CVSS: 8.8EPSS: 0%CPEs: 4EXPL: 0CVE-2023-40598 – Command Injection in Splunk Enterprise Using External Lookups
https://notcve.org/view.php?id=CVE-2023-40598
In Splunk Enterprise versions below 8.2.12, 9.0.6, and 9.1.1, an attacker can create an external lookup that calls a legacy internal function. The attacker can use this internal function to insert code into the Splunk platform installation directory. From there, a user can execute arbitrary code on the Splunk platform Instance. • https://advisory.splunk.com/advisories/SVD-2023-0807 https://research.splunk.com/application/ee69374a-d27e-4136-adac-956a96ff60fd • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE-306: Missing Authentication for Critical Function •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2022-32158 – Splunk Enterprise deployment servers allow client publishing of forwarder bundles
https://notcve.org/view.php?id=CVE-2022-32158
Splunk Enterprise deployment servers in versions before 8.1.10.1, 8.2.6.1, and 9.0 let clients deploy forwarder bundles to other deployment clients through the deployment server. An attacker that compromised a Universal Forwarder endpoint could use the vulnerability to execute arbitrary code on all other Universal Forwarder endpoints subscribed to the deployment server. Los servidores de despliegue de Splunk Enterprise en versiones anteriores a la 8.1.10.1, 8.2.6.1 y 9.0 permiten a los clientes desplegar paquetes de reenvío a otros clientes de despliegue a través del servidor de despliegue. Un atacante que comprometiera un punto final de Universal Forwarder podría utilizar la vulnerabilidad para ejecutar código arbitrario en todos los demás puntos finales de Universal Forwarder suscritos al servidor de despliegue • https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/Updates https://www.splunk.com/en_us/product-security/announcements/svd-2022-0608.html • CWE-284: Improper Access Control •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-32157 – Splunk Enterprise deployment servers allow unauthenticated forwarder bundle downloads
https://notcve.org/view.php?id=CVE-2022-32157
Splunk Enterprise deployment servers in versions before 9.0 allow unauthenticated downloading of forwarder bundles. Remediation requires you to update the deployment server to version 9.0 and Configure authentication for deployment servers and clients (https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/ConfigDSDCAuthEnhancements#Configure_authentication_for_deployment_servers_and_clients). Once enabled, deployment servers can manage only Universal Forwarder versions 9.0 and higher. Though the vulnerability does not directly affect Universal Forwarders, remediation requires updating all Universal Forwarders that the deployment server manages to version 9.0 or higher prior to enabling the remediation. Los servidores de implementación de Splunk Enterprise en versiones anteriores a 9.0, permiten una descarga no autenticada de paquetes de reenvío. • https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/ConfigDSDCAuthEnhancements#Configure_authentication_for_deployment_servers_and_clients https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/Updates https://research.splunk.com/application/splunk_process_injection_forwarder_bundle_downloads https://www.splunk.com/en_us/product-security/announcements/svd-2022-0607.html • CWE-306: Missing Authentication for Critical Function •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2022-32155 – Universal Forwarder management services allows remote login by default
https://notcve.org/view.php?id=CVE-2022-32155
In universal forwarder versions before 9.0, management services are available remotely by default. When not required, it introduces a potential exposure, but it is not a vulnerability. If exposed, we recommend each customer assess the potential severity specific to your environment. In 9.0, the universal forwarder now binds the management port to localhost preventing remote logins by default. If management services are not required in versions before 9.0, set disableDefaultPort = true in server.conf OR allowRemoteLogin = never in server.conf OR mgmtHostPort = localhost in web.conf. • https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/EnableTLSCertHostnameValidation#Configure_universal_forwarder_management_security https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/Updates https://www.splunk.com/en_us/product-security/announcements/svd-2022-0605.html • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 8.1EPSS: 0%CPEs: 2EXPL: 0CVE-2022-32154 – Risky commands warnings in Splunk Enterprise Dashboards
https://notcve.org/view.php?id=CVE-2022-32154
Dashboards in Splunk Enterprise versions before 9.0 might let an attacker inject risky search commands into a form token when the token is used in a query in a cross-origin request. The result bypasses SPL safeguards for risky commands. See New capabilities can limit access to some custom and potentially risky commands (https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/SPLsafeguards#New_capabilities_can_limit_access_to_some_custom_and_potentially_risky_commands) for more information. Note that the attack is browser-based and an attacker cannot exploit it at will. Los cuadros de mando en Splunk Enterprise versiones anteriores a 9.0, podrían permitir a un atacante inyectar comandos de búsqueda arriesgados en un token de formulario cuando el token es usado en una consulta en una petición de origen cruzado. • https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/SPLsafeguards#New_capabilities_can_limit_access_to_some_custom_and_potentially_risky_commands https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/Updates https://research.splunk.com/application/splunk_command_and_scripting_interpreter_delete_usage https://research.splunk.com/application/splunk_command_and_scripting_interpreter_risky_commands https://research.splunk.com/application/splunk_command_and_scripting_interpreter_risky_spl_mltk https://www.splunk.c • CWE-20: Improper Input Validation CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •