Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2023.6852
Cross-site Scripting (XSS) on Show Syntax Highlighted View in Search Page
20 November 2023
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Splunk Enterprise
Publisher: Splunk
Operating System: UNIX variants (UNIX, Linux, OSX)
Windows
Resolution: Patch/Upgrade
CVE Names: CVE-2023-46213
Original Bulletin:
https://advisory.splunk.com//advisories/SVD-2023-1103
Comment: CVSS (Max): 4.8 CVE-2023-46213 (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N)
CVSS Source: Splunk Inc.
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
- --------------------------BEGIN INCLUDED TEXT--------------------
Cross-site Scripting (XSS) on Show Syntax Highlighted View in Search Page
Advisory ID: SVD-2023-1103
CVE ID: CVE-2023-46213
Published: 2023-11-16
Last Update: 2023-11-16
CVSSv3.1 Score: 4.8, Medium
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79
Bug ID: VULN-5768
Description
In Splunk Enterprise versions below 9.0.7 and 9.1.2, the "Show syntax
highlighted" feature of the Search page does not effectively escape log file
characters.
This vulnerability lets an attacker craft a log file which can execute
unauthorized Javascript code in the browser of a user that interacts with
events in the malicious log file in a specific way.
Solution
Upgrade Splunk Enterprise to versions 9.0.7 or 9.1.2.
Splunk is actively monitoring and patching Splunk Cloud Platform instances.
Product Status
Product Version Component Affected Version Fix Version
Splunk Enterprise 9.0 Splunk Web 9.0.0 to 9.0.6 9.0.7
Splunk Enterprise 9.1 Splunk Web 9.1.0 to 9.1.1 9.1.2
Splunk Cloud - Splunk Web Versions below 9.1.2308 9.1.2308
Mitigations and Workarounds
If users do not log in to Splunk Web on indexers in a distributed environment,
disable Splunk Web on those indexers. See Disable unnecessary Splunk Enterprise
components and the web.conf configuration specification file in the Splunk
documentation for more information on disabling Splunk Web.
Do not use the "Show syntax highlighted" feature in the Search page on imported
log files whose origins you are not familiar with.
Detections
None
Severity
Splunk rates this vulnerability a 4.8, Medium, with a CVSSv3.1 vector of
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
If the Splunk Enterprise instance does not run Splunk Web, it is not affected
and this vulnerability can be considered Informational.
Acknowledgments
Joshua Neubecker
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
iQIVAwUBZVqyzckNZI30y1K9AQg8bw/9HO4KUySyceAGq0U2/SvWz7fhBopGuqhQ
Mc+CtC/vwnjimJj61sQOLUKnX1skv9+OiWiffjZbBcBUqrO/zwA1Ues7uhQ6Df0j
TVe17VbXQqWXY8wKc+2RMj1SKLpAngxdo45+whVVq2JROG3EzfXJwyMMQJ7iPrQT
R5SiUKbrM/TradDsHtxvXksdDUHOKRbNbkgyhJPIkdz4/tnoUfuqb3GnohFJklnT
/1uArEoynevodLNEsZ7x9D8rFECstELZGIf9qw56xvpxWuZ74ydGLigZN4o1A13A
Y16naqdYOqalGGUDtA0HILUi/fNJHbwec9niSSYsJOTRYxiUZVC+szuNRzs9e6KY
V70QZy2/r8DiBpsXfJIbNMkbeLwZ6WQ3MA0cmT39sT4gH5TX5P8GL0dFrAZAi9Vd
4+p92Muug8KasMHMO80tpqUh/Bm0zYoiwzJifJinYNX+yizMO5j3QAitbN9yk6w7
DGFgeO9GkZ7nKfltt7faRLxk++9JSGXAKohIWE5hwOUarZGt3gRFqNkF04iUjs0j
ggKpWC/NXeswCRSpfm4fKtJtsiuDyek8MCJaxfkdki0+pAzU8JtsITY/q1TF5QlJ
wIRTM+fErY4mnHHYbxSl5Bu6QSoXKLnFQHRXomEpFHHgvy38suLChrmZ5Q3Rs7Kt
ene1oNt0jEc=
=BatA
-----END PGP SIGNATURE-----