Splunk Inc. AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Splunk Inc. AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N

S-Unclear if Scope change occurs

In Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, an attacker can use a specially crafted web URL in their browser to cause log file poisoning. The attack requires the attacker to have secure shell (SSH) access to the instance and use a terminal program that supports a certain feature set to execute the attack successfully.

In Splunk Enterprise versions below 9.1.0.2, 9.0.5.1, and 8.2.11.2, a malicious actor can inject American National Standards Institute (ANSI) escape codes into Splunk log files that, when a vulnerable terminal application reads them, can potentially result in possible code execution in the vulnerable application. This attack requires a user to use a terminal application that supports the translation of ANSI escape codes, to read the malicious log file locally in the vulnerable terminal, and to perform additional user interaction to exploit.  The vulnerability does not affect Splunk Cloud Platform instances. The vulnerability does not directly affect Splunk Enterprise. The indirect impact on the Splunk Enterprise instance can vary significantly depending on the permissions in the vulnerable terminal application and where and how the user reads the malicious log file. For example, users can copy the malicious file from the Splunk Enterprise instance and read it on their local machine.

https://research.splunk.com/application/de3908dc-1298-446d-84b9-fa81d37e959b [No Types Assigned]