisories/SVD-2023-0210 https://research.splunk.com/application/ee69374a-d27e-4136-adac-956a96ff60fd • CWE-20: Improper Input Validation •