Cross-site Scripting (XSS) on “Show Syntax Highlighted” View in Search Page
Advisory ID: SVD-2023-1103
CVE ID: CVE-2023-46213
Published: 2023-11-16
Last Update: 2023-11-20
CVSSv3.1 Score: 4.8, Medium
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79
Bug ID: VULN-5768
Description
In Splunk Enterprise versions below 9.0.7 and 9.1.2, the “Show syntax highlighted” feature of the Search page does not effectively escape log file characters.
This vulnerability lets an attacker craft a log file which can execute unauthorized JavaScript code in the browser of a user that interacts with events in the malicious log file in a specific way.
Solution
Upgrade Splunk Enterprise to versions 9.0.7 or 9.1.2.
Splunk is actively monitoring and patching Splunk Cloud Platform instances.
Product Status
| Product | Version | Component | Affected Version | Fix Version |
|---|---|---|---|---|
| Splunk Enterprise | 9.0 | Splunk Web | 9.0.0 to 9.0.6 | 9.0.7 |
| Splunk Enterprise | 9.1 | Splunk Web | 9.1.0 to 9.1.1 | 9.1.2 |
| Splunk Cloud | - | Splunk Web | Versions below 9.1.2308 | 9.1.2308 |
Mitigations and Workarounds
If users do not log in to Splunk Web on indexers in a distributed environment, disable Splunk Web on those indexers. See Disable unnecessary Splunk Enterprise components and the web.conf configuration specification file in the Splunk documentation for more information on disabling Splunk Web.
Do not use the “Show syntax highlighted” feature in the Search page on imported log files whose origins you are not familiar with.
Detections
Severity
Splunk rates this vulnerability a 4.8, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N.
If the Splunk Enterprise instance does not run Splunk Web, it is not affected and this vulnerability can be considered Informational.
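The following is an added example, not part of Splunk's advisory or tooling: a triage helper that combines the Splunk Enterprise rows of the Product Status table with the Splunk Web condition above. The function names, host names and inventory are constructed, and it assumes you pass each instance's effective web.conf text, where `startwebserver` under `[settings]` controls whether Splunk Web runs.

```python
import configparser
import re

# Fix version per Splunk Enterprise release line, from the Product Status table.
FIX_VERSION = {(9, 0): (9, 0, 7), (9, 1): (9, 1, 2)}

def parse_version(text):
    """Extract (major, minor, patch) from a string such as '9.0.6'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(p) for p in m.groups())

def splunk_web_enabled(web_conf_text):
    """Read [settings] startwebserver; Splunk Web runs unless it is turned off."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(web_conf_text)
    value = cp.get("settings", "startwebserver", fallback="1").strip().lower()
    return value not in ("0", "false")

def assess(version_text, web_conf_text=""):
    """Classify one instance against SVD-2023-1103."""
    version = parse_version(version_text)
    fix = FIX_VERSION.get(version[:2])
    if fix is None:
        return "not_listed"          # release line absent from the table
    if version >= fix:               # assumption: later patches keep the fix
        return "fixed"
    if not splunk_web_enabled(web_conf_text):
        return "informational"       # no Splunk Web, per the Severity section
    return "affected: upgrade to " + ".".join(map(str, fix))

# Constructed sample inventory: (host, version, effective web.conf text).
INVENTORY = [
    ("idx01", "9.0.6", "[settings]\nstartwebserver = 0\n"),
    ("sh01", "9.1.1", "[settings]\nhttpport = 8000\n"),
    ("sh02", "9.1.2", ""),
    ("hf01", "8.2.12", ""),
]

def audit(inventory):
    return {host: assess(ver, conf) for host, ver, conf in inventory}

if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(f"{host}: {status}")
```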
Acknowledgments
Joshua Neubecker
Changelog
- 2023-11-20: Added relevant detection link