Persistent Cross-site Scripting (XSS) in conf-web/settings REST endpoint
Advisory ID: SVD-2024-0717
CVE ID: CVE-2024-36997
Published: 2024-07-01
Last Update: 2024-07-01
CVSSv3.1 Score: 4.6, Medium
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N
CWE: CWE-79
Bug ID: VULN-8007
Description
In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312, an admin user could store and execute arbitrary JavaScript code in the browser context of another Splunk user through the conf-web/settings REST endpoint. This could potentially cause a persistent cross-site scripting (XSS) exploit.
Solution
Upgrade Splunk Enterprise to versions 9.2.2, 9.1.5, and 9.0.10, or higher.
Splunk is performing upgrades on Splunk Cloud Platform instances as part of Routine Maintenance for customers, as described in the Splunk Cloud Platform Maintenance Policy. In the meantime, Splunk is actively monitoring for potential issues that could arise from this vulnerability.
Product Status
| Product | Version | Component | Affected Version | Fix Version |
|---|---|---|---|---|
| Splunk Enterprise | 9.2 | Splunk Web | 9.2.0 to 9.2.1 | 9.2.2 |
| Splunk Enterprise | 9.1 | Splunk Web | 9.1.0 to 9.1.4 | 9.1.5 |
| Splunk Enterprise | 9.0 | Splunk Web | 9.0.0 to 9.0.9 | 9.0.10 |
| Splunk Cloud Platform | 9.1.2312 | Splunk Web | Below 9.1.2312.100 | 9.1.2312.100 |
Mitigations and Workarounds
The vulnerability is likely to affect instances with Splunk Web turned on. You could turn Splunk Web off as a possible workaround. See Disable unnecessary Splunk Enterprise components and the web.conf configuration specification file for more information on turning Splunk Web off.
Detections
Severity
Splunk rates this vulnerability as 4.6, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N
If the Splunk Enterprise instance does not run Splunk Web, there is no impact and the severity is Informational.
Acknowledgments
STÖK / Fredrik Alexandersson