Unauthenticated Log Injection in Splunk Enterprise
CVE-2023-32712
8.6 HIGH
Key Information:
- Vendor: Splunk
- CVE Published: 1 June 2023
What is CVE-2023-32712?
In certain versions of Splunk Enterprise and Universal Forwarder, an attacker can inject ANSI escape codes into log files. If those logs are then read in a vulnerable terminal application, this may lead to code execution. Exploitation requires user interaction, since a user must read the manipulated log file locally, and the outcome may vary with the permissions set in the terminal application. More recent version configurations mitigate this risk, but users should still assess their system settings and log handling practices to prevent possible unauthorized access.
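One log-handling check that follows from the description above, as an added example (not Splunk's code): scan log content for characters a terminal would interpret and render them as visible text before anyone reads the file in a terminal. The function names and the sample log lines are constructed for this illustration and do not reproduce Splunk's actual log format.

```python
import re

# Characters a terminal may interpret rather than print: C0 controls except
# TAB, DEL, and the C1 range (U+0080-U+009F, which includes 8-bit CSI/OSC).
CONTROL = re.compile(r"[\x00-\x08\x0a-\x1f\x7f\x80-\x9f]")

def neutralize(line: str) -> str:
    """Replace each control character with a printable \\xNN marker."""
    return CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), line)

def scan(raw: bytes):
    """Return (line_number, control_char_count, safe_text) for suspicious lines."""
    findings = []
    for number, chunk in enumerate(raw.split(b"\n"), start=1):
        # A trailing CR is a normal CRLF line ending; a CR inside the line
        # is still flagged because it can overwrite displayed text.
        text = chunk.rstrip(b"\r").decode("utf-8", errors="replace")
        hits = CONTROL.findall(text)
        if hits:
            findings.append((number, len(hits), neutralize(text)))
    return findings

# Constructed sample: line 2 carries CSI colour sequences and an OSC
# window-title sequence inside a field that came from a request.
SAMPLE = (
    b"06-01-2023 10:00:01 INFO  request path=/en-US/app/search\n"
    b"06-01-2023 10:00:02 WARN  request path=/\x1b[31mred\x1b[0m\x1b]0;title\x07\n"
    b"06-01-2023 10:00:03 INFO  user=caf\xc3\xa9 status=200\n"
)

if __name__ == "__main__":
    for number, count, safe in scan(SAMPLE):
        print(f"line {number}: {count} control chars: {safe}")
```

Reading the neutralized text rather than the raw file keeps the terminal from acting on the sequences, and a non-empty result from `scan` is itself a signal worth alerting on.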
Affected Version(s)
Splunk Enterprise 8.2 < 8.2.11.2
Splunk Enterprise 9.0 < 9.0.5.1
Splunk Enterprise 9.1 < 9.1.0.2