CVE-2023-46214

8.0 HIGH

📋 TL;DR

This vulnerability allows remote code execution on Splunk Enterprise instances by uploading malicious XSLT files. Attackers can execute arbitrary code on the server, potentially compromising the entire Splunk deployment. Affected are Splunk Enterprise versions below 9.0.7 (9.0.x branch) and below 9.1.2 (9.1.x branch).

💻 Affected Systems

Products:
  • Splunk Enterprise
Versions: below 9.0.7 (9.0.x branch) and below 9.1.2 (9.1.x branch)
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments with XSLT upload functionality enabled are vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the Splunk instance leading to data exfiltration, lateral movement within the network, and persistent backdoor installation.

🟠 Likely Case

Unauthorized access to sensitive log data, credential theft, and potential ransomware deployment.

🟢 If Mitigated

Limited impact with proper network segmentation and access controls, potentially only affecting the Splunk application itself.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires authenticated access to upload XSLT files.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 9.0.7 or 9.1.2

Vendor Advisory: https://advisory.splunk.com/advisories/SVD-2023-1104

Restart Required: Yes

Instructions:

1. Back up Splunk configuration and data.
2. Download and install Splunk Enterprise version 9.0.7 or 9.1.2 from Splunk downloads.
3. Restart Splunk services.
4. Verify the version update.

🔧 Temporary Workarounds

Disable XSLT upload functionality

Platforms: all

Restrict or disable the ability to upload XSLT files through Splunk configuration.

  • Modify inputs.conf to restrict file uploads
  • Configure web.conf to disable XSLT processing

Network segmentation and access controls

Platforms: all

Restrict network access to Splunk management interfaces and implement strict authentication controls.

  • Configure firewall rules to limit Splunk web interface access
  • Implement multi-factor authentication

🧯 If You Can't Patch

  • Implement strict access controls and network segmentation to limit exposure
  • Monitor for suspicious XSLT file uploads and unusual process execution

🔍 How to Verify

Check if Vulnerable:

Check the Splunk version via the web interface or the command line. If the version is below 9.0.7 (9.0.x branch) or below 9.1.2 (9.1.x branch), the system is vulnerable.

Check Version:

$SPLUNK_HOME/bin/splunk version

Verify Fix Applied:

Confirm Splunk version is 9.0.7 or higher (for 9.0.x branch) or 9.1.2 or higher (for 9.1.x branch).
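To make the version check above repeatable across many hosts, here is an added example (not from this advisory or from Splunk) that parses `splunk version` output and applies the branch-aware rule stated above. The "Splunk X.Y.Z (build ...)" output layout, the default `/opt/splunk` install path, and treating 9.2 and later as unaffected are assumptions.

```python
import re
import subprocess

# Fixed versions per branch, as stated in the advisory: 9.0.x -> 9.0.7, 9.1.x -> 9.1.2.
FIXED_BY_BRANCH = {(9, 0): (9, 0, 7), (9, 1): (9, 1, 2)}

# Constructed sample of `splunk version` output; the layout is an assumption and
# the build id is a placeholder, not a real Splunk build.
SAMPLE_OUTPUT = "Splunk 9.0.5 (build 0000000000)\n"


def parse_version(output: str) -> tuple:
    """Extract (major, minor, patch) from `splunk version` output."""
    m = re.search(r"\bSplunk\s+(\d+)\.(\d+)\.(\d+)", output)
    if not m:
        raise ValueError(f"could not find a Splunk version in: {output!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version: tuple) -> bool:
    """Apply the branch-aware rule: 9.0.x below 9.0.7 and 9.1.x below 9.1.2 are affected."""
    major, minor, _ = version
    branch = (major, minor)
    if branch in FIXED_BY_BRANCH:
        return version < FIXED_BY_BRANCH[branch]
    # Anything older than the 9.0 branch is below 9.0.7 and therefore affected.
    if branch < (9, 0):
        return True
    # 9.2 and later post-date the fix; treated as not affected (assumption, not stated on the page).
    return False


def check_installed(splunk_home: str = "/opt/splunk") -> bool:
    """Run the real `splunk version` command on this host and evaluate it."""
    out = subprocess.run(
        [f"{splunk_home}/bin/splunk", "version"],
        capture_output=True, text=True, check=True,
    ).stdout
    return is_vulnerable(parse_version(out))


if __name__ == "__main__":
    v = parse_version(SAMPLE_OUTPUT)
    state = "VULNERABLE" if is_vulnerable(v) else "fixed"
    print(".".join(map(str, v)), state)  # prints "9.0.5 VULNERABLE" for the constructed sample
```

Call `check_installed()` on a host (with the correct `$SPLUNK_HOME`) instead of the constructed sample to test a live install.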

📡 Detection & Monitoring

Log Indicators:

  • Unusual XSLT file uploads
  • Suspicious process execution from Splunk user context
  • Authentication anomalies

Network Indicators:

  • Unexpected outbound connections from Splunk server
  • Unusual traffic patterns to/from Splunk management interfaces

SIEM Query:

index=* sourcetype=splunkd (XSLT OR xslt) AND upload
