Multiple vulnerabilities in Splunk Enterprise and Light
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 4 |
| CVE-ID | CVE-2018-7429 CVE-2018-7432 CVE-2018-7431 CVE-2018-7427 |
| CWE-ID | CWE-20 CWE-22 CWE-79 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Splunk Enterprise Server applications / IDS/IPS systems, Firewalls and proxy servers Splunk Light Server applications / IDS/IPS systems, Firewalls and proxy servers |
| Vendor | Splunk Inc. |
Security Bulletin
This security bulletin contains information about 4 vulnerabilities.
1) Improper input validation
EUVDB-ID: #VU15454
Risk: Low
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-7429
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The vulnerability exists due to an error when processing HTTP requests by the Splunkd daemon. A remote attacker can send an HTTP request that submits malicious input and cause the service to crash.
MitigationUpdate Splunk Enterprise to 6.2.14, 6.3.11, 6.4.8.
Update Splunk Light to version 6.5.0.
Splunk Enterprise: 6.2.0 - 6.4.7
Splunk Light: 6.2.2 - 6.4.4
CPE2.3- cpe:2.3:a:splunk:splunk_enterprise:6.2.13:*:*:*:*:*:*:*
- cpe:2.3:a:splunk:splunk_enterprise:6.3.10:*:*:*:*:*:*:*
- cpe:2.3:a:splunk:splunk_enterprise:6.4.7:*:*:*:*:*:*:*
- cpe:2.3:a:splunk:splunk_light:6.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:splunk:splunk_light:6.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:splunk:splunk_light:6.2.4:*:*:*:*:*:*:*
https://www.splunk.com/view/SP-CAAAP5T
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Improper input validation
EUVDB-ID: #VU15455
Risk: Low
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-7432
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The vulnerability exists due to an error when processing HTTP requests by the Splunkd daemon. A remote attacker can send an HTTP request that submits malicious input and cause the service to crash.
MitigationUpdate Splunk Enterprise to 6.2.14, 6.3.10, 6.4.7, 6.5.3.
Update Splunk Light to version 6.6.0.
Splunk Enterprise: 6.2.0 - 6.5.2
Splunk Light: 6.2.2 - 6.5.3
CPE2.3- cpe:2.3:a:splunk:splunk_enterprise:6.2.13:*:*:*:*:*:*:*
- cpe:2.3:a:splunk:splunk_enterprise:6.3.9:*:*:*:*:*:*:*
- cpe:2.3:a:splunk:splunk_enterprise:6.4.6:*:*:*:*:*:*:*
- cpe:2.3:a:splunk:splunk_enterprise:6.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:splunk:splunk_light:6.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:splunk:splunk_light:6.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:splunk:splunk_light:6.2.4:*:*:*:*:*:*:*
https://www.splunk.com/view/SP-CAAAP5T
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Path traversal
EUVDB-ID: #VU15456
Risk: Low
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-7431
CWE-ID:
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to conduct a path traversal attack on the target system.
The vulnerability exists in the Django App component due to insufficient validation of user-supplied input. A remote attacker can send a specially crafted request that submits malicious directory traversal characters and download arbitrary files from the Django App component of the affected application, which could be used to conduct further attacks.
MitigationUpdate Splunk Enterprise to 6.0.14, 6.1.13, 6.2.14, 6.3.10, 6.4.6, 6.5.3.
Update Splunk Light to version 6.6.0.
Splunk Enterprise: 6.0.0 - 6.5.2
Splunk Light: 6.2.2 - 6.5.3
CPE2.3- cpe:2.3:a:splunk:splunk_enterprise:6.0.13:*:*:*:*:*:*:*
- cpe:2.3:a:splunk:splunk_enterprise:6.1.12:*:*:*:*:*:*:*
- cpe:2.3:a:splunk:splunk_enterprise:6.2.13:*:*:*:*:*:*:*
- cpe:2.3:a:splunk:splunk_enterprise:6.3.9:*:*:*:*:*:*:*
- cpe:2.3:a:splunk:splunk_enterprise:6.4.5:*:*:*:*:*:*:*
- cpe:2.3:a:splunk:splunk_enterprise:6.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:splunk:splunk_light:6.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:splunk:splunk_light:6.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:splunk:splunk_light:6.2.4:*:*:*:*:*:*:*
https://www.splunk.com/view/SP-CAAAP5T
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Cross-site scripting
EUVDB-ID: #VU15457
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-7427
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists in Splunk Web due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationUpdate Splunk Enterprise to 6.0.14, 6.1.13, 6.2.14, 6.3.10, 6.4.7, 6.5.3.
Update Splunk Light to version 6.6.0.
Splunk Enterprise: 6.0.0 - 6.5.2
Splunk Light: 6.2.2 - 6.5.3
CPE2.3- cpe:2.3:a:splunk:splunk_enterprise:6.0.13:*:*:*:*:*:*:*
- cpe:2.3:a:splunk:splunk_enterprise:6.1.12:*:*:*:*:*:*:*
- cpe:2.3:a:splunk:splunk_enterprise:6.2.13:*:*:*:*:*:*:*
- cpe:2.3:a:splunk:splunk_enterprise:6.3.9:*:*:*:*:*:*:*
- cpe:2.3:a:splunk:splunk_enterprise:6.4.6:*:*:*:*:*:*:*
- cpe:2.3:a:splunk:splunk_enterprise:6.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:splunk:splunk_light:6.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:splunk:splunk_light:6.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:splunk:splunk_light:6.2.4:*:*:*:*:*:*:*
https://www.splunk.com/view/SP-CAAAP5T
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
