‘createrss’ External Search Command Overwrites Existing RSS Feeds in Splunk Enterprise
Advisory ID: SVD-2023-0201
CVE ID: CVE-2023-22931
Last Update: 2023-02-14
CVSSv3.1 Score: 4.3, Medium
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Bug ID: SPL-216628
In Splunk Enterprise versions below 8.1.13 and 8.2.10, the ‘createrss’ external search command overwrites existing Resource Description Format Site Summary (RSS) feeds without verifying permissions. This feature has been deprecated and disabled by default.
For Splunk Enterprise, upgrade versions to 8.1.13, 8.2.10, or higher.
For Splunk Cloud Platform, Splunk is actively patching and monitoring the Splunk Cloud instances.
|Product||Version||Component||Affected Version||Fix Version|
|Splunk Enterprise||8.1||Search||8.1.12 and lower||8.1.13|
|Splunk Enterprise||8.2||Search||8.2.0 to 8.2.9||8.2.10|
|Splunk Enterprise||9.0||-||Not affected||-|
|Splunk Cloud Platform||-||Search||8.2.2202 and lower||8.2.2203|
Mitigations and Workarounds
This hunting search includes the ‘createrss’ command which can be used to identify potential misuse.
Splunk rated the vulnerability as Medium, 4.3, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
James Ervin, Splunk