Path Traversal on the "/modules/messaging/" endpoint in Splunk Enterprise on Windows

Advisory ID: SVD-2024-0711

CVE ID: CVE-2024-36991

Published: 2024-07-01

Last Update: 2024-07-01

CVSSv3.1 Score: 7.5, High

CWE: CWE-35

Bug ID: VULN-15637

Description

In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10, an attacker could perform a path traversal on the /modules/messaging/ endpoint in Splunk Enterprise on Windows.

The vulnerability exists because the Python os.path.join function removes the drive letter from path tokens if the drive in the token matches the drive in the built path.

This vulnerability should only affect Splunk Enterprise on Windows.
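The os.path.join behaviour the description refers to, next to a path check that does not rely on it, as an added example that is not part of this advisory and not Splunk's code. It uses Python's ntpath module directly (os.path on Windows is ntpath) so the demonstration runs on any OS; the base directory and the file names are constructed for the demo.

```python
import ntpath  # os.path is ntpath on Windows; importing it directly keeps the demo OS-independent

# Constructed base directory for the demo (not a real Splunk path).
BASE_DIR = r"C:\app\messaging"


def naive_join(base: str, token: str) -> str:
    """Plain os.path.join as the advisory describes it.

    When `token` carries the same drive letter as `base` but no root
    (e.g. "C:..\\x.txt"), ntpath.join drops the drive and appends the
    remainder as a relative path, so ".." segments survive into the result.
    """
    return ntpath.join(base, token)


def safe_join(base: str, token: str):
    """Hardened join: accept only a relative name that stays inside `base`.

    Returns the normalized path, or None when the token is rejected.
    """
    drive, tail = ntpath.splitdrive(token)
    if drive or tail.startswith(("\\", "/")):
        # A drive letter or a leading separator is never a valid relative name.
        return None
    base_norm = ntpath.normpath(base)
    candidate = ntpath.normpath(ntpath.join(base_norm, token))
    # Windows paths compare case-insensitively; normcase lowercases and unifies separators.
    prefix = ntpath.normcase(base_norm) + ntpath.sep
    if not ntpath.normcase(candidate).startswith(prefix):
        # After collapsing ".." the result left the base directory.
        return None
    return candidate


if __name__ == "__main__":
    for token in (r"inbox\msg1.json", r"..\x.txt", r"C:..\..\x.txt", r"\x.txt", "D:\\x.txt"):
        print(f"{token!r:22} naive={naive_join(BASE_DIR, token)!r}  safe={safe_join(BASE_DIR, token)!r}")
```

The drive-matching rule is why a prefix check on the raw token is not enough: the token "C:..\\x.txt" starts with the expected drive, yet after joining it resolves outside the base. Checking the normalized result against the base directory, as safe_join does, catches that case regardless of how the token was spelled.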

Solution

Upgrade Splunk Enterprise to versions 9.2.2, 9.1.5, and 9.0.10, or higher.

Product Status

Product            Version  Component   Affected Version  Fix Version
Splunk Enterprise  9.2      Splunk Web  9.2.0 to 9.2.1    9.2.2
Splunk Enterprise  9.1      Splunk Web  9.1.0 to 9.1.4    9.1.5
Splunk Enterprise  9.0      Splunk Web  9.0.0 to 9.0.9    9.0.10

Mitigations and Workarounds

The vulnerability affects instances with Splunk Web turned on. You could turn Splunk Web off as a possible workaround. See Disable unnecessary Splunk Enterprise components and the web.conf configuration specification file for more information on turning Splunk Web off.

Detections

Severity

Splunk rates this vulnerability as 7.5, High, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N.

If the Splunk Enterprise instance does not run Splunk Web, there should be no impact and the severity would be informational.

Acknowledgments

Danylo Dmytriiev (DDV_UA)