Remote Code Execution through dashboard PDF generation component

Advisory ID: SVD-2024-0701

CVE ID: 

Published: 2024-07-01

Last Update: 2024-07-01

CVSSv3.1 Score: 8.8, High

CWE: CWE-94

Bug ID: VULN-15197

Description

In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.109 and 9.1.2308.203, an authenticated user could execute arbitrary code through the dashboard PDF generation component.

The pdfgen/render REST endpoint uses a vulnerable version of the ReportLab Toolkit (v3.6.1) Python library with a remote code execution vulnerability, as described in Common Vulnerabilities and Exposures (CVE) ID CVE-2023-33733.

Solution

Upgrade Splunk Enterprise to version 9.2.2, 9.1.5, or 9.0.10, or higher.

Splunk is performing upgrades on Splunk Cloud Platform instances as part of Emergency Maintenance for customers, as described in the Splunk Cloud Platform Maintenance Policy. In the meantime, Splunk is actively monitoring for potential issues that could arise from this vulnerability.

Product Status

Product               | Version  | Component | Affected Version              | Fix Version
Splunk Enterprise     | 9.2      | pdfgen    | 9.2.0 to 9.2.1                | 9.2.2
Splunk Enterprise     | 9.1      | pdfgen    | 9.1.0 to 9.1.4                | 9.1.5
Splunk Enterprise     | 9.0      | pdfgen    | 9.0.0 to 9.0.9                | 9.0.10
Splunk Cloud Platform | 9.1.2312 | pdfgen    | 9.1.2312.100 to 9.1.2312.108  | 9.1.2312.109
Splunk Cloud Platform | 9.1.2308 | pdfgen    | Below 9.1.2308.203            | 9.1.2308.203
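The following is an added example, not part of the advisory or of Splunk's tooling: a small Python checker that encodes the Product Status ranges above and reports whether a given Splunk version string is affected. It compares versions numerically, component by component, so a build such as 9.2.10 is correctly treated as later than the 9.2.2 fix (a plain string comparison would not).

```python
"""Check a Splunk version against the affected ranges in SVD-2024-0701.

Ranges below are transcribed from the advisory's Product Status table.
Versions are compared as tuples of integers, not as strings, so that
9.2.10 sorts after 9.2.2.
"""
from typing import Optional, Tuple

Version = Tuple[int, ...]

# (product, release line prefix, first affected build or None when the
#  advisory only states "Below <fix>", first fixed build)
AFFECTED = [
    ("Splunk Enterprise", (9, 2), (9, 2, 0), (9, 2, 2)),
    ("Splunk Enterprise", (9, 1), (9, 1, 0), (9, 1, 5)),
    ("Splunk Enterprise", (9, 0), (9, 0, 0), (9, 0, 10)),
    ("Splunk Cloud Platform", (9, 1, 2312), (9, 1, 2312, 100), (9, 1, 2312, 109)),
    ("Splunk Cloud Platform", (9, 1, 2308), None, (9, 1, 2308, 203)),
]


def parse_version(text: str) -> Version:
    """Turn '9.2.1' into (9, 2, 1); reject anything that is not dotted integers."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(product: str, version: str) -> Optional[bool]:
    """Return True if affected, False if at or above the fix version, and
    None if the version is on a release line the advisory does not cover
    (for example 8.x or 9.3) or below the first affected build listed."""
    v = parse_version(version)
    for prod, line, low, fix in AFFECTED:
        if prod != product or v[: len(line)] != line:
            continue  # different product or a different release line
        if v >= fix:
            return False
        if low is None or v >= low:
            return True
        return None  # on the line but below the first build the advisory names
    return None


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for prod, ver in [("Splunk Enterprise", "9.2.1"), ("Splunk Enterprise", "9.2.10"),
                      ("Splunk Cloud Platform", "9.1.2308.150")]:
        print(f"{prod} {ver}: affected={is_affected(prod, ver)}")
```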

Mitigations and Workarounds

None

Detections

Severity

Splunk rates this vulnerability as 8.8, High, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.

Acknowledgments

Alex Chapman (ajxchapman)