Improperly Formatted ‘INGEST_EVAL’ Parameter Crashes Splunk Daemon

Advisory ID: SVD-2023-0211

CVE ID: CVE-2023-22941

Published: 2023-02-14

Last Update: 2023-02-14

CVSSv3.1 Score: 6.5, Medium

CWE: CWE-248

Bug ID: SPL-232645


In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, an improperly-formatted ‘INGEST_EVAL’ parameter in a Field Transformation crashes the Splunk daemon (splunkd).


For Splunk Enterprise, upgrade versions to 8.1.13, 8.2.10, 9.0.4, or higher.

For Splunk Cloud Platform, Splunk is actively patching and monitoring the Splunk Cloud instances.

Product Status

ProductVersionComponentAffected VersionFix Version
Splunk Enterprise8.1Splunk Web8.1.12 and lower8.1.13
Splunk Enterprise8.2Splunk Web8.2.0 to
Splunk Enterprise9.0Splunk Web9.0.0 to
Splunk Cloud Platform-Splunk Web9.0.2209 and lower9.0.2212

Mitigations and Workarounds



This hunting search provides information on who executed the crashing command, and when and how often the command was executed.


Splunk rated the vulnerability as Medium, 6.5, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. The vulnerability requires compromising a user account with the capability to create or edit a Field transformation or run the ‘ingestpreview’ command via Search.


James Ervin, Splunk