Remote Code Execution through dashboard PDF generation component
Published: 2024-07-01
Last Update: 2024-07-01
CVSSv3.1 Score: 8.8, High
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-94
Bug ID: VULN-15197
Description
In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.109 and 9.1.2308.203, an authenticated user could execute arbitrary code through the dashboard PDF generation component.
The pdfgen/render REST endpoint uses a version of the ReportLab Toolkit Python library (v3.6.1) that is affected by CVE-2023-33733, a remote code execution vulnerability in which the library's rl_safe_eval sandbox for evaluating attributes in paragraph markup can be escaped, so attacker-controlled content reaching the PDF renderer can run arbitrary Python on the Splunk instance. Because the endpoint is reachable by any authenticated user, the impact is code execution with the privileges of the Splunk process rather than of the requesting user.
Solution
Upgrade Splunk Enterprise to versions 9.2.2, 9.1.5, and 9.0.10, or higher.
Splunk is performing upgrades on Splunk Cloud Platform instances as part of Emergency Maintenance for customers, as described in the Splunk Cloud Platform Maintenance Policy. In the meantime, Splunk is actively monitoring for potential issues that could arise from this vulnerability.
Product Status
Product | Version | Component | Affected Versions | Fix Version |
---|---|---|---|---|
Splunk Enterprise | 9.2 | pdfgen | 9.2.0 to 9.2.1 | 9.2.2 |
Splunk Enterprise | 9.1 | pdfgen | 9.1.0 to 9.1.4 | 9.1.5 |
Splunk Enterprise | 9.0 | pdfgen | 9.0.0 to 9.0.9 | 9.0.10 |
Splunk Cloud Platform | 9.1.2312 | pdfgen | 9.1.2312.100 to 9.1.2312.108 | 9.1.2312.109 |
Splunk Cloud Platform | 9.1.2308 | pdfgen | Below 9.1.2308.203 | 9.1.2308.203 |
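The ranges in the table above are the whole basis for deciding whether a given instance needs the emergency upgrade, and the comparison is easy to get wrong with string matching (a plain string compare ranks 9.0.10 below 9.0.9). The following triage helper is an added example, not code from Splunk or from this advisory: it encodes the table verbatim, compares versions as integer tuples, and refuses to call a build "safe" when it falls in a release train the advisory does not list. The regex for parsing `splunk version` output assumes the usual "Splunk X.Y.Z (build ...)" form, which is an assumption here, not a documented contract.

```python
"""Version triage for this advisory: is a Splunk build in an affected range?

Added example, not Splunk's own tooling. The ranges below are transcribed
from the Product Status table in the advisory.
"""
import re
from typing import Optional, Tuple

# (product, release train, first affected build, first fixed build)
# The 9.1.2308 Cloud row only states an upper bound, so its lower bound is None.
AFFECTED_RANGES = [
    ("Splunk Enterprise", "9.2", "9.2.0", "9.2.2"),
    ("Splunk Enterprise", "9.1", "9.1.0", "9.1.5"),
    ("Splunk Enterprise", "9.0", "9.0.0", "9.0.10"),
    ("Splunk Cloud Platform", "9.1.2312", "9.1.2312.100", "9.1.2312.109"),
    ("Splunk Cloud Platform", "9.1.2308", None, "9.1.2308.203"),
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '9.0.10' into (9, 0, 10).

    Integer tuples compare numerically; a string compare would rank
    '9.0.10' below '9.0.9' and mark a fixed build as vulnerable.
    """
    core = text.strip().split("-", 1)[0]  # drop any '-suffix' after the number
    if not re.fullmatch(r"\d+(?:\.\d+)*", core):
        raise ValueError(f"not a dotted version: {text!r}")
    return tuple(int(part) for part in core.split("."))


def in_train(version: str, train: str) -> bool:
    """True if version starts with the train prefix: 9.1.4 is in train 9.1,
    but 9.1.2312.108 is not in train 9.1.2308."""
    prefix = parse_version(train)
    return parse_version(version)[: len(prefix)] == prefix


def is_affected(product: str, version: str) -> Tuple[Optional[bool], Optional[str]]:
    """Return (affected, fix_version).

    affected is True or False when the build sits in a train the advisory
    covers, and None when it does not (for example a newer train), which is
    deliberately reported as "unknown" rather than as "safe".
    """
    v = parse_version(version)
    for prod, train, first, fix in AFFECTED_RANGES:
        if prod != product or not in_train(version, train):
            continue
        below_first = first is not None and v < parse_version(first)
        return (not below_first and v < parse_version(fix)), fix
    return None, None


# Assumed shape of `splunk version` output, e.g. "Splunk 9.2.1 (build ...)".
# This regex is an assumption for the example, not a documented format.
_SPLUNK_VERSION_RE = re.compile(r"Splunk (\d+(?:\.\d+)+)")


def triage_enterprise_output(cli_output: str) -> Tuple[Optional[bool], Optional[str]]:
    """Extract the Enterprise version from CLI output and triage it."""
    match = _SPLUNK_VERSION_RE.search(cli_output)
    if not match:
        raise ValueError("could not find a Splunk version in the output")
    return is_affected("Splunk Enterprise", match.group(1))


if __name__ == "__main__":
    # Constructed sample line, not real CLI output.
    print(triage_enterprise_output("Splunk 9.1.4 (build deadbeef)"))  # -> (True, '9.1.5')
```

Run it against the output of `$SPLUNK_HOME/bin/splunk version` on each search head and indexer; a `None` result means the build is outside the trains this advisory lists and should be checked against the vendor page rather than assumed fixed.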
Mitigations and Workarounds
None
Detections
Severity
Splunk rates this vulnerability as 8.8, High, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.
Acknowledgments
Alex Chapman (ajxchapman)