Path Traversal on the "/modules/messaging/" endpoint in Splunk Enterprise on Windows
Advisory ID: SVD-2024-0711
CVE ID: CVE-2024-36991
Published: 2024-07-01
Last Update: 2024-07-01
CVSSv3.1 Score: 7.5, High
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE: CWE-35
Bug ID: VULN-15637
Description
In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10, an attacker could perform a path traversal on the /modules/messaging/ endpoint in Splunk Enterprise on Windows. The CVSS vector above (AV:N, PR:N, C:H) reflects a remote, unauthenticated read of files outside the intended directory.
The vulnerability exists because the Python os.path.join function (the ntpath implementation on Windows) removes the drive letter from a path token when the drive in the token matches the drive of the path built so far. A token such as C:.. therefore does not equal the literal segment .., yet it is joined as a plain .. segment, so a check that looks at individual tokens before joining them can be bypassed.
This vulnerability should only affect Splunk Enterprise on Windows, where os.path is the drive-letter-aware ntpath module; the POSIX implementation has no drive-letter handling.
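To make the os.path.join behaviour concrete, the following added example (not code from Splunk or from this advisory) uses Python's ntpath module, which is what os.path resolves to on Windows, so it runs on any platform. The base directory and the token lists are constructed for illustration and are not Splunk's real layout or any recorded request; the per-token ".." filter is a hypothetical check, not Splunk's code. The example shows that tokens of the form C:.. keep their drive letter through a naive per-token check, lose it when joined, and resolve outside the base directory, and it pairs that with a containment check on the normalized path that rejects them.

```python
"""Added example: drive-letter stripping in ntpath.join (os.path.join on
Windows) and a containment check that catches the resulting traversal.

Uses ntpath explicitly so it runs on any OS; on Windows, os.path is ntpath.
The base directory and token lists below are constructed for illustration.
"""
import ntpath

# Constructed example base directory (assumption, not Splunk's real layout).
BASE_DIR = r"C:\Program Files\Splunk\etc"


def join_tokens(base, tokens):
    """Join request path tokens the way a naive handler would: os.path.join(base, *tokens)."""
    return ntpath.join(base, *tokens)


def has_bare_parent_segment(tokens):
    """Hypothetical per-token filter that only rejects literal '..' segments.

    It passes 'C:..' because that token is not equal to '..', yet ntpath.join
    strips the matching drive letter and treats the token as '..'.
    """
    return any(t == ".." for t in tokens)


def is_contained(base, candidate):
    """Return True only if the normalized candidate path lies under base.

    Normalization collapses '..' segments, so the drive-letter trick is
    resolved before the check. A token naming a different drive or an
    absolute path makes commonpath raise ValueError; that is also a reject.
    """
    base_n = ntpath.normpath(base)
    cand_n = ntpath.normpath(candidate)
    try:
        return ntpath.commonpath([base_n, cand_n]) == base_n
    except ValueError:
        return False


def resolve_request(base, tokens):
    """Build the target path and decide whether it may be served.

    Returns (normalized_path, allowed).
    """
    joined = join_tokens(base, tokens)
    return ntpath.normpath(joined), is_contained(base, joined)


if __name__ == "__main__":
    benign = ["alerts", "notes.txt"]
    # Each 'C:..' token carries the base's drive letter, so a literal '..'
    # check misses it while ntpath.join still walks one directory up per token.
    drive_prefixed = ["C:..", "C:..", "C:..", "Windows", "win.ini"]

    for tokens in (benign, drive_prefixed):
        joined = join_tokens(BASE_DIR, tokens)
        target, ok = resolve_request(BASE_DIR, tokens)
        print(f"tokens={tokens}")
        print(f"  bare '..' present : {has_bare_parent_segment(tokens)}")
        print(f"  os.path.join      : {joined}")
        print(f"  normalized        : {target}")
        print(f"  contained in base : {ok}")
```

The safe pattern is the last step: never decide on the raw tokens, join first, normalize, and compare the result against the base with commonpath (or, on a live system, os.path.realpath to also resolve junctions and symlinks).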
Solution
Upgrade Splunk Enterprise to version 9.2.2, 9.1.5, or 9.0.10, or higher.
Product Status
Product | Version | Component | Affected Version | Fix Version |
---|---|---|---|---|
Splunk Enterprise | 9.2 | Splunk Web | 9.2.0 to 9.2.1 | 9.2.2 |
Splunk Enterprise | 9.1 | Splunk Web | 9.1.0 to 9.1.4 | 9.1.5 |
Splunk Enterprise | 9.0 | Splunk Web | 9.0.0 to 9.0.9 | 9.0.10 |
Mitigations and Workarounds
The vulnerability affects only instances with Splunk Web turned on. As a workaround, turn Splunk Web off on instances that do not need it, such as dedicated indexers (set startwebserver = 0 in the [settings] stanza of web.conf and restart Splunk); a search head generally needs Splunk Web for its user interface, so upgrading is the only complete fix there. See Disable unnecessary Splunk Enterprise components and the web.conf configuration specification file for more information on turning Splunk Web off.
Detections
Severity
Splunk rates this vulnerability as 7.5, High, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N.
If the Splunk Enterprise instance does not run Splunk Web, there should be no impact and the severity would be informational.
Acknowledgments
Danylo Dmytriiev (DDV_UA)