
At the start of this month, Splunk fixed a path traversal vulnerability that affects Splunk Enterprise on Windows.
The vulnerability, tracked as CVE-2024-36991, is a path traversal vulnerability in Splunk Web that allows attackers to traverse the file system to access files or directories outside the restricted directory (/modules/messaging/).
The vulnerability exists because the Python os.path.join function removes the drive letter from a path token if the drive in the token matches the drive in the built path.
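The os.path.join behaviour described above can be reproduced on any OS with the standard-library ntpath module. This is an added example, not Splunk's code: the base directory, the segment lists and both function names are constructed, and naive_resolve is a hypothetical per-segment filter shown beside a containment check that runs after normalisation.

```python
import ntpath  # Windows path semantics, importable on any OS

# Constructed base directory for illustration, not Splunk's install path.
BASE = r"C:\app\modules\messaging"


def naive_resolve(segments):
    """Hypothetical weak pattern: reject literal dot segments, then join."""
    if any(s in ("..", ".") for s in segments):
        raise ValueError("traversal segment rejected")
    # join() drops a segment's drive letter when it matches BASE's drive,
    # so a drive-prefixed segment is appended as a plain relative token.
    return ntpath.join(BASE, *segments)


def safe_resolve(segments):
    """Reject drive or rooted segments, normalise, then enforce containment."""
    for s in segments:
        drive, tail = ntpath.splitdrive(s)
        if drive or tail.startswith(("\\", "/")):
            raise ValueError("drive or rooted segment rejected: %r" % s)
    base = ntpath.normpath(BASE)
    candidate = ntpath.normpath(ntpath.join(base, *segments))
    # The check runs on the normalised result, not on the raw tokens.
    if ntpath.commonpath([base, candidate]) != base:
        raise ValueError("path escapes base: %r" % candidate)
    return candidate


if __name__ == "__main__":
    tokens = ["C:..", "C:..", "secret.txt"]  # constructed input
    joined = naive_resolve(tokens)
    print("naive join :", joined)
    print("normalised :", ntpath.normpath(joined))
    try:
        safe_resolve(tokens)
    except ValueError as exc:
        print("safe_resolve:", exc)
```
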
The vulnerability can be exploited with a specially crafted GET request and allows an attacker to perform a directory listing on the Splunk endpoint. Successful exploitation does not require prior authentication.
The vulnerability affects Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10, but only on Windows, and only if the Splunk Web component is turned on.
Disabling Splunk Web also removes the risk of exploitation, though upgrading to a fixed version is preferred.
Link to the PoC Exploit code


Nice information