CVE-2023-4571

Unauthenticated Log Injection in Splunk IT Service Intelligence (ITSI)

Severity Score

8.6

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

In Splunk IT Service Intelligence (ITSI) versions below below 4.13.3, 4.15.3, or 4.17.1, a malicious actor can inject American National Standards Institute (ANSI) escape codes into Splunk ITSI log files that, when a vulnerable terminal application reads them, can run malicious code in the vulnerable application. This attack requires a user to use a terminal application that translates ANSI escape codes to read the malicious log file locally in the vulnerable terminal. The vulnerability also requires additional user interaction to succeed.

The vulnerability does not directly affect Splunk ITSI. The indirect impact on Splunk ITSI can vary significantly depending on the permissions in the vulnerable terminal application, as well as where and how the user reads the malicious log file. For example, users can copy the malicious file from Splunk ITSI and read it on their local machine.

En Splunk IT Service Intelligence (ITSI) versiones por debajo de 4.13.3, 4.15.3, o 4.17.1, un actor malicioso puede inyectar American National Standards Institute (ANSI) códigos de escape en Splunk ITSI archivos de registro que, cuando una aplicación de terminal vulnerable los lee, puede ejecutar código malicioso en la aplicación vulnerable. Este ataque requiere que un usuario utilice una aplicación de terminal que traduzca los códigos de escape ANSI para leer el archivo de registro malicioso localmente en el terminal vulnerable. La vulnerabilidad también requiere interacción adicional del usuario para tener éxito.

La vulnerabilidad no afecta directamente a Splunk ITSI. El impacto indirecto en Splunk ITSI puede variar significativamente dependiendo de los permisos en la aplicación de terminal vulnerable, así como dónde y cómo el usuario lee el archivo de registro malicioso. Por ejemplo, los usuarios pueden copiar el archivo malicioso de Splunk ITSI y leerlo en su máquina local.

In Splunk IT Service Intelligence (ITSI) versions below 4.13.3 or 4.15.3, a malicious actor can inject American National Standards Institute (ANSI) escape codes into Splunk ITSI log files that, when a vulnerable terminal application reads them, can run malicious code in the vulnerable application. This attack requires a user to use a terminal application that translates ANSI escape codes to read the malicious log file locally in the vulnerable terminal. The vulnerability also requires additional user interaction to succeed.

The vulnerability does not directly affect Splunk ITSI. The indirect impact on Splunk ITSI can vary significantly depending on the permissions in the vulnerable terminal application, as well as where and how the user reads the malicious log file. For example, users can copy the malicious file from Splunk ITSI and read it on their local machine.

*Credits: STÖK / Fredrik Alexandersson

CVSS Scores

NISTv3.1 8.6

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2023-08-28 CVE Reserved
2023-08-30 CVE Published
2024-10-01 EPSS Updated
2024-10-30 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-116: Improper Encoding or Escaping of Output
CWE-117: Improper Output Neutralization for Logs

CAPEC

References (1)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://advisory.splunk.com/advisories/SVD-2023-0810	2024-04-10

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Splunk Search vendor "Splunk"		It Service Intelligence Search vendor "Splunk" for product "It Service Intelligence"				>= 4.13.0 < 4.13.3 Search vendor "Splunk" for product "It Service Intelligence" and version " >= 4.13.0 < 4.13.3"		-		Affected
Splunk Search vendor "Splunk"		It Service Intelligence Search vendor "Splunk" for product "It Service Intelligence"				>= 4.15.0 < 4.15.3 Search vendor "Splunk" for product "It Service Intelligence" and version " >= 4.15.0 < 4.15.3"		-		Affected
Splunk Search vendor "Splunk"		It Service Intelligence Search vendor "Splunk" for product "It Service Intelligence"				4.17.0 Search vendor "Splunk" for product "It Service Intelligence" and version "4.17.0"		-		Affected