CVE-2023-40597 — Absolute Path Traversal in Cloud

CWE-36 — Absolute Path Traversal CWE-22 — Path Traversal3 documents3 sources

Severity

8.8HIGHNVD

CNA7.8

EPSS

0.1%

top 83.16%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Splunk Cloud Splunk Enterprise Splunk +1 more

Timeline

PublishedAug 30

Description

In Splunk Enterprise versions lower than 8.2.12, 9.0.6, and 9.1.1, an attacker can exploit an absolute path traversal to execute arbitrary code that is located on a separate disk.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HExploitability: 2.0 | Impact: 6.0

Affected Packages4 packages

▶CVEListV5splunk/splunk_enterprise8.2 — 8.2.12+2

▶NVDsplunk/splunk8.2.0 — 8.2.12+2

▶CVEListV5splunk/splunk_cloud- — 9.0.2305.200

▶NVDsplunk/splunk_cloud_platform9.0.2305.100

🔴Vulnerability Details

GHSA

GHSA-prvp-v5vw-h6ph: In Splunk Enterprise versions lower than 8↗2023-08-30

▶

CVEList

Absolute Path Traversal in Splunk Enterprise Using runshellscript.py↗2023-08-30

▶