Unauthenticated Log Injection in Splunk Enterprise

Advisory ID: SVD-2023-0606

CVE ID: CVE-2023-32712

Published: 2023-06-01

Last Update: 2023-10-18

CVSSv3.1 Score: 8.6, High

CWE: CWE-117

Bug ID: SPL-235259

Description

In Splunk Enterprise versions below 9.1.0.2, 9.0.5.1, and 8.2.11.2, an attacker can inject American National Standards Institute (ANSI) escape codes into Splunk log files that, when a vulnerable terminal application reads them, can potentially, at worst, result in code execution in that terminal application. This attack requires a user to read the malicious log file locally in a terminal application that translates ANSI escape codes, and to perform additional user interaction, for the exploit to succeed.

Universal Forwarder versions 9.1.0.1, 9.0.5, 8.2.11, and lower can be vulnerable in the following situations:

  • The forwarders have been configured to have management services active
  • The active management services are exposed and accessible from the network

By default, all Universal Forwarder 9.0 and 9.1 versions bind management services to the local machine (localhost) and are not vulnerable in this specific configuration. See SVD-2022-0605 for more information. Universal Forwarder versions 9.1 and higher use Unix Domain Sockets (UDS) for communication, further reducing the potential attack surface.

The vulnerability does not directly affect Splunk Enterprise or Splunk Universal Forwarder. The indirect impact on the Splunk Enterprise instance and Universal Forwarders can vary significantly depending on the permissions in the vulnerable terminal application and where and how the user reads the malicious log file. For example, users can copy the malicious file from the Splunk Enterprise instance and read it on their local machine.

Solution

For Splunk Enterprise, upgrade to version 8.2.11.2, 9.0.5.1, or 9.1.0.2.

For Splunk Universal Forwarder, upgrade to version 8.2.12, 9.0.6, or 9.1.1.

This vulnerability does not affect Splunk Cloud Platform instances directly. Where possible, Splunk Cloud Platform customers with on-premises Splunk infrastructure, including universal and heavy forwarders, deployment servers, and license servers, must upgrade that infrastructure to reduce their attack surface.

Upgrading or mitigating the issue prevents future log injections. However, logs that were created before performing the upgrades or mitigations can still pose a risk. Where applicable, remove Splunk Enterprise log files in the $SPLUNK_HOME/var/log/splunk/ directory.

Product Status

Product             | Version | Component | Affected Version   | Fix Version
Splunk Enterprise   | 8.2     | -         | 8.2.0 to 8.2.11.1  | 8.2.11.2
Splunk Enterprise   | 9.0     | -         | 9.0.0 to 9.0.5     | 9.0.5.1
Splunk Enterprise   | 9.1     | -         | 9.1.0 to 9.1.0.1   | 9.1.0.2
Universal Forwarder | 8.2     | REST API  | 8.2.11 and below   | 8.2.12
Universal Forwarder | 9.0     | REST API  | 9.0.0 to 9.0.5     | 9.0.6
Universal Forwarder | 9.1     | REST API  | 9.1.0 to 9.1.0.1   | 9.1.1

Mitigations and Workarounds

As a partial mitigation, users can protect themselves from log injection via ANSI escape characters in general by disabling the processing of ANSI escape codes in their terminal application, or by using a terminal application that filters ANSI codes.

For Universal Forwarder versions 8.2.x, configure management services to only accept inbound connections from the local machine (localhost).

For Universal Forwarder versions 9.0.x and 9.1.x, confirm that management services only accept inbound connections from localhost.

To deactivate remote management services on Universal Forwarder:

  • In the server.conf configuration file on UF, under the [httpServer] stanza, give the disableDefaultPort setting a value of true, or, under the [general] stanza, give the allowRemoteLogin setting a value of never.

See Configure universal forwarder management security in Securing Splunk Enterprise for more information on deactivating remote management services. For improved overall security on UF versions 9.1.x and higher, where applicable, consider configuring the UF to use UDS for communication. In the server.conf configuration file, under the [httpServer] stanza, give the mgmtMode setting a value of UDS (or default).

Detections

This detection search provides information on possible ANSI Log injection on Splunk Enterprise.
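The following Python is an added example, not the Splunk detection search linked above nor code from the advisory: it scans text log lines for the escape-sequence grammar a terminal would interpret (CSI, OSC and single-byte ESC sequences, plus the 8-bit CSI introducer), reports what kind of sequence each line carries, and neutralises control bytes so a flagged line can be displayed safely, which is the filtering the Mitigations section recommends. The log lines are constructed samples in a Splunk-like format, not real log data.

```python
import re

# Constructed sample lines (not from the advisory). Line 0 is benign; lines 1 and 2
# carry terminal escape sequences of the kind an injected log entry would contain.
SAMPLE_LOG_LINES = [
    "06-01-2023 10:00:01.123 +0000 INFO  UiAuth - user=admin action=login status=success",
    "06-01-2023 10:00:02.456 +0000 WARN  UiAuth - user=\x1b[2J\x1b[1;31mFAKE ERROR\x1b[0m "
    "action=login status=failure",
    "06-01-2023 10:00:03.789 +0000 WARN  UiAuth - user=\x1b]8;;http://example.invalid\x07"
    "click here\x1b]8;;\x07 action=login status=failure",
]

# Sequence grammar a terminal interprets (ECMA-48 / ANSI X3.64):
#   CSI  ESC [ <params 0x30-0x3F>* <intermediates 0x20-0x2F>* <final 0x40-0x7E>
#   OSC  ESC ] <payload> terminated by BEL (0x07) or ST (ESC \)
#   Fe   ESC followed by one byte 0x40-0x5F (also catches truncated CSI/OSC)
#   C1   the single-byte 8-bit CSI introducer 0x9B
ANSI_RE = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"
    r"|\x1b[@-_]"
    r"|\x9b"
)
# Every C0/C1 control byte except TAB, LF and CR. Rewriting these defeats any
# sequence, including malformed ones that the grammar above does not match.
CONTROL_RE = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f\x80-\x9f]")

def classify(seq):
    """Label a matched sequence so an analyst sees what kind was injected."""
    if seq.startswith("\x1b["):
        return "CSI"
    if seq.startswith("\x1b]"):
        return "OSC"
    return "ESC"

def find_ansi_sequences(line):
    """Return (kind, raw sequence) for each escape sequence in one log line."""
    return [(classify(m.group(0)), m.group(0)) for m in ANSI_RE.finditer(line)]

def scan_log(lines):
    """Return [(line_index, findings)] for every line that contains a sequence."""
    return [(i, f) for i, f in ((i, find_ansi_sequences(l)) for i, l in enumerate(lines)) if f]

def sanitize(line):
    """Rewrite control bytes as visible \\xNN text so the line is safe to display."""
    return CONTROL_RE.sub(lambda m: "\\x%02x" % ord(m.group(0)), line)

if __name__ == "__main__":
    for i, found in scan_log(SAMPLE_LOG_LINES):
        print("line %d: %s" % (i, ", ".join(k for k, _ in found)))
        print("  sanitized: " + sanitize(SAMPLE_LOG_LINES[i]))
```

Running it flags lines 1 (three CSI sequences, one of which clears the screen) and 2 (two OSC hyperlink sequences) while leaving line 0 untouched.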

Severity

Splunk rates the vulnerability as High, 8.6, with a CVSS Vector of CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H.

Attack Vector:

The attack initially occurs at the network layer through an HTTP web request from the attacker to the vulnerable Splunk Enterprise instance. However, this initial attack vector does not align with the CVSS metrics for “Attack Vector.” In most vulnerabilities that Splunk rates, the vector would align with those metrics, but the CVSS specification provides two qualifications for the “Local” metric. Specifically, the second qualification states the following:

the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document).

The attack mirrors this example, requiring the user to open a malicious document, for example, the injected log file. Because of this, Splunk rated the Attack Vector as “Local” per the CVSS v3.1 Specification Document.

Attack Complexity:

The vulnerability requires no additional preparation from the attacker, and there are no extenuating circumstances for exploiting the vulnerability.

Privileges Required:

The vulnerability does not require attacker privileges and occurs through an unauthenticated request to the Splunk Enterprise instance.

User Interaction:

The vulnerability requires users to open or read the malicious document, file, or log for successful execution.

Scope:

The vulnerability does not affect Splunk Enterprise directly, only indirectly through the authorized permissions in the user’s terminal. The vulnerability directly affects the user’s terminal, which falls outside of Splunk’s security authority. As such, the vulnerability qualifies for a Change in Scope.

Confidentiality/Integrity/Availability:

The vulnerability allows for the potential for remote code execution within the context of a user’s terminal. Because of this, out of an abundance of caution, Splunk rated the impact on the user’s terminal as High for all three vectors. The indirect impact on Splunk Enterprise might vary significantly depending on how the user configured permissions in their terminal application.

Acknowledgments

STÖK / Fredrik Alexandersson

Changelog:

2023-11-16: Updated Mitigation section. allowRemoteLogin is a server.conf setting, not web.conf.

2023-08-30: Expanded the scope of affected products to include Splunk Universal Forwarder

2023-07-31: Updated and expanded the Description, Solutions, Product Status, Mitigations, Detections, and Severity section to include two related, novel vulnerabilities and to clarify technical inaccuracies. Updated the Product Fix versions from “9.1.0.1, 9.0.5, 8.2.11” to “9.1.0.2, 9.0.5.1, 8.2.11.1” to reflect the fixes for the newly remedied vulnerabilities.