Unnecessary File Extensions Allowed by Lookup Table Uploads in Splunk Enterprise

Advisory ID: SVD-2023-0207

CVE ID: CVE-2023-22937

Published: 2023-02-14

Last Update: 2023-02-14

CVSSv3.1 Score: 4.3, Medium

CWE: CWE-20

Bug ID: SPL-229185

Description

In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the lookup table upload feature let a user upload lookup tables with unnecessary filename extensions. Lookup table file extensions may now be one of the following only: .csv, .csv.gz, .kmz, .kml, .mmdb, or .mmdb.gzl. For more information on lookup table files, see About lookups.

Solution

For Splunk Enterprise, upgrade versions to 8.1.13, 8.2.10, 9.0.4, or higher.

For Splunk Cloud Platform, Splunk is actively patching and monitoring the Splunk Cloud instances.

Product Status

| Product | Version | Component | Affected Version | Fix Version |
|---|---|---|---|---|
| Splunk Enterprise | 8.1 | Splunk Web | 8.1.12 and lower | 8.1.13 |
| Splunk Enterprise | 8.2 | Splunk Web | 8.2.0 to 8.2.9 | 8.2.10 |
| Splunk Enterprise | 9.0 | Splunk Web | 9.0.0 to 9.0.3 | 9.0.4 |
| Splunk Cloud Platform | - | Splunk Web | 9.0.2209 and lower | 9.0.2209.3 |

Mitigations and Workarounds

Exploiting this vulnerability requires a user to hold a role with the ‘upload_lookup_files’ capability. An administrator can remove this role from user accounts to mitigate the vulnerability. For additional information on Splunk roles, refer to Define roles on the Splunk platform with capabilities.

Detections

This search helps identify lookup file uploads with non-standard extensions.
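For auditing a list of lookup filenames offline against the extension allow-list in the Description, the following is an added example; it is not Splunk's code and not the search referenced above. The function names, the sample filenames, case-insensitive matching, and the rejection of path separators and trailing dots are assumptions of this example.

```python
import os.path

# Extensions copied verbatim from the advisory's Description section.
ALLOWED_SUFFIXES = (".csv", ".csv.gz", ".kmz", ".kml", ".mmdb", ".mmdb.gzl")


def classify_lookup_name(filename):
    """Return (ok, reason) for one lookup filename (hypothetical helper)."""
    # Control characters, including NUL, do not belong in a lookup filename.
    if any(ord(ch) < 0x20 for ch in filename):
        return False, "control character in name"
    # Only a bare filename is expected, never a path.
    if "/" in filename or "\\" in filename:
        return False, "path separator in name"
    # Trailing dots or spaces can hide the real extension on some filesystems.
    if filename != filename.rstrip(". "):
        return False, "trailing dot or space"
    lowered = filename.lower()  # assumption: matching is case-insensitive
    for suffix in ALLOWED_SUFFIXES:
        # Require a non-empty stem so a bare ".csv" is not accepted.
        if lowered.endswith(suffix) and len(lowered) > len(suffix):
            return True, "allowed extension " + suffix
    ext = os.path.splitext(lowered)[1] or "(none)"
    return False, "extension not on allow-list: " + ext


def audit(filenames):
    """Return the (name, reason) pairs that fail the allow-list."""
    flagged = []
    for name in filenames:
        ok, reason = classify_lookup_name(name)
        if not ok:
            flagged.append((name, reason))
    return flagged


# Constructed sample filenames, not taken from any real deployment.
SAMPLE_UPLOADS = [
    "assets.csv", "geo.mmdb", "ip_ranges.CSV.GZ", "regions.kmz",
    "notes.txt", "report.csv.bak", "inventory.csv.", "no_extension",
]

if __name__ == "__main__":
    for name, reason in audit(SAMPLE_UPLOADS):
        print(f"{name!r}: {reason}")
```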

Severity

Splunk rated the vulnerability as Medium, 4.3, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N.