CVE-2023-46214: 
Splunk Enterprise vulnerability analysis and mitigation

CVE-2023-46214 is a high-severity vulnerability affecting Splunk Enterprise versions below 9.0.7 and 9.1.2, as well as Splunk Cloud versions below 9.1.2308. The vulnerability stems from improper sanitization of extensible stylesheet language transformations (XSLT) that users supply, which could allow attackers to upload malicious XSLT resulting in remote code execution on the Splunk Enterprise instance. The vulnerability was disclosed on November 16, 2023 (Splunk Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H according to NVD, while Splunk rates it at 8.0 (High) with vector CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H. The vulnerability is classified as CWE-91 (XML Injection). The attack can be performed remotely but requires user interaction and valid authentication credentials (NVD).

If successfully exploited, this vulnerability could lead to remote code execution on the affected Splunk Enterprise instance. This could potentially result in full system compromise, unauthorized data access, and further lateral movement within the network (Help Net Security).

Splunk has released patches in versions 9.0.7 and 9.1.2. For users who cannot upgrade immediately, a workaround is available by limiting the ability of search job requests to accept XML stylesheet language (XSL) as valid input. This can be done by modifying the web.conf configuration file to add 'enableSearchJobXslt = false' in the [settings] section (Splunk Advisory).