‘createrss’ External Search Command Overwrites Existing RSS Feeds in Splunk Enterprise
Advisory ID: SVD-2023-0201
CVE ID: CVE-2023-22931
Published: 2023-02-14
Last Update: 2023-02-14
CVSSv3.1 Score: 4.3, Medium
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CWE: CWE-285
Bug ID: SPL-216628
Description
In Splunk Enterprise versions below 8.1.13 and 8.2.10, the ‘createrss’ external search command overwrites existing Resource Description Format Site Summary (RSS) feeds without verifying permissions. This feature has been deprecated and disabled by default.
Solution
For Splunk Enterprise, upgrade versions to 8.1.13, 8.2.10, or higher.
For Splunk Cloud Platform, Splunk is actively patching and monitoring the Splunk Cloud instances.
Product Status
Product | Base Version | Component | Affected Version | Fix Version |
---|---|---|---|---|
Splunk Enterprise | 8.1 | Search | 8.1.12 and lower | 8.1.13 |
Splunk Enterprise | 8.2 | Search | 8.2.0 to 8.2.9 | 8.2.10 |
Splunk Enterprise | 9.0 | | Not affected | - |
Splunk Cloud Platform | | Search | 8.2.2202 and lower | 8.2.2203 |
Mitigations and Workarounds
None
Detections
This hunting search includes the ‘createrss’ command which can be used to identify potential misuse.
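One way to hunt for use of the command in search audit records, as an added example that is not Splunk's hunting search: it flags searches that run `createrss` as a pipeline stage rather than merely mentioning the string. The event layout, field names and sample lines are constructed assumptions.

```python
import re

# Constructed sample events. The key=value layout and the field names
# (user, action, search) are assumptions; createrss arguments are elided.
SAMPLE_EVENTS = [
    "user=alice, action=search, search='search index=web status=500 | stats count by host'",
    "user=bob, action=search, search='search index=main error | head 10 | createrss <args elided>'",
    "user=carol, action=search, search='search index=main \"note | createrss\" | table _time user'",
    "user=dave, action=search, search='| makeresults | CreateRSS <args elided>'",
    "user=erin, action=edit_user, object=frank",
]

# key=value pairs; a value is either single-quoted or runs to the next comma.
FIELD_RE = re.compile(r"(\w+)=(?:'((?:[^'\\]|\\.)*)'|([^,]*))")

def parse_event(line):
    """Turn one key=value event line into a dict of fields."""
    return {key: (quoted or bare).strip() for key, quoted, bare in FIELD_RE.findall(line)}

def pipeline_commands(search):
    """Lower-cased command name of each stage; pipes inside double quotes are data."""
    stages, current, in_quotes = [], [], False
    for ch in search:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == "|" and not in_quotes:
            stages.append("".join(current))
            current = []
        else:
            current.append(ch)
    stages.append("".join(current))
    return [stage.split()[0].lower() for stage in stages if stage.strip()]

def hunt(lines, command="createrss"):
    """Return the users whose audited searches invoke `command` as a stage."""
    hits = []
    for line in lines:
        fields = parse_event(line)
        if fields.get("action") != "search":
            continue  # only search activity is relevant here
        if command in pipeline_commands(fields.get("search", "")):
            hits.append(fields.get("user", "unknown"))
    return hits

if __name__ == "__main__":
    print(hunt(SAMPLE_EVENTS))
```

Matching on the stage name instead of a substring keeps a quoted literal such as carol's from raising a false positive, and lower-casing catches dave's mixed-case invocation.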
Severity
Splunk rated the vulnerability as Medium, 4.3, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Acknowledgments
James Ervin, Splunk