Unnecessary File Extensions Allowed by Lookup Table Uploads in Splunk Enterprise

Advisory ID: SVD-2023-0207

CVE ID: CVE-2023-22937

Published: 2023-02-14

Last Update: 2023-02-14

CVSSv3.1 Score: 4.3, Medium


Bug ID: SPL-229185


In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the lookup table upload feature let a user upload lookup tables with unnecessary filename extensions. Lookup table file extensions may now be one of the following only: .csv, .csv.gz, .kmz, .kml, .mmdb, or .mmdb.gzl. For more information on lookup table files, see About lookups.


For Splunk Enterprise, upgrade versions to 8.1.13, 8.2.10, 9.0.4, or higher.

For Splunk Cloud Platform, Splunk is actively patching and monitoring the Splunk Cloud instances.

Product Status

ProductVersionComponentAffected VersionFix Version
Splunk Enterprise8.1Splunk Web8.1.12 and lower8.1.13
Splunk Enterprise8.2Splunk Web8.2.0 to
Splunk Enterprise9.0Splunk Web9.0.0 to
Splunk Cloud Platform-Splunk Web9.0.2209 and lower9.0.2209.3

Mitigations and Workarounds

This vulnerability requires a user to hold a role with the ‘upload_lookup_files’ capability to exploit. An administrator can remove this role from user accounts to mitigate the vulnerability. For additional information on Splunk roles, refer to Define roles on the Splunk platform with capabilities.


This search provides assistance in identifying lookup file uploads with non-standard extensions.


Splunk rated the vulnerability as Medium, 4.3, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N.