Insecure File Upload in the indexing/preview REST endpoint

Description

In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.200, an authenticated, low-privileged user who does not hold the “admin” or “power” Splunk roles could upload a file with an arbitrary extension using the indexing/preview REST endpoint.

The vulnerable endpoint is one of several that the Upload Data page in Splunk Web uses to run a “preview” search of the data contained within a file that a user uploads prior to indexing. This process generates a file that a low-privileged user could use to perform the XSLT injection, which could be used to perform downstream exploits.

Solution

Upgrade Splunk Enterprise to versions 9.2.2, 9.1.5, and 9.0.10, or higher.

Splunk is performing upgrades on Splunk Cloud Platform instances as part of Routine Maintenance for customers, as described in the Splunk Cloud Platform Maintenance Policy. In the meantime, Splunk is actively monitoring for potential issues that could arise from this vulnerability.

Product Status

Mitigations and Workarounds

The vulnerability would likely affect instances with Splunk Web turned on. You could turn Splunk Web off as a possible workaround. See Disable unnecessary Splunk Enterprise components and the web.conf configuration specification file for more information on turning Splunk Web off.

Detections

None

Severity

Splunk rates this vulnerability as 4.3, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N.

If the Splunk Enterprise instance does not run Splunk Web, there should be no impact and the severity would be informational.

Acknowledgments

Kyle Bambrick, Splunk