
Splunk Enterprise is a log management solution that ingests a variety of data generated by an organization’s business infrastructure and applications and uses it to generate insights for improving the organization’s security and compliance, application delivery, and IT operations.
The vulnerability, tracked as CVE-2023-46214, stems from Splunk Enterprise’s failure to safely sanitize user-supplied Extensible Stylesheet Language Transformations (XSLT). This allows an attacker to upload a malicious XSLT, which can result in remote code execution on the Splunk Enterprise instance.
According to the advisory, CVE-2023-46214 affects Splunk Enterprise versions 9.0.0 to 9.0.6 and 9.1.0 to 9.1.1. IT security expert and SANS ISC handler Bojan Zdrnja says that it also impacts Splunk v8.x, which is no longer supported.
A vulnerability researcher has published a detailed analysis of CVE-2023-46214 and has consolidated the steps required for exploitation into a Python script. If specific prerequisites are met, the script should open a remote command prompt. The attack can be performed remotely, but it requires prior authentication and some user interaction.
Admins are advised to upgrade their instances to version 9.0.7 or 9.1.2 or, if they cannot upgrade, to limit the ability of search job requests to accept Extensible Stylesheet Language (XSL) as valid input by modifying the web.conf configuration file.
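A small inventory check that maps a Splunk Enterprise version string (or the output of `splunk version`) onto the affected and fixed ranges named above is one way to triage a fleet before patching. This is an added example written for this article, not a Splunk-provided tool; the version ranges come from the advisory as quoted here, and the treatment of the 8.x line follows the report that it is affected and out of support.

```python
import re
from typing import Optional, Tuple

# Affected ranges and the first fixed release for each line, as stated in the
# advisory for CVE-2023-46214: (first affected, last affected, first fixed).
AFFECTED_RANGES = [
    ((9, 0, 0), (9, 0, 6), "9.0.7"),
    ((9, 1, 0), (9, 1, 1), "9.1.2"),
]

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract a (major, minor, patch) tuple from a bare version string or from
    the output of `splunk version`, e.g. 'Splunk 9.0.5 (build abc123)'."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def assess(text: str) -> dict:
    """Return the CVE-2023-46214 exposure for one Splunk Enterprise host."""
    v = parse_version(text)
    if v is None:
        return {"version": None, "vulnerable": None,
                "advice": "unrecognized version string; inspect the host manually"}
    ver = ".".join(map(str, v))
    if v[0] < 9:
        # Pre-9.0 lines are out of support; 8.x is reported affected and no
        # patched build exists there, so the only remediation is an upgrade.
        return {"version": ver, "vulnerable": True,
                "advice": "unsupported release line; upgrade to 9.0.7 or 9.1.2"}
    for low, high, fixed in AFFECTED_RANGES:
        if low <= v <= high:  # tuple comparison gives semantic version ordering
            return {"version": ver, "vulnerable": True,
                    "advice": f"upgrade to {fixed} (or restrict XSL input in web.conf)"}
    return {"version": ver, "vulnerable": False,
            "advice": "not in an affected range"}


if __name__ == "__main__":
    # Constructed sample inputs, not real hosts.
    for sample in ["Splunk 9.0.5 (build 123abc)", "9.1.2", "8.2.9", "9.0.7"]:
        print(sample, "->", assess(sample))
```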
The PoC is detailed at this link.