Lucene search
This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.SPLUNK_904_CVE-2023-22940.NASLHistoryFeb 16, 2023 - 12:00 a.m.
Splunk Enterprise 8.1 < 8.1.13, 8.2.0 < 8.2.10, 9.0.0 < 9.0.4 (SVD-2023-0210)
2023-02-1600:00:00
This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
11
splunk enterprise
vulnerability
svd-2023-0210
collect command
unauthorized access
cve-2023-22940
splunk web
0.001 Low
EPSS
Percentile
26.8%
The version of Splunk installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the SVD-2023-0210 advisory.
- In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, aliases of the collectβ search processing language (SPL) command, including summaryindexβ, sumindexβ, stashβ,β mcollectβ, and meventcollectβ, were not designated as safeguarded commands. The commands could potentially allow for the exposing of data to a summary index that unprivileged users could access. The vulnerability requires a higher privileged user to initiate a request within their browser, and only affects instances with Splunk Web enabled.
(CVE-2023-22940)
Note that Nessus has not tested for this issue but has instead relied only on the applicationβs self-reported version number.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
include('compat.inc');
if (description)
{
script_id(171564);
script_version("1.3");
script_set_attribute(attribute:"plugin_modification_date", value:"2023/06/08");
script_cve_id("CVE-2023-22940");
script_xref(name:"IAVA", value:"2023-A-0101-S");
script_name(english:"Splunk Enterprise 8.1 < 8.1.13, 8.2.0 < 8.2.10, 9.0.0 < 9.0.4 (SVD-2023-0210)");
script_set_attribute(attribute:"synopsis", value:
"An application running on a remote web server host is affected by a vulnerability");
script_set_attribute(attribute:"description", value:
"The version of Splunk installed on the remote host is prior to tested version. It is, therefore, affected by a
vulnerability as referenced in the SVD-2023-0210 advisory.
- In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, aliases of the collect' search processing
language (SPL) command, including summaryindex', sumindex', stash',' mcollect', and meventcollect',
were not designated as safeguarded commands. The commands could potentially allow for the exposing of data
to a summary index that unprivileged users could access. The vulnerability requires a higher privileged
user to initiate a request within their browser, and only affects instances with Splunk Web enabled.
(CVE-2023-22940)
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
# https://www.splunk.com/en_us/product-security/announcements/SVD-2023-0210.html
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?c10e1fa4");
script_set_attribute(attribute:"solution", value:
"For Splunk Enterprise, upgrade versions to 8.1.13, 8.2.10, 9.0.4, or higher.
For Splunk Cloud Platform, Splunk is actively patching and monitoring the Splunk Cloud instances.");
script_set_attribute(attribute:"agent", value:"all");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:N/A:N");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-22940");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_cwe_id(20);
script_set_attribute(attribute:"vuln_publication_date", value:"2023/02/14");
script_set_attribute(attribute:"patch_publication_date", value:"2023/02/14");
script_set_attribute(attribute:"plugin_publication_date", value:"2023/02/16");
script_set_attribute(attribute:"potential_vulnerability", value:"true");
script_set_attribute(attribute:"plugin_type", value:"combined");
script_set_attribute(attribute:"cpe", value:"cpe:/a:splunk:splunk");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_set_attribute(attribute:"stig_severity", value:"I");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("splunkd_detect.nasl", "splunk_web_detect.nasl", "macos_splunk_installed.nbin", "splunk_win_installed.nbin", "splunk_nix_installed.nbin");
script_require_keys("installed_sw/Splunk", "Settings/ParanoidReport");
exit(0);
}
include('vcf.inc');
include('vcf_extras_splunk.inc');
if (report_paranoia < 2) audit(AUDIT_PARANOID);
var app_info = vcf::splunk::get_app_info();
var constraints = [
{ 'min_version' : '8.1', 'fixed_version' : '8.1.13', 'license' : 'Enterprise' },
{ 'min_version' : '8.2.0', 'fixed_version' : '8.2.10', 'license' : 'Enterprise' },
{ 'min_version' : '9.0.0', 'fixed_version' : '9.0.4', 'license' : 'Enterprise' }
];
vcf::splunk::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);
Related
cvelist
cvelist
prion
prion
Design/Logic Flaw
2023-02-14 18:15:00
nvd
nvd
CVE-2023-22940
2023-02-14 18:15:12
cve
cve
CVE-2023-22940
2023-02-14 18:15:12