Absolute Path Traversal in Splunk Enterprise Using runshellscript.py
Advisory ID: SVD-2023-0806
CVE ID: CVE-2023-40597
Published: 2023-08-30
Last Update: 2023-08-30
CVSSv3.1 Score: 7.8, High
CVSSv3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
CWE: CWE-36
Bug ID: VULN-5304
Description
In Splunk Enterprise versions lower than 8.2.12, 9.0.6, and 9.1.1, an attacker can exploit an absolute path traversal to execute arbitrary code that is located on a separate disk.
The runshellscript.py script does not perform adequate user validation. This lets an attacker use the runshellscript.py script to run a script in the root directory of another disk on the machine.
The exploit requires the attacker to have write access to the drive on which they place the exploit script.
The exploit is more accessible on Splunk Enterprise instances that run on Windows but is applicable to any operating system.
Solution
Upgrade Splunk Enterprise to 8.2.12, 9.0.6, or 9.1.1.
Splunk is actively monitoring and patching Splunk Cloud Systems.
Product Status
| Product | Version | Component | Affected Version | Fix Version |
|---|---|---|---|---|
| Splunk Enterprise | 8.2 | Splunk Web | 8.2.0 to 8.2.11 | 8.2.12 |
| Splunk Enterprise | 9.0 | Splunk Web | 9.0.0 to 9.0.5 | 9.0.6 |
| Splunk Enterprise | 9.1 | Splunk Web | 9.1.0 | 9.1.1 |
| Splunk Cloud | - | Splunk Web | 9.0.2305.100 and below | 9.0.2305.200 |
Mitigations and Workarounds
No mitigations
Detections
None
Severity
Splunk rates this vulnerability a 7.8, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Acknowledgments
Danylo Dmytriiev (DDV_UA)