Splunk CVE-2023-40598: Command Injection in Splunk Enterprise Using External Lookups
Severity | CVSS | Published | Added | Modified |
---|---|---|---|---|
7 | (AV:N/AC:H/Au:S/C:C/I:C/A:C) | Aug 30, 2023 | Apr 7, 2025 | Apr 22, 2025 |
Description
In Splunk Enterprise versions below 8.2.12, 9.0.6, and 9.1.1, an attacker can create an external lookup that calls a legacy internal function. The attacker can use this internal function to insert code into the Splunk platform installation directory. From there, a user can execute arbitrary code on the Splunk platform instance. The vulnerability revolves around the currently-deprecated runshellscript command that scripted alert actions use. This command, along with external command lookups, lets an attacker use this vulnerability to inject and execute commands within a privileged context from the Splunk platform instance.
Solution
splunk-upgrade-latest
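
For inventory triage, the fixed versions in the description have to be compared per release branch: a plain "less than 9.1.1" test would wrongly flag 9.0.6, and "less than 8.2.12" would miss 9.0.5. The following is an added example, not part of the original advisory or Splunk's tooling; the host names and version strings are constructed, and treating branches older than 8.2 as affected and branches newer than 9.1 as fixed is an assumption based on the wording "below".

```python
import re

# First fixed release on each branch, taken from the description above.
FIXED = {(8, 2): (8, 2, 12), (9, 0): (9, 0, 6), (9, 1): (9, 1, 1)}


def parse_version(text):
    """Extract (major, minor, patch) from strings such as '9.0.5' or
    'Splunk 9.0.5 (build abc123)'. A missing patch level counts as 0."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(g or 0) for g in m.groups())


def is_affected(version_text):
    """True if the version is below the fixed release of its own branch."""
    version = parse_version(version_text)
    branch = version[:2]
    if branch in FIXED:
        return version < FIXED[branch]
    # Assumption: branches older than 8.2 have no fixed release listed and
    # are treated as affected; branches newer than 9.1 include the fix.
    return branch < min(FIXED)


def triage(inventory):
    """Map each host to 'AFFECTED', 'ok', or 'unknown' (unparseable version)."""
    result = {}
    for host, version_text in inventory.items():
        try:
            result[host] = "AFFECTED" if is_affected(version_text) else "ok"
        except ValueError:
            result[host] = "unknown"
    return result


# Constructed sample inventory (host -> reported version string).
SAMPLE_INVENTORY = {
    "idx-01": "Splunk 9.0.5 (build abc123)",
    "idx-02": "9.0.6",
    "sh-01": "8.2.11",
    "sh-02": "9.1.1",
    "hf-01": "8.1.14",
    "hf-02": "version not reported",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```
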
