CVE-2023-22934 - Vulnerability Details - OpenCVE

In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the ‘pivot’ search processing language (SPL) command lets a search bypass SPL safeguards for risky commands using a saved search job. The vulnerability requires an authenticated user to craft the saved job and a higher privileged user to initiate a request within their browser.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Splunk	Splunk Splunk Cloud Platform

Configuration 1 [-]

OR	cpe:2.3:a:splunk:splunk:::::enterprise:::*
	cpe:2.3:a:splunk:splunk:::::enterprise:::*
	cpe:2.3:a:splunk:splunk:::::enterprise:::*
	cpe:2.3:a:splunk:splunk_cloud_platform::::::::

No data.

References

Link	Providers
https://advisory.splunk.com/advisories/SVD-2023-0204
https://research.splunk.com/application/ee69374a-d27e-4136-adac-956a96ff60fd

History

Tue, 15 Oct 2024 20:15:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:splunk:splunk:::::::: cpe:2.3:a:splunk:splunk_cloud_platform:-:::::::*
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: Splunk

Published: 2023-02-14T17:22:35.427Z

Updated: 2025-02-28T11:03:58.707Z

Reserved: 2023-01-10T21:39:55.583Z

Link: CVE-2023-22934

Vulnrichment

Updated: 2024-08-02T10:20:31.425Z

NVD

Status : Modified

Published: 2023-02-14T18:15:12.297

Modified: 2024-11-21T07:45:40.297

Link: CVE-2023-22934

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-22934", "assignerOrgId": "42b59230-ec95-491e-8425-5a5befa1a469", "state": "PUBLISHED", "assignerShortName": "Splunk", "dateReserved": "2023-01-10T21:39:55.583Z", "datePublished": "2023-02-14T17:22:35.427Z", "dateUpdated": "2025-02-28T11:03:58.707Z"}, "containers": {"cna": {"affected": [{"product": "Splunk Enterprise", "vendor": "Splunk", "versions": [{"version": "8.1", "status": "affected", "versionType": "custom", "lessThan": "8.1.13"}, {"version": "8.2", "status": "affected", "versionType": "custom", "lessThan": "8.2.10"}, {"version": "9.0", "status": "affected", "versionType": "custom", "lessThan": "9.0.4"}]}, {"product": "Splunk Cloud Platform", "vendor": "Splunk", "versions": [{"version": "-", "status": "affected", "versionType": "custom", "lessThan": "9.0.2209.3"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the \u2018pivot\u2019 search processing language (SPL) command lets a search bypass SPL safeguards for risky commands using a saved search job. The vulnerability requires an authenticated user to craft the saved job and a higher privileged user to initiate a request within their browser."}], "value": "In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the \u2018pivot\u2019 search processing language (SPL) command lets a search bypass SPL safeguards for risky commands using a saved search job. The vulnerability requires an authenticated user to craft the saved job and a higher privileged user to initiate a request within their browser."}], "references": [{"url": "https://advisory.splunk.com/advisories/SVD-2023-0204"}, {"url": "https://research.splunk.com/application/ee69374a-d27e-4136-adac-956a96ff60fd"}], "title": "SPL Command Safeguards Bypass via the \u2018pivot\u2019 SPL Command in Splunk Enterprise", "datePublic": "2023-02-14T00:00:00.000Z", "metrics": [{"cvssV3_1": {"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", "version": "3.1", "baseScore": 7.3, "baseSeverity": "HIGH"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "cwe", "description": "The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.", "cweId": "CWE-20"}]}], "source": {"advisory": "SVD-2023-0204"}, "credits": [{"lang": "en", "value": "Anton (therceman)"}], "providerMetadata": {"orgId": "42b59230-ec95-491e-8425-5a5befa1a469", "shortName": "Splunk", "dateUpdated": "2025-02-28T11:03:58.707Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-20", "lang": "en", "description": "CWE-20 Improper Input Validation"}]}], "affected": [{"vendor": "splunk", "product": "splunk", "cpes": ["cpe:2.3:a:splunk:splunk:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "8.1", "status": "affected", "lessThan": "8.1.13", "versionType": "semver"}, {"version": "8.2", "status": "affected", "lessThan": "8.2.10", "versionType": "semver"}, {"version": "9.0", "status": "affected", "lessThan": "9.0.4", "versionType": "semver"}]}, {"vendor": "splunk", "product": "splunk_cloud_platform", "cpes": ["cpe:2.3:a:splunk:splunk_cloud_platform:-:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "-", "status": "affected", "lessThan": "9.0.2209.3", "versionType": "semver"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-02-13T20:46:42.856991Z", "id": "CVE-2023-22934", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-18T18:36:23.394Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T10:20:31.425Z"}, "title": "CVE Program