Insecure File Upload in the indexing/preview REST endpoint

Advisory ID: SVD-2024-0707

CVE ID: CVE-2024-36987

Published: 2024-07-01

Last Update: 2024-07-01

CVSSv3.1 Score: 4.3, Medium

CWE: CWE-434

Bug ID: VULN-10327

Description

In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.200, an authenticated, low-privileged user who does not hold the “admin” or “power” Splunk roles could upload a file with an arbitrary extension using the indexing/preview REST endpoint.

The vulnerable endpoint is one of several that the Upload Data page in Splunk Web uses to run a “preview” search of the data contained within a file that a user uploads prior to indexing. This process generates a file that a low-privileged user could use to perform an XSLT injection, which could in turn be used to perform downstream exploits.

Solution

Upgrade Splunk Enterprise to version 9.2.2, 9.1.5, or 9.0.10, or higher.

Splunk is performing upgrades on Splunk Cloud Platform instances as part of Routine Maintenance for customers, as described in the Splunk Cloud Platform Maintenance Policy. In the meantime, Splunk is actively monitoring for potential issues that could arise from this vulnerability.

Product Status

Product | Version | Component | Affected Version | Fix Version
Splunk Enterprise | 9.2 | Splunk Web | 9.2.0 to 9.2.1 | 9.2.2
Splunk Enterprise | 9.1 | Splunk Web | 9.1.0 to 9.1.4 | 9.1.5
Splunk Enterprise | 9.0 | Splunk Web | 9.0.0 to 9.0.9 | 9.0.10
Splunk Cloud Platform | 9.1.2312 | Splunk Web | Below 9.1.2312.200 | 9.1.2312.200

Mitigations and Workarounds

The vulnerability would likely affect instances with Splunk Web turned on. You could turn Splunk Web off as a possible workaround. See Disable unnecessary Splunk Enterprise components and the web.conf configuration specification file for more information on turning Splunk Web off.

Detections

None

Severity

Splunk rates this vulnerability as 4.3, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N.

If the Splunk Enterprise instance does not run Splunk Web, there should be no impact and the severity would be informational.
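
The triage below is an added example, not part of Splunk's advisory: it checks a version against the Product Status table and reads the `startwebserver` key from the `[settings]` stanza of web.conf (assumed here to default to on when unset) to apply the Splunk Web caveat from the Mitigations and Severity sections. The function names, status strings and inventory entries are constructed for illustration.

```python
import configparser

# Fix version per release line, copied from the advisory's Product Status table.
ENTERPRISE_FIXES = {(9, 2): (9, 2, 2), (9, 1): (9, 1, 5), (9, 0): (9, 0, 10)}
CLOUD_FIXES = {(9, 1, 2312): (9, 1, 2312, 200)}

def parse_version(text):
    """Turn '9.1.2312.200' into (9, 1, 2312, 200); raises ValueError on junk."""
    return tuple(int(part) for part in text.strip().split("."))

def version_status(product, version):
    """Return 'affected', 'fixed' or 'not-listed' for one product/version pair."""
    v = parse_version(version)
    fixes, width = (CLOUD_FIXES, 3) if product == "cloud" else (ENTERPRISE_FIXES, 2)
    fix = fixes.get(v[:width])
    if fix is None:
        return "not-listed"  # the table says nothing about this release line
    # Numeric tuple comparison, so 9.0.10 sorts above 9.0.9 (a string compare would not).
    return "affected" if v < fix else "fixed"

def splunk_web_enabled(web_conf_text):
    """Read [settings] startwebserver; assumption: on unless set to 0/false."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(web_conf_text)
    value = cp.get("settings", "startwebserver", fallback="1").strip().lower()
    return value not in ("0", "false")

def triage(product, version, web_conf_text=""):
    """Combine the version check with the Splunk Web caveat."""
    status = version_status(product, version)
    if status != "affected":
        return status
    # Severity section: without Splunk Web the rating drops to informational.
    return "affected" if splunk_web_enabled(web_conf_text) else "affected-informational"

# Constructed sample inventory, not taken from the advisory.
WEB_OFF = "[settings]\nstartwebserver = 0\n"
INVENTORY = [
    ("enterprise", "9.2.1", ""),
    ("enterprise", "9.0.10", ""),
    ("enterprise", "9.1.4", WEB_OFF),
    ("cloud", "9.1.2312.109", ""),
]

if __name__ == "__main__":
    for product, version, conf in INVENTORY:
        print(f"{product:10} {version:14} {triage(product, version, conf)}")
```

A "not-listed" result means only that the release line does not appear in the Product Status table, not that it is unaffected.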

Acknowledgments

Kyle Bambrick, Splunk