Lucene search
This script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.SPLUNK_912_CVE-2023-46214.NASLHistoryNov 16, 2023 - 12:00 a.m.
Splunk Enterprise 9.0.0 < 9.0.7, 9.1.0 < 9.1.2 (SVD-2023-1104)
2023-11-1600:00:00
This script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
23
splunk
enterprise
vulnerability
authenticated
xslt
upload
rce
security advisory
CVSS3
8.8
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
AI Score
9
Confidence
High
EPSS
0.314
Percentile
97.1%
The version of Splunk installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the SVD-2023-1104 advisory.
- In Splunk Enterprise versions below 9.0.7 and 9.1.2, Splunk Enterprise does not safely sanitize extensible stylesheet language transformations (XSLT) that users supply. This means that an attacker can upload malicious XSLT which can result in remote code execution on the Splunk Enterprise instance.
(CVE-2023-46214)
Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
include('compat.inc');
if (description)
{
script_id(185903);
script_version("1.8");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/04/26");
script_cve_id("CVE-2023-46214");
script_xref(name:"IAVA", value:"2023-A-0647-S");
script_name(english:"Splunk Enterprise 9.0.0 < 9.0.7, 9.1.0 < 9.1.2 (SVD-2023-1104)");
script_set_attribute(attribute:"synopsis", value:
"An application running on a remote web server host is affected by a vulnerability");
script_set_attribute(attribute:"description", value:
"The version of Splunk installed on the remote host is prior to tested version. It is, therefore, affected by a
vulnerability as referenced in the SVD-2023-1104 advisory.
- In Splunk Enterprise versions below 9.0.7 and 9.1.2, Splunk Enterprise does not safely sanitize extensible
stylesheet language transformations (XSLT) that users supply. This means that an attacker can upload
malicious XSLT which can result in remote code execution on the Splunk Enterprise instance.
(CVE-2023-46214)
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://advisory.splunk.com/advisories/SVD-2023-1104.html");
script_set_attribute(attribute:"solution", value:
"Upgrade Splunk Enterprise to either 9.0.7 or 9.1.2. Splunk is actively monitoring and patching Splunk Cloud Platform
instances.");
script_set_attribute(attribute:"agent", value:"all");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-46214");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"metasploit_name", value:'Splunk Authenticated XSLT Upload RCE');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_cwe_id(91);
script_set_attribute(attribute:"vuln_publication_date", value:"2023/11/16");
script_set_attribute(attribute:"patch_publication_date", value:"2023/11/16");
script_set_attribute(attribute:"plugin_publication_date", value:"2023/11/16");
script_set_attribute(attribute:"potential_vulnerability", value:"true");
script_set_attribute(attribute:"plugin_type", value:"combined");
script_set_attribute(attribute:"cpe", value:"cpe:/a:splunk:splunk");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_set_attribute(attribute:"stig_severity", value:"I");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("splunkd_detect.nasl", "splunk_web_detect.nasl", "macos_splunk_installed.nbin", "splunk_win_installed.nbin", "splunk_nix_installed.nbin");
script_require_keys("installed_sw/Splunk", "Settings/ParanoidReport");
exit(0);
}
include('vcf.inc');
include('vcf_extras_splunk.inc');
if (report_paranoia < 2) audit(AUDIT_PARANOID);
var app_info = vcf::splunk::get_app_info();
var constraints = [
{ 'min_version' : '9.0.0', 'fixed_version' : '9.0.7', 'license' : 'Enterprise' },
{ 'min_version' : '9.1.0', 'fixed_version' : '9.1.2', 'license' : 'Enterprise' }
];
vcf::splunk::check_version_and_report(
app_info:app_info,
constraints:constraints,
severity:SECURITY_HOLE
);
Related
packetstorm
packetstorm
Splunk XSLT Upload Remote Code Execution
2023-12-12 00:00:00
cvelist
cvelist
cve
cve
CVE-2023-46214
2023-11-16 21:15:08
nvd
nvd
CVE-2023-46214
2023-11-16 21:15:08
rapid7blog
rapid7blog
Metasploit Weekly Wrap-Up: Dec. 15, 2023
2023-12-15 21:04:18
Metasploit 2023 Annual Wrap-Up: Dec. 29, 2023
2023-12-29 19:38:15
metasploit
metasploit
Splunk Authenticated XSLT Upload RCE
2023-11-28 14:40:05
prion
prion
Remote code execution
2023-11-16 21:15:00
vulnrichment
vulnrichment
zdt
zdt
Splunk XSLT Upload Remote Code Execution Exploit
2023-12-12 00:00:00
CVSS3
8.8
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
AI Score
9
Confidence
High
EPSS
0.314
Percentile
97.1%
Related for SPLUNK_912_CVE-2023-46214.NASL