Persistent Cross-Site Scripting (XSS) via props.conf on Splunk Enterprise
Advisory ID: SVD-2024-1011
CVE ID: CVE-2024-45741
Published: 2024-10-14
Last Update: 2024-10-14
CVSSv3.1 Score: 5.4, Medium
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79
Bug ID: VULN-17034
Description
In Splunk Enterprise versions below 9.2.3 and 9.1.6, and Splunk Cloud Platform versions below 9.2.2403.108 and 9.1.2312.205, a low-privileged user that does not hold the “admin” or “power” Splunk roles could place a malicious payload in a custom configuration file (props.conf) that the “api.uri” parameter of the “/manager/search/apps/local” endpoint in Splunk Web loads. This could result in execution of unauthorized JavaScript code in the browser of a user who views that page.
Solution
Upgrade Splunk Enterprise to versions 9.3.0, 9.2.3, 9.1.6, or higher.
Splunk is actively monitoring and patching Splunk Cloud Platform instances.
Product Status
Product | Version | Component | Affected Version | Fix Version |
---|---|---|---|---|
Splunk Enterprise | 9.3 | Splunk Web | Not affected | 9.3.0 |
Splunk Enterprise | 9.2 | Splunk Web | 9.2.0 to 9.2.2 | 9.2.3 |
Splunk Enterprise | 9.1 | Splunk Web | 9.1.0 to 9.1.5 | 9.1.6 |
Splunk Cloud Platform | 9.2.2403 | Splunk Web | 9.2.2403.100 to 9.2.2403.107 | 9.2.2403.108 |
Splunk Cloud Platform | 9.1.2312 | Splunk Web | Below 9.1.2312.205 | 9.1.2312.205 |
Mitigations and Workarounds
The vulnerability affects only instances with Splunk Web enabled, so turning Splunk Web off is a possible workaround. See Disable unnecessary Splunk Enterprise components and the web.conf configuration specification file for more information on disabling Splunk Web.
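As an added illustration (not text from the advisory), the web.conf setting that implements this workaround. It assumes a default $SPLUNK_HOME layout and applies to the local instance only:

```ini
# $SPLUNK_HOME/etc/system/local/web.conf
# Added example, not from the advisory. Disables Splunk Web, the affected
# component; a restart ("splunk restart") is required for it to take effect.
[settings]
startwebserver = 0
```

Disabling Splunk Web removes the UI entirely, so this suits indexers and other non-interactive roles rather than search heads that users depend on. Restore the setting to 1 once the instance has been upgraded to a fixed version.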
Detections
Severity
Splunk rates this vulnerability as 5.4, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N.
If the Splunk Enterprise instance does not run Splunk Web, there should be no impact and the severity would be informational.
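An added example that is not part of the advisory or Splunk's own tooling: a small Python checker that classifies a build against the Product Status table above and applies the Severity note about instances without Splunk Web. It assumes version strings in the dotted numeric form printed by `splunk version` (for example "9.2.2" or "9.2.2403.107"); the status labels, the hypothetical inventory and the function names are this example's own choices.

```python
"""Added example (not part of the advisory): classify Splunk version strings
against the Product Status table of SVD-2024-1011.

Assumes versions are given in dotted numeric form as printed by
`splunk version`; the status labels, inventory and function names are
this example's own choices."""
from __future__ import annotations

# Transcribed from the Product Status table:
# (product, release line, lowest affected, highest affected, fix version).
# A None lower bound mirrors "Below 9.1.2312.205", where the table gives no
# lowest affected build; a None upper bound marks a line listed as not affected.
STATUS = [
    ("Splunk Enterprise",     "9.3",      None,           None,           "9.3.0"),
    ("Splunk Enterprise",     "9.2",      "9.2.0",        "9.2.2",        "9.2.3"),
    ("Splunk Enterprise",     "9.1",      "9.1.0",        "9.1.5",        "9.1.6"),
    ("Splunk Cloud Platform", "9.2.2403", "9.2.2403.100", "9.2.2403.107", "9.2.2403.108"),
    ("Splunk Cloud Platform", "9.1.2312", None,           "9.1.2312.204", "9.1.2312.205"),
]


def parse_version(version: str) -> tuple[int, ...]:
    """Turn "9.2.2403.107" into (9, 2, 2403, 107) so comparisons are numeric.
    Comparing raw strings would wrongly sort "9.2.10" before "9.2.3"."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)


def _in_line(v: tuple[int, ...], line: str) -> bool:
    """True when v belongs to the release line, e.g. (9, 2, 5) is in "9.2"."""
    prefix = parse_version(line)
    return v[: len(prefix)] == prefix


def assess(product: str, version: str, splunk_web_enabled: bool = True) -> str:
    """Return "affected (...)", "fixed", "not affected" or "not listed".

    An affected build that runs without Splunk Web is reported as
    informational, following the Severity note in the advisory."""
    v = parse_version(version)
    for prod, line, lowest, highest, fix in STATUS:
        if prod != product or not _in_line(v, line):
            continue
        if highest is None:
            return "not affected"
        if v > parse_version(highest):
            return "fixed"
        if lowest is not None and v < parse_version(lowest):
            return "not listed"  # older than the lowest build the table names
        if not splunk_web_enabled:
            return f"affected (informational: Splunk Web disabled; fix is {fix})"
        return f"affected (fix is {fix})"
    return "not listed"  # release line absent from the table (e.g. 9.0.x)


if __name__ == "__main__":
    # Constructed inventory for demonstration, not real hosts.
    inventory = [
        ("sh01",  "Splunk Enterprise",     "9.2.2",        True),
        ("idx01", "Splunk Enterprise",     "9.2.2",        False),
        ("sh02",  "Splunk Enterprise",     "9.2.10",       True),
        ("cloud", "Splunk Cloud Platform", "9.2.2403.107", True),
    ]
    for host, product, version, web in inventory:
        print(f"{host:6} {product:22} {version:14} {assess(product, version, web)}")
```

Builds older than the lowest affected version in the table (9.0.x, or Cloud 9.2.2403 builds below .100) are reported as "not listed" rather than "not affected", because the advisory makes no statement about them; treat those as a question for Splunk support, not as safe.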
Acknowledgments
Danylo Dmytriiev (DDV_UA)