Headline
CVE-2023-40597: Absolute Path Traversal in Splunk Enterprise Using runshellscript.py
In Splunk Enterprise versions lower than 8.2.12, 9.0.6, and 9.1.1, an attacker can exploit an absolute path traversal to execute arbitrary code that is located on a separate disk.
Advisory ID: SVD-2023-0806
Published: 2023-08-30
Last Update: 2023-08-30
CVSSv3.1 Score: 7.8, High
Description
In Splunk Enterprise versions lower than 8.2.12, 9.0.6, and 9.1.1, an attacker can exploit an absolute path traversal to execute arbitrary code that is located on a separate disk.
The runshellscript.py script does not perform adequate user validation. This lets an attacker use the runshellscript.py script to run a script in the root directory of another disk on the machine.
The exploit requires the attacker to have write access to the drive on which they place the exploit script.
The exploit is more accessible on Splunk Enterprise instances that run on Windows but is applicable to any operating system.
Solution
Upgrade Splunk Enterprise to 8.2.12, 9.0.6, or 9.1.1.
Splunk is actively monitoring and patching Splunk Cloud Systems.
Product Status
Product
Version
Component
Affected Version
Fix Version
Splunk Enterprise
8.2
Splunk Web
8.2.0 to 8.2.11
8.2.12
Splunk Enterprise
9.0
Splunk Web
9.0.0 to 9.0.5
9.0.6
Splunk Enterprise
9.1
Splunk Web
9.1.0
9.1.1
Splunk Cloud
-
Splunk Web
9.0.2305.100 and below
9.0.2305.200
Mitigations and Workarounds
No mitigations
Detections
None
Severity
Splunk rates this vulnerability a 7.8, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Acknowledgments
Danylo Dmytriiev (DDV_UA)