Deserialization of Untrusted Data on Splunk Enterprise for Windows through Path Traversal from Separate Disk Partition
Advisory ID: SVD-2024-0108
CVE ID: CVE-2024-23678
Published: 2024-01-22
Last Update: 2024-01-30
CVSSv3.1 Score: 7.5, High
CVSSv3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
CWE: CWE-20
Bug ID: SPL-240674
Description
In Splunk Enterprise for Windows versions below 9.0.8 and 9.1.3, Splunk Enterprise does not correctly sanitize path input data. This results in the unsafe deserialization of untrusted data from a separate disk partition on the machine. This vulnerability only affects Splunk Enterprise for Windows.
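The defect described above is path input that is not confined to its intended directory, so a caller can name a file that lives on a different partition of the same machine. As an added example (not Splunk's own code), the kind of path-confinement check that closes this bug class under Windows path semantics; the base directory and the sample inputs are constructed for the demonstration, and the check rejects anything that could leave the base: absolute, drive-letter, drive-relative or UNC paths, `..` climbing above the base, and components carrying a `:`.

```python
from pathlib import PureWindowsPath
from typing import Optional

# Constructed base directory for the example (not taken from the advisory).
BASE_DIR = r"C:\Program Files\Splunk\etc"


def confine_path(base: str, user_path: str) -> Optional[str]:
    """Join user_path to base and return the result only if it stays inside base.

    PureWindowsPath is used so the check behaves identically on any OS.
    Returns None for anything that could leave the base directory: absolute
    paths, drive-letter or drive-relative paths (D:\\x, D:x), UNC shares, or
    '..' sequences that climb above base. Components containing ':' are also
    rejected, since a drive spec or an NTFS alternate data stream has no
    place inside a relative file name.
    """
    base_parts = list(PureWindowsPath(base).parts)
    candidate = PureWindowsPath(user_path)

    # A drive or a root means the path is not relative to base at all.
    if candidate.drive or candidate.root:
        return None

    parts = list(base_parts)
    base_len = len(base_parts)
    for part in candidate.parts:
        if part in ("", "."):
            continue
        if part == "..":
            if len(parts) <= base_len:   # would climb above base
                return None
            parts.pop()
            continue
        if ":" in part:                  # embedded drive spec / data stream
            return None
        parts.append(part)
    return str(PureWindowsPath(*parts))


def classify(user_path: str) -> str:
    """Label a path 'allowed' or 'rejected' against BASE_DIR (demo helper)."""
    return "allowed" if confine_path(BASE_DIR, user_path) else "rejected"


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate, the rest pointing at another partition or share.
    for p in (r"apps\search\local\props.conf", r"D:\staging\payload.bin",
              r"..\..\..\..\staging\payload.bin", r"\\fileserver\share\payload.bin"):
        print(f"{classify(p):8s} {p}")
```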
Solution
Upgrade Splunk Enterprise for Windows to 9.0.8, 9.1.3, or higher.
This vulnerability does not affect Splunk Cloud Platform.
Product Status
Product | Version | Component | Affected Version | Fix Version |
---|---|---|---|---|
Splunk Enterprise | 9.0 | Splunk Web | 9.0.0 to 9.0.7 | 9.0.8 |
Splunk Enterprise | 9.1 | Splunk Web | 9.1.0 to 9.1.2 | 9.1.3 |
Mitigations and Workarounds
If users do not log in to Splunk Web on instances in a distributed environment, disable Splunk Web on those instances. See Disable unnecessary Splunk Enterprise components and the web.conf configuration specification file for more information on disabling Splunk Web.
Detections
Severity
Splunk rates this vulnerability a 7.5, High, with a CVSSv3.1 vector of CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H.
If you do not run Splunk Enterprise on a Windows machine, then there is no impact and the severity is Informational.
Acknowledgments
Danylo Dmytriiev (DDV_UA)
Changelog
- 2024-01-26: Added disabling splunkweb as a mitigation.