Container", "references": [{"url": "https://advisory.splunk.com/advisories/SVD-2023-0204", "tags": ["x_transferred"]}, {"url": "https://research.splunk.com/application/ee69374a-d27e-4136-adac-956a96ff60fd", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://advisory.splunk.com/advisories/SVD-2023-0204", "tags": ["x_transferred"]}, {"url": "https://research.splunk.com/application/ee69374a-d27e-4136-adac-956a96ff60fd", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T10:20:31.425Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-22934", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-02-13T20:46:42.856991Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:splunk:splunk:*:*:*:*:*:*:*:*"], "vendor": "splunk", "product": "splunk", "versions": [{"status": "affected", "version": "8.1", "lessThan": "8.1.13", "versionType": "semver"}, {"status": "affected", "version": "8.2", "lessThan": "8.2.10", "versionType": "semver"}, {"status": "affected", "version": "9.0", "lessThan": "9.0.4", "versionType": "semver"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:splunk:splunk_cloud_platform:-:*:*:*:*:*:*:*"], "vendor": "splunk", "product": "splunk_cloud_platform", "versions": [{"status": "affected", "version": "-", "lessThan": "9.0.2209.3", "versionType": "semver"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20 Improper Input Validation"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-20T19:21:03.648Z"}}], "cna": {"title": "SPL Command Safeguards Bypass via the \u2018pivot\u2019 SPL Command in Splunk Enterprise", "source": {"advisory": "SVD-2023-0204"}, "credits": [{"lang": "en", "value": "Anton (therceman)"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Splunk", "product": "Splunk Enterprise", "versions": [{"status": "affected", "version": "8.1", "lessThan": "8.1.13", "versionType": "custom"}, {"status": "affected", "version": "8.2", "lessThan": "8.2.10", "versionType": "custom"}, {"status": "affected", "version": "9.0", "lessThan": "9.0.4", "versionType": "custom"}]}, {"vendor": "Splunk", "product": "Splunk Cloud Platform", "versions": [{"status": "affected", "version": "-", "lessThan": "9.0.2209.3", "versionType": "custom"}]}], "datePublic": "2023-02-14T00:00:00.000Z", "references": [{"url": "https://advisory.splunk.com/advisories/SVD-2023-0204"}, {"url": "https://research.splunk.com/application/ee69374a-d27e-4136-adac-956a96ff60fd"}], "descriptions": [{"lang": "en", "value": "In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the \u2018pivot\u2019 search processing language (SPL) command lets a search bypass SPL safeguards for risky commands using a saved search job. The vulnerability requires an authenticated user to craft the saved job and a higher privileged user to initiate a request within their browser.", "supportingMedia": [{"type": "text/html", "value": "In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the \u2018pivot\u2019 search processing language (SPL) command lets a search bypass SPL safeguards for risky commands using a saved search job. The vulnerability requires an authenticated user to craft the saved job and a higher privileged user to initiate a request within their browser.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "cwe", "cweId": "CWE-20", "description": "The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program."}]}], "providerMetadata": {"orgId": "42b59230-ec95-491e-8425-5a5befa1a469", "shortName": "Splunk", "dateUpdated": "2025-02-28T11:03:58.707Z"}}}, "cveMetadata": {"cveId": "CVE-2023-22934", "state": "PUBLISHED", "dateUpdated": "2025-02-28T11:03:58.707Z", "dateReserved": "2023-01-10T21:39:55.583Z", "assignerOrgId": "42b59230-ec95-491e-8425-5a5befa1a469", "datePublished": "2023-02-14T17:22:35.427Z", "assignerShortName": "Splunk"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "24C628AD-CF89-4FD5-B58F-38D150D2F535", "versionEndExcluding": "8.1.13", "versionStartIncluding": "8.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "4B2A60A4-55C6-4C11-B86D-452CC43D85FF", "versionEndExcluding": "8.2.10", "versionStartIncluding": "8.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "39FFDC8F-FC45-41E7-8353-D09AAE26F50F", "versionEndExcluding": "9.0.4", "versionStartIncluding": "9.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*", "matchCriteriaId": "8AF379C7-8910-4C30-882A-4CE9F9C9992C", "versionEndExcluding": "9.0.2209.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the \u2018pivot\u2019 search processing language (SPL) command lets a search bypass SPL safeguards for risky commands using a saved search job. The vulnerability requires an authenticated user to craft the saved job and a higher privileged user to initiate a request within their browser."}], "id": "CVE-2023-22934", "lastModified": "2024-11-21T07:45:40.297", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 5.2, "source": "prodsec@splunk.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-02-14T18:15:12.297", "references": [{"source": "prodsec@splunk.com", "tags": ["Vendor Advisory"], "url": "https://advisory.splunk.com/advisories/SVD-2023-0204"}, {"source": "prodsec@splunk.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://research.splunk.com/application/ee69374a-d27e-4136-adac-956a96ff60fd"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://advisory.splunk.com/advisories/SVD-2023-0204"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Vendor Advisory"], "url": "https://research.splunk.com/application/ee69374a-d27e-4136-adac-956a96ff60fd"}], "sourceIdentifier": "prodsec@splunk.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "prodsec@splunk.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-20"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}