Deserialization of Untrusted Data on Splunk Enterprise for Windows through Path Traversal from Separate Disk Partition

Advisory ID: SVD-2024-0108

CVE ID: CVE-2024-23678

Published: 2024-01-22

Last Update: 2024-01-30

CVSSv3.1 Score: 7.5, High

CWE: CWE-20

Bug ID: SPL-240674

Description

In Splunk Enterprise for Windows 9.0 versions below 9.0.8 and 9.1 versions below 9.1.3, Splunk Web does not correctly sanitize path input. A path traversal lets an attacker point the instance at a file on a separate disk partition of the same machine, and the instance then deserializes that file as untrusted data. This vulnerability only affects Splunk Enterprise for Windows.

Solution

Upgrade Splunk Enterprise for Windows to 9.0.8, 9.1.3, or higher.

This vulnerability does not affect Splunk Cloud Platform.

Product Status

Product            Version  Component   Affected Version  Fix Version
Splunk Enterprise  9.0      Splunk Web  9.0.0 to 9.0.7    9.0.8
Splunk Enterprise  9.1      Splunk Web  9.1.0 to 9.1.2    9.1.3

Mitigations and Workarounds

If users do not log in to Splunk Web on instances in a distributed environment (for example, indexers and forwarders that are managed only through the CLI or a deployment server), disable Splunk Web on those instances. In web.conf this means setting startwebserver = 0 in the [settings] stanza and restarting the instance. See Disable unnecessary Splunk Enterprise components and the web.conf configuration specification file for more information on disabling Splunk Web. Disabling Splunk Web is a workaround only; instances on which Splunk Web remains enabled must be upgraded.
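The following triage helper is an added example, not code from Splunk or from this advisory. It classifies a host against the affected ranges in the Product Status table, the Windows-only scope, and the Splunk Web workaround above, by parsing the version string and the [settings] stanza of web.conf. The host inventory at the bottom is constructed sample data; the function names are assumptions made for this example.

```python
"""Added example (not Splunk's own code): classify a Splunk Enterprise host
against SVD-2024-0108 / CVE-2024-23678 from the three facts the advisory
uses: the OS, the Splunk version, and whether Splunk Web is enabled."""

import re

# Affected ranges and fix versions copied from the advisory's Product Status
# table: (major, minor) -> (first affected, last affected, fix version).
AFFECTED = {
    (9, 0): ((9, 0, 0), (9, 0, 7), "9.0.8"),
    (9, 1): ((9, 1, 0), (9, 1, 2), "9.1.3"),
}


def parse_version(text: str) -> tuple:
    """Turn '9.0.7' or 'Splunk 9.0.7 (build ...)' into the tuple (9, 0, 7)."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(p) for p in m.groups())


def splunk_web_enabled(web_conf: str) -> bool:
    """Read startwebserver from the [settings] stanza of web.conf.
    Splunk's default is 1 (enabled), so a missing key means enabled; keys in
    other stanzas and commented-out lines are ignored."""
    stanza = None
    enabled = True
    for raw in web_conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1].strip().lower()
        elif stanza == "settings" and "=" in line:
            key, val = (s.strip().lower() for s in line.split("=", 1))
            if key == "startwebserver":
                enabled = val in ("1", "true")
    return enabled


def classify(os_name: str, version: str, web_conf: str) -> str:
    """Return one of: not_affected, fixed, vulnerable, mitigated."""
    if "windows" not in os_name.lower():
        return "not_affected"      # advisory: Windows-only, Informational elsewhere
    v = parse_version(version)
    rng = AFFECTED.get(v[:2])
    if rng is None:
        return "not_affected"      # version line not listed in the advisory's table
    lo, hi, _fix = rng
    if not (lo <= v <= hi):
        return "fixed"             # at or above the fix version for that line
    # Affected build: the workaround only helps where Splunk Web is off.
    return "vulnerable" if splunk_web_enabled(web_conf) else "mitigated"


def triage(hosts: list) -> dict:
    """Map hostname -> classification for a list of (host, os, version, web.conf)."""
    return {h: classify(os_name, ver, conf) for h, os_name, ver, conf in hosts}


# Constructed sample inventory (hypothetical hosts, not real systems).
SAMPLE_HOSTS = [
    ("sh01", "Windows Server 2019", "Splunk 9.0.7 (build 6ec8ff0)", ""),
    ("idx01", "Windows Server 2019", "9.1.2", "[settings]\nstartwebserver = 0\n"),
    ("idx02", "Windows Server 2022", "9.1.2", "[settings]\n# startwebserver = 0\n"),
    ("sh02", "Windows Server 2022", "9.1.3", ""),
    ("idx03", "Linux", "9.0.7", ""),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_HOSTS).items():
        print(f"{host:6} {status}")
```

A commented-out startwebserver line (idx02 above) still counts as enabled, which is the case most often missed when the workaround is applied by hand; mitigated hosts are still on an affected build and should be scheduled for the upgrade.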

Detections

Severity

Splunk rates this vulnerability a 7.5, High, with a CVSSv3.1 vector of CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H.

If you do not run Splunk Enterprise on a Windows machine, then there is no impact and the severity is Informational.

Acknowledgments

Danylo Dmytriiev (DDV_UA)

Changelog

  • 2024-01-26: Added disabling splunkweb as a mitigation.