Low Privilege User can View Images on the Host Machine by using the PDF Export feature in Splunk Classic Dashboard
Advisory ID: SVD-2024-1004
CVE ID: CVE-2024-45734
Published: 2024-10-14
Last Update: 2024-10-14
CVSSv3.1 Score: 4.3, Medium
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CWE: CWE-284
Bug ID: VULN-16371
Description
In Splunk Enterprise versions below 9.2.3 and 9.1.6, a low-privileged user that does not hold the “admin” or “power” Splunk roles could view images on the machine that runs Splunk Enterprise by using the PDF export feature in Splunk classic dashboards. The images on the machine could be exposed by placing a local image path in an img tag in the XML source of the Splunk classic dashboard and then exporting the dashboard as a PDF.
Solution
Upgrade Splunk Enterprise to versions 9.3.1, 9.2.3, 9.1.6 or higher.
Product Status
Product | Version | Component | Affected Version | Fix Version |
---|---|---|---|---|
Splunk Enterprise | 9.3 | pdfgen | Not affected | 9.3.0 |
Splunk Enterprise | 9.2 | pdfgen | 9.2.0 to 9.2.2 | 9.2.3 |
Splunk Enterprise | 9.1 | pdfgen | 9.1.0 to 9.1.5 | 9.1.6 |
Mitigations and Workarounds
The vulnerability affects instances with Splunk Web turned on. You could turn Splunk Web off as a possible workaround. See Disable unnecessary Splunk Enterprise components and the web.conf configuration specification file for more information on turning Splunk Web off.
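One way to audit existing classic dashboard XML for the pattern the description above names, as an added example rather than Splunk's own code: it lists every img src that points at the host file system (file:// URI, absolute POSIX path, Windows drive or UNC path) while passing remote URLs and Splunk-served /static/ assets, including img tags hidden inside CDATA html panels. The /static/ allowlist, the sample dashboard and all paths in it are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample (not from the advisory): one remote image, one Splunk-served
# static asset, one absolute filesystem path, and a CDATA html panel with a file:// URI.
SAMPLE_DASHBOARD_XML = """<dashboard>
  <label>Constructed sample</label>
  <row>
    <panel>
      <html>
        <img src="https://static.example.com/logo.png"/>
        <img src="/static/app/search/constructed.png"/>
        <img src="/tmp/constructed-sample.png"/>
      </html>
    </panel>
    <panel>
      <html><![CDATA[<p>text</p><img src='file:///tmp/constructed-other.png'>]]></html>
    </panel>
  </row>
</dashboard>"""

IMG_SRC_RE = re.compile(r"<img\b[^>]*?\bsrc\s*=\s*['\"]([^'\"]+)['\"]", re.IGNORECASE)
# Prefixes assumed (hypothetical allowlist) to be served by Splunk Web, not read from disk.
WEB_RELATIVE_PREFIXES = ("/static/",)

def classify_src(src):
    """Return a reason string if src looks like a host-local path, else None."""
    s = src.strip()
    scheme = urlsplit(s).scheme.lower()
    if scheme in ("http", "https", "data"):
        return None
    if scheme == "file":
        return "file-uri"
    if re.match(r"^[a-zA-Z]:[\\/]", s) or s.startswith("\\\\"):
        return "windows-path"
    if s.startswith("/") and not s.startswith(WEB_RELATIVE_PREFIXES):
        return "absolute-path"
    return None

def find_local_image_refs(xml_text):
    """Return [(src, reason)] for every img src in the dashboard that points at the host."""
    root = ET.fromstring(xml_text)
    srcs = []
    for el in root.iter():
        if el.tag.lower() == "img" and el.get("src"):
            srcs.append(el.get("src"))
        for chunk in (el.text, el.tail):  # html panels often carry markup as CDATA text
            if chunk and "<img" in chunk.lower():
                srcs.extend(IMG_SRC_RE.findall(chunk))
    return [(src, classify_src(src)) for src in srcs if classify_src(src)]

if __name__ == "__main__":
    for src, reason in find_local_image_refs(SAMPLE_DASHBOARD_XML):
        print(f"{reason}: {src}")
```

Run it over the dashboard XML exported from each app's data/ui/views directory; every finding is a dashboard to review before the upgrade lands.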
Detections
Severity
Splunk rates this vulnerability as 4.3, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N.
If the machine where Splunk Enterprise is installed does not contain directories with images in them, then there should be no impact and the severity would be Informational.
If the Splunk Enterprise instance does not run Splunk Web, then there should be no impact and the severity would be Informational.
Acknowledgments
Anton (therceman)