‘createrss’ External Search Command Overwrites Existing RSS Feeds in Splunk Enterprise
Advisory ID: SVD-2023-0201
CVE ID: CVE-2023-22931
Published: 2023-02-14
Last Update: 2023-02-14
CVSSv3.1 Score: 4.3, Medium
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CWE: CWE-285
Bug ID: SPL-216628
Description
In Splunk Enterprise versions below 8.1.13 and 8.2.10, the ‘createrss’ external search command overwrites existing Resource Description Format Site Summary (RSS) feeds without verifying permissions. This feature has been deprecated and disabled by default.
Solution
For Splunk Enterprise, upgrade versions to 8.1.13, 8.2.10, or higher.
For Splunk Cloud Platform, Splunk is actively patching and monitoring the Splunk Cloud instances.
Product Status
| Product | Version | Component | Affected Version | Fix Version |
|---|---|---|---|---|
| Splunk Enterprise | 8.1 | Search | 8.1.12 and lower | 8.1.13 |
| Splunk Enterprise | 8.2 | Search | 8.2.0 to 8.2.9 | 8.2.10 |
| Splunk Enterprise | 9.0 | - | Not affected | - |
| Splunk Cloud Platform | - | Search | 8.2.2202 and lower | 8.2.2203 |
Mitigations and Workarounds
None
Detections
This hunting search includes the ‘createrss’ command which can be used to identify potential misuse.
Severity
Splunk rated the vulnerability as Medium, 4.3, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Acknowledgments
James Ervin, Splunk