Lucene search
This script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.SPLUNK_912_CVE-2023-46214.NASLHistoryNov 16, 2023 - 12:00 a.m.
Splunk Enterprise 9.0.0 < 9.0.7, 9.1.0 < 9.1.2 (SVD-2023-1104)
2023-11-1600:00:00
This script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
13
splunk
enterprise
vulnerability
authenticated
xslt
upload
rce
security advisory
9 High
AI Score
Confidence
High
The version of Splunk installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the SVD-2023-1104 advisory.
- In Splunk Enterprise versions below 9.0.7 and 9.1.2, Splunk Enterprise does not safely sanitize extensible stylesheet language transformations (XSLT) that users supply. This means that an attacker can upload malicious XSLT which can result in remote code execution on the Splunk Enterprise instance.
(CVE-2023-46214)
Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
include('compat.inc');
if (description)
{
script_id(185903);
script_version("1.8");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/04/26");
script_cve_id("CVE-2023-46214");
script_xref(name:"IAVA", value:"2023-A-0647-S");
script_name(english:"Splunk Enterprise 9.0.0 < 9.0.7, 9.1.0 < 9.1.2 (SVD-2023-1104)");
script_set_attribute(attribute:"synopsis", value:
"An application running on a remote web server host is affected by a vulnerability");
script_set_attribute(attribute:"description", value:
"The version of Splunk installed on the remote host is prior to tested version. It is, therefore, affected by a
vulnerability as referenced in the SVD-2023-1104 advisory.
- In Splunk Enterprise versions below 9.0.7 and 9.1.2, Splunk Enterprise does not safely sanitize extensible
stylesheet language transformations (XSLT) that users supply. This means that an attacker can upload
malicious XSLT which can result in remote code execution on the Splunk Enterprise instance.
(CVE-2023-46214)
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://advisory.splunk.com/advisories/SVD-2023-1104.html");
script_set_attribute(attribute:"solution", value:
"Upgrade Splunk Enterprise to either 9.0.7 or 9.1.2. Splunk is actively monitoring and patching Splunk Cloud Platform
instances.");
script_set_attribute(attribute:"agent", value:"all");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-46214");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"metasploit_name", value:'Splunk Authenticated XSLT Upload RCE');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_cwe_id(91);
script_set_attribute(attribute:"vuln_publication_date", value:"2023/11/16");
script_set_attribute(attribute:"patch_publication_date", value:"2023/11/16");
script_set_attribute(attribute:"plugin_publication_date", value:"2023/11/16");
script_set_attribute(attribute:"potential_vulnerability", value:"true");
script_set_attribute(attribute:"plugin_type", value:"combined");
script_set_attribute(attribute:"cpe", value:"cpe:/a:splunk:splunk");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_set_attribute(attribute:"stig_severity", value:"I");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("splunkd_detect.nasl", "splunk_web_detect.nasl", "macos_splunk_installed.nbin", "splunk_win_installed.nbin", "splunk_nix_installed.nbin");
script_require_keys("installed_sw/Splunk", "Settings/ParanoidReport");
exit(0);
}
include('vcf.inc');
include('vcf_extras_splunk.inc');
if (report_paranoia < 2) audit(AUDIT_PARANOID);
var app_info = vcf::splunk::get_app_info();
var constraints = [
{ 'min_version' : '9.0.0', 'fixed_version' : '9.0.7', 'license' : 'Enterprise' },
{ 'min_version' : '9.1.0', 'fixed_version' : '9.1.2', 'license' : 'Enterprise' }
];
vcf::splunk::check_version_and_report(
app_info:app_info,
constraints:constraints,
severity:SECURITY_HOLE
);
Related
prion
prion
Remote code execution
2023-11-16 21:15:00
rapid7blog
rapid7blog
Metasploit Weekly Wrap-Up: Dec. 15, 2023
2023-12-15 21:04:18
Metasploit 2023 Annual Wrap-Up: Dec. 29, 2023
2023-12-29 19:38:15
metasploit
metasploit
Splunk Authenticated XSLT Upload RCE
2023-11-28 14:40:05
zdt
zdt
Splunk XSLT Upload Remote Code Execution Exploit
2023-12-12 00:00:00
cve
cve
CVE-2023-46214
2023-11-16 21:15:08
cvelist
cvelist
packetstorm
packetstorm
Splunk XSLT Upload Remote Code Execution
2023-12-12 00:00:00