Insecure File Upload in the indexing/preview REST endpoint
Advisory ID: SVD-2024-0707
CVE ID: CVE-2024-36987
Published: 2024-07-01
Last Update: 2024-07-01
CVSSv3.1 Score: 4.3, Medium
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CWE: CWE-434
Bug ID: VULN-10327
Description
In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.200, an authenticated, low-privileged user who does not hold the “admin” or “power” Splunk roles could upload a file with an arbitrary extension using the indexing/preview REST endpoint.
The vulnerable endpoint is one of several that the Upload Data page in Splunk Web uses to run a “preview” search of the data contained within a file that a user uploads prior to indexing. This process generates a file that a low-privileged user could use to perform the XSLT injection, which could be used to perform downstream exploits.
Solution
Upgrade Splunk Enterprise to versions 9.2.2, 9.1.5, and 9.0.10, or higher.
Splunk is performing upgrades on Splunk Cloud Platform instances as part of Routine Maintenance for customers, as described in the Splunk Cloud Platform Maintenance Policy. In the meantime, Splunk is actively monitoring for potential issues that could arise from this vulnerability.
Product Status
Product | Version | Component | Affected Version | Fix Version |
---|---|---|---|---|
Splunk Enterprise | 9.2 | Splunk Web | 9.2.0 to 9.2.1 | 9.2.2 |
Splunk Enterprise | 9.1 | Splunk Web | 9.1.0 to 9.1.4 | 9.1.5 |
Splunk Enterprise | 9.0 | Splunk Web | 9.0.0 to 9.0.9 | 9.0.10 |
Splunk Cloud Platform | 9.1.2312 | Splunk Web | Below 9.1.2312.200 | 9.1.2312.200 |
Mitigations and Workarounds
The vulnerability would likely affect instances with Splunk Web turned on. You could turn Splunk Web off as a possible workaround. See Disable unnecessary Splunk Enterprise components and the web.conf configuration specification file for more information on turning Splunk Web off.
Detections
None
Severity
Splunk rates this vulnerability as 4.3, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N.
If the Splunk Enterprise instance does not run Splunk Web, there should be no impact and the severity would be informational.
Acknowledgments
Kyle Bambrick, Splunk