Absolute Path Traversal in Splunk Enterprise Using runshellscript.py
Advisory ID: SVD-2023-0806
CVE ID: CVE-2023-40597
Published: 2023-08-30
Last Update: 2023-10-18
CVSSv3.1 Score: 7.8, High
CVSSv3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
CWE: CWE-36
Bug ID: VULN-5304
Description
In Splunk Enterprise versions lower than 8.2.12, 9.0.6, and 9.1.1, an attacker can exploit an absolute path traversal to execute arbitrary code that is located on a separate disk.
The runshellscript.py script does not perform adequate user validation. This lets an attacker use the runshellscript.py script to run a script in the root directory of another disk on the machine.
The exploit requires the attacker to have write access to the drive on which they place the exploit script.
This vulnerability only affects Splunk Enterprise Instances that run on Windows.
Solution
Upgrade Splunk Enterprise to 8.2.12, 9.0.6, or 9.1.1.
This vulnerability does not affect Splunk Cloud Platform instances.
Product Status
| Product | Version | Component | Affected Version | Fix Version |
|---|---|---|---|---|
| Splunk Enterprise | 8.2 | Splunk Web | 8.2.0 to 8.2.11 | 8.2.12 |
| Splunk Enterprise | 9.0 | Splunk Web | 9.0.0 to 9.0.5 | 9.0.6 |
| Splunk Enterprise | 9.1 | Splunk Web | 9.1.0 | 9.1.1 |
| Splunk Cloud | - | Splunk Web | 9.0.2305.100 and below | 9.0.2305.200 |
Mitigations and Workarounds
No mitigations
Detections
Severity
Splunk rates this vulnerability a 7.8, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H.
This vulnerability only affects Splunk Enterprise Instances that run on Windows machines. If your Splunk platform instance does not run on Windows, it is not affected and this vulnerability is considered informational.
Acknowledgments
Danylo Dmytriiev (DDV_UA)
Changelog
- 2023-10-18: Added additional details to the description and severity to clarify that this vulnerability only affects instances that run on Windows machines