// For flags

CVE-2023-3997

Unauthenticated Log Injection In Splunk SOAR

Severity Score

7.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Splunk SOAR versions lower than 6.1.0 are indirectly affected by a potential vulnerability accessed through the user’s terminal. A third party can send Splunk SOAR a maliciously crafted web request containing special ANSI characters to cause log file poisoning. When a terminal user attempts to view the poisoned logs, this can tamper with the terminal and cause possible malicious code execution from the terminal user’s action.

Splunk SOAR versions 6.0.2 and earlier are indirectly affected by a potential vulnerability accessed through the user’s terminal. A third party can send Splunk SOAR a maliciously crafted web request containing special ANSI characters to cause log file poisoning. When a terminal user attempts to view the poisoned logs, this can tamper with the terminal and cause possible malicious code execution from the terminal user’s action.

*Credits: STÖK / Fredrik Alexandersson
CVSS Scores
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2023-07-28 CVE Reserved
  • 2023-07-31 CVE Published
  • 2023-08-05 EPSS Updated
  • 2024-10-30 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-116: Improper Encoding or Escaping of Output
  • CWE-117: Improper Output Neutralization for Logs
CAPEC
References (1)
URL Tag Source
URL Date SRC
URL Date SRC
URL Date SRC
https://advisory.splunk.com/advisories/SVD-2023-0702 2024-04-10
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Splunk
Search vendor "Splunk"
 Soar
Search vendor "Splunk" for product "Soar"
 < 6.1.0
Search vendor "Splunk" for product "Soar" and version " < 6.1.0"
on-premises
Affected
Splunk
Search vendor "Splunk"
 Soar
Search vendor "Splunk" for product "Soar"
 < 6.1.0.131
Search vendor "Splunk" for product "Soar" and version " < 6.1.0.131"
cloud
Affected