Splunk Remote Code Execution Vulnerability Due to Improper Temporary File Handling
Vulnerability
A remote code execution vulnerability has been identified in Splunk Enterprise versions prior to 10.2.1, 10.0.5, 9.4.10, and 9.3.11, as well as in Splunk Cloud Platform versions prior to 10.4.2603.0, 10.3.2512.5, 10.2.2510.9, 10.1.2507.19, 10.0.2503.13, and 9.3.2411.127. The vulnerability allows low-privileged users, who do not have 'admin' or 'power' roles, to execute remote code by uploading a malicious file to the 'apptemp' directory. This issue arises from improper management and inadequate isolation of temporary files within that directory.
Impact
Exploitation of this vulnerability allows for remote code execution on the affected system.
Remediation
Users of Splunk Enterprise should upgrade to versions 10.2.1, 10.0.5, 9.4.10, or 9.3.11. For Splunk Cloud Platform users, Splunk is actively monitoring and patching instances. Additionally, turning off Splunk Web can mitigate the vulnerability.
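As an added example, not part of the advisory or any Splunk tooling, the script below triages a constructed host inventory against the fixed releases listed above: a version is flagged as affected when it is below the fix for its own maintenance line (major.minor), and any line the advisory does not enumerate is returned as unknown so it is verified rather than assumed safe.

```python
"""Added example (not from the advisory): triage Splunk versions against the
fixed releases the advisory lists."""

# Fixed releases named in the advisory, one per maintenance line (major.minor).
ENTERPRISE_FIXED = ("10.2.1", "10.0.5", "9.4.10", "9.3.11")
CLOUD_FIXED = ("10.4.2603.0", "10.3.2512.5", "10.2.2510.9",
               "10.1.2507.19", "10.0.2503.13", "9.3.2411.127")


def parse_version(version):
    """'9.4.10' -> (9, 4, 10); tuple comparison orders releases correctly."""
    return tuple(int(part) for part in version.strip().split("."))


def is_affected(version, product="enterprise"):
    """True if version is below the fix for its maintenance line, False if it
    is at or above the fix, None if the line is not one the advisory lists
    (treat None as 'verify manually', never as 'safe')."""
    fixed_list = CLOUD_FIXED if product == "cloud" else ENTERPRISE_FIXED
    parsed = parse_version(version)
    for fixed in fixed_list:
        fixed_parsed = parse_version(fixed)
        if fixed_parsed[:2] == parsed[:2]:  # same major.minor line
            return parsed < fixed_parsed
    return None


def triage(inventory):
    """Sort (host, product, version) records into affected / fixed / unknown."""
    result = {"affected": [], "fixed": [], "unknown": []}
    for host, product, version in inventory:
        verdict = is_affected(version, product)
        bucket = "unknown" if verdict is None else ("affected" if verdict else "fixed")
        result[bucket].append(host)
    return result


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("sh-01", "enterprise", "9.4.9"),
    ("sh-02", "enterprise", "10.2.1"),
    ("idx-01", "enterprise", "9.2.4"),
    ("cloud-stack", "cloud", "10.2.2510.8"),
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```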
