‘createrss’ External Search Command Overwrites Existing RSS Feeds in Splunk Enterprise

Advisory ID: SVD-2023-0201

CVE ID: CVE-2023-22931

Published: 2023-02-14

Last Update: 2023-02-14

CVSSv3.1 Score: 4.3, Medium

CWE: CWE-285

Bug ID: SPL-216628


In Splunk Enterprise versions below 8.1.13 and 8.2.10, the ‘createrss’ external search command overwrites existing Resource Description Format Site Summary (RSS) feeds without verifying permissions. This feature has been deprecated and disabled by default.


For Splunk Enterprise, upgrade versions to 8.1.13, 8.2.10, or higher.

For Splunk Cloud Platform, Splunk is actively patching and monitoring the Splunk Cloud instances.

Product Status

ProductVersionComponentAffected VersionFix Version
Splunk Enterprise8.1Search8.1.12 and lower8.1.13
Splunk Enterprise8.2Search8.2.0 to
Splunk Enterprise9.0-Not affected-
Splunk Cloud Platform-Search8.2.2202 and lower8.2.2203

Mitigations and Workarounds



This hunting search includes the ‘createrss’ command which can be used to identify potential misuse.


Splunk rated the vulnerability as Medium, 4.3, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N


James Ervin, Splunk