CVE-2023-40595 – Remote Code Execution via Serialized Session Payload
https://notcve.org/view.php?id=CVE-2023-40595
In Splunk Enterprise versions lower than 8.2.12, 9.0.6, and 9.1.1, an attacker can execute a specially crafted query that they can then use to serialize untrusted data. The attacker can use the query to execute arbitrary code. • https://advisory.splunk.com/advisories/SVD-2023-0804 https://research.splunk.com/application/d1d8fda6-874a-400f-82cf-dcbb59d8e4db • CWE-502: Deserialization of Untrusted Data •
CVE-2023-40598 – Command Injection in Splunk Enterprise Using External Lookups
https://notcve.org/view.php?id=CVE-2023-40598
In Splunk Enterprise versions below 8.2.12, 9.0.6, and 9.1.1, an attacker can create an external lookup that calls a legacy internal function. The attacker can use this internal function to insert code into the Splunk platform installation directory. From there, a user can execute arbitrary code on the Splunk platform Instance. • https://advisory.splunk.com/advisories/SVD-2023-0807 https://research.splunk.com/application/ee69374a-d27e-4136-adac-956a96ff60fd • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE-306: Missing Authentication for Critical Function •
CVE-2023-32709 – Low-privileged User can View Hashed Default Splunk Password
https://notcve.org/view.php?id=CVE-2023-32709
In Splunk Enterprise versions below 9.0.5, 8.2.11. and 8.1.14, and Splunk Cloud Platform versions below 9.0.2303.100, a low-privileged user who holds the ‘user’ role can see the hashed version of the initial user name and password for the Splunk instance by using the ‘rest’ SPL command against the ‘conf-user-seed’ REST endpoint. • https://advisory.splunk.com/advisories/SVD-2023-0604 https://research.splunk.com/application/a1be424d-e59c-4583-b6f9-2dcc23be4875 • CWE-285: Improper Authorization •
CVE-2023-32707 – ‘edit_user’ Capability Privilege Escalation
https://notcve.org/view.php?id=CVE-2023-32707
In versions of Splunk Enterprise below 9.0.5, 8.2.11, and 8.1.14, and Splunk Cloud Platform below version 9.0.2303.100, a low-privileged user who holds a role that has the ‘edit_user’ capability assigned to it can escalate their privileges to that of the admin user by providing specially crafted web requests. En las versiones de Splunk Enterprise anteriores a 9.0.5, 8.2.11 y 8.1.14, y de Splunk Cloud Platform anteriores a la versión 9.0.2303.100, un usuario con pocos privilegios que tenga un rol que tenga asignada la capacidad de "edit_user" puede escalar sus privilegios a los del usuario administrador proporcionando solicitudes web especialmente manipuladas. Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14 allows low-privileged users who hold a role with edit_user capability assigned to it the ability to escalate their privileges to that of the admin user by providing specially crafted web requests. • https://www.exploit-db.com/exploits/51747 https://github.com/9xN/CVE-2023-32707 https://advisory.splunk.com/advisories/SVD-2023-0602 https://research.splunk.com/application/39e1c326-67d7-4c0d-8584-8056354f6593 - • CWE-285: Improper Authorization •
CVE-2023-32712 – Unauthenticated Log Injection in Splunk Enterprise
https://notcve.org/view.php?id=CVE-2023-32712
In Splunk Enterprise versions below 9.1.0.2, 9.0.5.1, and 8.2.11.2, an attacker can inject American National Standards Institute (ANSI) escape codes into Splunk log files that, when a vulnerable terminal application reads them, can potentially, at worst, result in possible code execution in the vulnerable application. This attack requires a user to use a terminal application that supports the translation of ANSI escape codes to read the malicious log file locally in the vulnerable terminal, and to perform additional user interaction to exploit. Universal Forwarder versions 9.1.0.1, 9.0.5, 8.2.11, and lower can be vulnerable in situations where they have management services active and accessible over the network. Universal Forwarder versions 9.0.x and 9.1.x bind management services to the local machine and are not vulnerable in this specific configuration. See SVD-2022-0605 for more information. Universal Forwarder versions 9.1 use Unix Domain Sockets (UDS) for communication, which further reduces the potential attack surface. The vulnerability does not directly affect Splunk Enterprise or Universal Forwarder. • https://advisory.splunk.com/advisories/SVD-2023-0606 https://research.splunk.com/application/de3908dc-1298-446d-84b9-fa81d37e959b • CWE-116: Improper Encoding or Escaping of Output CWE-117: Improper Output Neutralization for Logs •