Permissions Validation Failure in the ‘sendemail’ REST API Endpoint in Splunk Enterprise
Advisory ID: SVD-2023-0208
CVE ID: CVE-2023-22938
Last Update: 2023-02-14
CVSSv3.1 Score: 4.3, Medium
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Bug ID: SPL-229337
In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the ‘sendemail’ REST API endpoint lets any authenticated user send an email as the Splunk instance. The endpoint is now restricted to the ‘splunk-system-user’ account on the local instance.
For Splunk Enterprise, upgrade versions to 8.1.13, 8.2.10, 9.0.4, or higher.
For Splunk Cloud Platform, Splunk is actively patching and monitoring the Splunk Cloud instances.
|Product||Version||Component||Affected Version||Fix Version|
|Splunk Enterprise||8.1||Splunk Web||8.1.12 and lower||8.1.13|
|Splunk Enterprise||8.2||Splunk Web||8.2.0 to 8.2.9||8.2.10|
|Splunk Enterprise||9.0||Splunk Web||9.0.0 to 9.0.3||9.0.4|
|Splunk Cloud Platform||-||Splunk Web||9.0.2209 and lower||9.0.2212|
Mitigations and Workarounds
Splunk rated the vulnerability as Medium, 4.3, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N.
James Ervin, Splunk