CVE-2023-40593: 
Splunk Enterprise vulnerability analysis and mitigation

A vulnerability identified as CVE-2023-40593 affects Splunk Enterprise versions lower than 9.0.6 and 8.2.12, as well as Splunk Cloud Platform versions up to 9.0.2305.100. The vulnerability was discovered on August 16, 2023, and allows malicious actors to perform a denial of service attack through the SAML authentication endpoint (Splunk Advisory).

The vulnerability exists in the SAML XML parser which fails to properly validate signatures when processing malformed URIs in SAML requests. When an attacker sends a malformed SAML request to the /saml/acs REST endpoint, the parser attempts to access the modified URI instead of rejecting it, resulting in a crash or hang of the Splunk daemon. The vulnerability has been assigned a CVSS v3.1 base score of 6.3 (Medium) with vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H and is classified as CWE-400 (Uncontrolled Resource Consumption) (NVD, Splunk Advisory).

When successfully exploited, this vulnerability can cause a denial of service condition through either a crash or hang of the Splunk daemon, potentially disrupting the organization's ability to monitor and respond to security events (GBHackers).

Organizations can mitigate this vulnerability by either upgrading Splunk Enterprise to versions 8.2.12, 9.0.6, or higher (versions 9.1.0 and above are not affected), or by disabling single sign-on using SAML as an authentication scheme. For Splunk Cloud Platform, Splunk is actively monitoring and patching instances (Splunk Advisory).