Absolute Path Traversal in Splunk Enterprise Using runshellscript.py

Advisory ID: SVD-2023-0806

CVE ID: CVE-2023-40597

Published: 2023-08-30

Last Update: 2023-08-30

CVSSv3.1 Score: 7.8, High

CWE: CWE-36

Bug ID: VULN-5304

Description

In Splunk Enterprise versions lower than 8.2.12, 9.0.6, and 9.1.1, an attacker can exploit an absolute path traversal to execute arbitrary code that is located on a separate disk.

The runshellscript.py script does not perform adequate user validation. This lets an attacker use the runshellscript.py script to run a script in the root directory of another disk on the machine.

The exploit requires the attacker to have write access to the drive on which they place the exploit script.

The exploit is more accessible on Splunk Enterprise instances that run on Windows but is applicable to any operating system.
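The following is an added illustration of the CWE-36 weakness class and a defensive check against it; it is not Splunk's code, and the advisory does not publish the affected logic in runshellscript.py. It assumes a script name is joined onto a fixed scripts directory; the directory, file names and function names are constructed for the example, and ntpath is used so the Windows behaviour reproduces on any operating system.

```python
import ntpath
import posixpath

# Constructed sample base directory; not a path taken from the advisory.
BASE_WIN = r"C:\app\bin\scripts"


def naive_resolve(base, name, pathmod=ntpath):
    """Weak pattern: join() silently drops `base` when `name` is absolute."""
    return pathmod.normpath(pathmod.join(base, name))


def safe_resolve(base, name, pathmod=ntpath):
    """Return `name` resolved under `base`, or raise ValueError."""
    if not name or "\x00" in name:
        raise ValueError("empty name or embedded NUL")
    drive, rest = pathmod.splitdrive(name)
    # Reject drive letters, UNC shares and rooted paths before joining.
    if drive or pathmod.isabs(name) or rest.startswith(("/", "\\")):
        raise ValueError("absolute or drive-qualified path rejected")
    full = pathmod.normpath(pathmod.join(base, name))
    base_n = pathmod.normcase(pathmod.normpath(base))
    # Containment check catches relative escapes such as "..\\..\\x".
    if pathmod.commonpath([base_n, pathmod.normcase(full)]) != base_n:
        raise ValueError("path escapes the scripts directory")
    return full


def is_allowed(base, name, pathmod=ntpath):
    """True when `name` passes safe_resolve() for `base`."""
    try:
        safe_resolve(base, name, pathmod)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed candidate names: one legitimate, three that leave the base.
    for name in ("alert.bat", r"D:\payload.bat", r"\payload.bat", r"..\..\x.bat"):
        print(name, "->", naive_resolve(BASE_WIN, name), is_allowed(BASE_WIN, name))
```

The check is lexical only; where symlinks or junctions can exist inside the scripts directory, the resolved paths need to be compared as well.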

Solution

Upgrade Splunk Enterprise to 8.2.12, 9.0.6, or 9.1.1.

Splunk is actively monitoring and patching Splunk Cloud Systems.

Product Status

Product            Version  Component   Affected Version         Fix Version
Splunk Enterprise  8.2      Splunk Web  8.2.0 to 8.2.11          8.2.12
Splunk Enterprise  9.0      Splunk Web  9.0.0 to 9.0.5           9.0.6
Splunk Enterprise  9.1      Splunk Web  9.1.0                    9.1.1
Splunk Cloud       -        Splunk Web  9.0.2305.100 and below   9.0.2305.200

Mitigations and Workarounds

No mitigations

Detections

None

Severity

Splunk rates this vulnerability a 7.8, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Acknowledgments

Danylo Dmytriiev (DDV_UA)