Absolute Path Traversal in Splunk Enterprise Using runshellscript.py

Advisory ID: SVD-2023-0806

CVE ID: CVE-2023-40597

Published: 2023-08-30

Last Update: 2023-10-18

CVSSv3.1 Score: 7.8, High

CWE: CWE-36

Bug ID: VULN-5304

Description

In Splunk Enterprise versions lower than 8.2.12, 9.0.6, and 9.1.1, an attacker can exploit an absolute path traversal to execute arbitrary code that is located on a separate disk.

The runshellscript.py script does not perform adequate user validation. This lets an attacker use the runshellscript.py script to run a script in the root directory of another disk on the machine.

The exploit requires the attacker to have write access to the drive on which they place the exploit script.
This vulnerability only affects Splunk Enterprise Instances that run on Windows.

Solution

Upgrade Splunk Enterprise to 8.2.12, 9.0.6, or 9.1.1.

This vulnerability does not affect Splunk Cloud Platform instances.

Product Status

ProductVersionComponentAffected VersionFix Version
Splunk Enterprise8.2Splunk Web8.2.0 to 8.2.118.2.12
Splunk Enterprise9.0Splunk Web9.0.0 to 9.0.59.0.6
Splunk Enterprise9.1Splunk Web9.1.09.1.1
Splunk Cloud-Splunk Web9.0.2305.100 and below9.0.2305.200

Mitigations and Workarounds

No mitigations

Detections

Severity

Splunk rates this vulnerability a 7.8, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H.

This vulnerability only affects Splunk Enterprise Instances that run on Windows machines. If your Splunk platform instance does not run on Windows, it is not affected and this vulnerability is considered informational.

Acknowledgments

Danylo Dmytriiev (DDV_UA)

Changelog

  • 2023-10-18: Added additional details to the description and severity to clarify that this vulnerability only affects instances that run on Windows machines