SVD-2023-0213: Modular Input REST API Requests Connect via HTTP after Certificate Validation Failure in Splunk Add-on Builder and Splunk CloudConnect SDK
In Splunk Add-on Builder (AoB) versions below 4.1.2 and the Splunk CloudConnect SDK versions below 3.1.3, requests to third-party APIs through the REST API Modular Input incorrectly revert to using HTTP to connect after a failure to...
SVD-2023-0214: Splunk Response to the Apache Software Foundation Publishing a Vulnerability on Apache Commons Text (CVE-2022-42889) (Text4Shell)
The Apache Security Team disclosed a critical vulnerability, CVE-2022-42889, that affects the Apache Common Text library. For more information, see the Apache Software Foundation’s advisory. Vulnerability CVE-2022-42889 does not affect Splunk products.
SVD-2023-0215: February Third Party Package Updates in Splunk Enterprise
Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in versions 8.1.13, 8.2.10, and 9.0.4 of Splunk Enterprise
SVD-2023-0202: Persistent Cross-Site Scripting through a Base64-encoded Image in a View in Splunk Enterprise
In Splunk Enterprise 9.0 versions before 9.0.4, a View allows for Cross-Site Scripting (XSS) through the error message in a Base64-encoded image. The vulnerability affects instances with Splunk Web enabled. It does not affect Splunk Enterprise versions...
SVD-2023-0201: ‘createrss’ External Search Command Overwrites Existing RSS Feeds in Splunk Enterprise
In Splunk Enterprise versions below 8.1.13 and 8.2.10, the ‘createrss’ external search command overwrites existing Resource Description Format Site Summary (RSS) feeds without verifying permissions. This feature has been deprecated and disabled by default.
SVD-2023-0204: SPL Command Safeguards Bypass via the ‘pivot’ SPL Command in Splunk Enterprise
In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the ‘pivot’ search processing language (SPL) command lets a search bypass SPL safeguards for risky commands using a saved search job. The vulnerability requires an authenticated user to...
SVD-2023-0203: Persistent Cross-Site Scripting through the ‘module’ Tag in a View in Splunk Enterprise
In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, a View allows for Cross-Site Scripting (XSS) in an extensible mark-up language (XML) View through the ‘layoutPanel’ attribute in the ‘module’ tag’.
SVD-2023-0206: Authenticated Blind Server Side Request Forgery via the ‘search_listener’ Search Parameter in Splunk Enterprise
In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the ‘search_listener’ parameter in a search allows for a blind server-side request forgery (SSRF) by an authenticated user. The initiator of the request cannot see the response without...
SVD-2023-0205: SPL Command Safeguards Bypass via the ‘display.page.search.patterns.sensitivity’ Search Parameter in Splunk Enterprise
In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the ‘display.page.search.patterns.sensitivity’ search parameter lets a search bypass SPL safeguards for risky commands. The vulnerability requires a higher privileged user to initiate a request within their browser and...
SVD-2023-0208: Permissions Validation Failure in the ‘sendemail’ REST API Endpoint in Splunk Enterprise
In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the ‘sendemail’ REST API endpoint lets any authenticated user send an email as the Splunk instance. The endpoint is now restricted to the ‘splunk-system-user’ account on the local...
SVD-2023-0207: Unnecessary File Extensions Allowed by Lookup Table Uploads in Splunk Enterprise
In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the lookup table upload feature let a user upload lookup tables with unnecessary filename extensions. Lookup table file extensions may now be one of the following only: .csv,...
SVD-2023-0210: SPL Command Safeguards Bypass via the ‘collect’ SPL Command Aliases in Splunk Enterprise
In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, aliases of the ‘collect’ search processing language (SPL) command, including ‘summaryindex’, ‘sumindex’, ‘stash’,’ mcollect’, and ‘meventcollect’, were not designated as safeguarded commands. The commands could potentially allow for...
SVD-2023-0209: SPL Command Safeguards Bypass via the ‘map’ SPL Command in Splunk Enterprise
In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the ‘map’ search processing language (SPL) command lets a search bypass SPL safeguards for risky commands. The vulnerability requires a higher privileged user to initiate a request within...
SVD-2023-0211: Improperly Formatted ‘INGEST_EVAL’ Parameter Crashes Splunk Daemon
In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, an improperly-formatted ‘INGEST_EVAL’ parameter in a Field Transformation crashes the Splunk daemon (splunkd).
SVD-2023-0212: Cross-Site Request Forgery in the ‘ssg/kvstore_client’ REST Endpoint in Splunk Enterprise
In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, a cross-site request forgery in the Splunk Secure Gateway (SSG) app in the ‘kvstore_client’ REST endpoint lets a potential attacker update SSG KV store collections using an HTTP...