

June 5, 2023
Severity
Medium
Analysis Summary
CVE-2023-32706 CVSS:7.7
Splunk Enterprise is vulnerable to an XML external entity injection (XXE) attack when processing XML data, caused by a weakly configured XML parser in the SAML authentication mechanism. By using specially crafted XML content, a remote authenticated attacker could exploit this vulnerability to cause a denial of service, or achieve other system impacts.
CVE-2023-32707 CVSS:8.8
Splunk Enterprise and Splunk Cloud Platform could allow a remote authenticated attacker to gain elevated privileges on the system, caused by an unspecified flaw. By sending a specially crafted request, an attacker could exploit this vulnerability to gain elevated privileges.
CVE-2023-32708 CVSS:7.2
Splunk Enterprise and Splunk Cloud Platform are vulnerable to HTTP response splitting attacks, caused by the lack of filtering in the rest SPL command. A remote authenticated attacker could exploit this vulnerability to inject arbitrary HTTP headers and cause the server to return a split response. This would allow the attacker to perform further attacks, such as Web cache poisoning or cross-site scripting, and possibly obtain sensitive information.
CVE-2023-32709 CVSS:4.3
Splunk Enterprise and Splunk Cloud Platform could allow a remote authenticated attacker to obtain sensitive information, caused by improper authorization in the conf-user-seed REST endpoint. By sending a specially crafted rest SPL command, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CVE-2023-32710 CVSS:4.8
Splunk Enterprise and Splunk Cloud Platform could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw in the copyresults command. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CVE-2023-32711 CVSS:5.4
Splunk Enterprise is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the Bootstrap web framework. A remote authenticated attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVE-2023-32712 CVSS:3.4
Splunk Enterprise could allow a remote attacker over SSH to bypass security restrictions, caused by a log file poisoning vulnerability. By persuading a victim to open a specially crafted URL, an attacker could exploit this vulnerability to poison the log files on the system.
CVE-2023-32713 CVSS:7.8
Splunk App for Stream could allow a local authenticated attacker to gain elevated privileges on the system, caused by a flaw in the streamfwd process. By sending a specially crafted request, an attacker could exploit this vulnerability to gain root level privileges.
CVE-2023-32714 CVSS:8.1
Splunk App for Lookup File Editing could allow a remote authenticated attacker to traverse directories on the system, caused by improper validation of user requests. An attacker could send a specially crafted URL request containing "dot dot" sequences (../..//) to read and write to restricted areas of the Splunk installation directory.
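The following is an added example, not code from Splunk or the app, showing why the ../..// sequence cited above defeats a substring-stripping filter and how a containment check on the resolved path handles it. The lookups directory is an assumed path used only for illustration.

```python
import os
from typing import Optional

# Assumed location of the lookup files served by a lookup-editing handler.
LOOKUP_ROOT = "/opt/splunk/etc/apps/lookup_editor/lookups"


def naive_path(name: str) -> str:
    """Weak 'before' pattern: strip every '../' and join with the root.

    For '../..//secrets.csv' both '../' occurrences are removed, leaving
    '/secrets.csv'. Because that remainder is absolute, os.path.join
    discards the root entirely and the result lies outside LOOKUP_ROOT.
    """
    stripped = name.replace("../", "")
    return os.path.normpath(os.path.join(LOOKUP_ROOT, stripped))


def safe_path(name: str) -> Optional[str]:
    """Resolve the candidate and accept it only if it stays under the root.

    realpath collapses '..' and '//' and follows symlinks, so the check is
    made on the path that would actually be opened, not on the raw string.
    Returns None for anything that resolves to the root itself or outside it.
    """
    root = os.path.realpath(LOOKUP_ROOT)
    candidate = os.path.realpath(os.path.join(root, name))
    if candidate == root or os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed inputs: the traversal sequence from the advisory and a
    # legitimate lookup file name.
    for user_input in ("../..//secrets.csv", "hosts.csv"):
        print(user_input, "->", naive_path(user_input), "|", safe_path(user_input))
```

A request-level filter that only checks for the literal string "../" is not a substitute for this check, since equivalent encodings and mixed separators reach the file API in a different shape than the one the filter saw.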
CVE-2023-32715 CVSS:4.7
Splunk App for Lookup File Editing is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVE-2023-32716 CVSS:6.5
Splunk Enterprise and Splunk Cloud Platform are vulnerable to a denial of service, caused by a flaw in the dump SPL command. By sending a specially crafted request, a remote authenticated attacker could exploit this vulnerability to cause a denial of service.
CVE-2023-32717 CVSS:4.3
Splunk Enterprise and Splunk Cloud Platform could allow a remote authenticated attacker to bypass security restrictions, caused by improper access control in the /services/indexing/preview REST endpoint. By sending a specially crafted request, an attacker could exploit this vulnerability to bypass authorization and overwrite search results.
Impact
- Privilege Escalation
- Denial of Service
- Security Bypass
- Information Disclosure
- Gain Access
- Cross-Site Scripting
Indicators Of Compromise
CVE
- CVE-2023-33010
- CVE-2023-33009
Affected Vendors
Splunk
Affected Products
- Splunk Enterprise 9.0.4
- Splunk Enterprise 8.2.10
- Splunk Enterprise 8.1.13
- Splunk Cloud Platform 9.0.2303
- Splunk App for Stream 8.1.0
- Splunk App for Lookup File Editing 4.0.0
Remediation
Refer to Splunk Advisory for patch, upgrade or suggested workaround information.