CVE-2023-3997 - OpenCVE

Splunk SOAR versions lower than 6.1.0 are indirectly affected by a potential vulnerability accessed through the user’s terminal. A third party can send Splunk SOAR a maliciously crafted web request containing special ANSI characters to cause log file poisoning. When a terminal user attempts to view the poisoned logs, this can tamper with the terminal and cause possible malicious code execution from the terminal user’s action.

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Splunk	Soar

Configuration 1 [-]

OR	cpe:2.3:a:splunk:soar:::::on-premises:::*
	cpe:2.3:a:splunk:soar:::::cloud:::*

References

Link	Resource
https://advisory.splunk.com/advisories/SVD-2023-0702	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: Splunk

Published: 2023-07-31T16:16:19.911Z

Updated: 2024-07-01T16:57:46.531Z

Reserved: 2023-07-28T17:28:28.614Z

Link: CVE-2023-3997

JSON object: View

NVD Information

Status : Modified

Published: 2023-07-31T17:15:10.110

Modified: 2024-04-10T01:15:15.117

Link: CVE-2023-3997

JSON object: View

Redhat Information

No data.

CWE

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-3997", "assignerOrgId": "42b59230-ec95-491e-8425-5a5befa1a469", "state": "PUBLISHED", "assignerShortName": "Splunk", "dateReserved": "2023-07-28T17:28:28.614Z", "datePublished": "2023-07-31T16:16:19.911Z", "dateUpdated": "2024-07-01T16:57:46.531Z"}, "containers": {"cna": {"affected": [{"product": "Splunk SOAR (On-premises)", "vendor": "Splunk", "versions": [{"version": "-", "status": "affected", "versionType": "custom", "lessThan": "6.1.0"}]}, {"product": "Splunk SOAR (Cloud)", "vendor": "Splunk", "versions": [{"version": "-", "status": "affected", "versionType": "custom", "lessThan": "6.1.0"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Splunk SOAR versions lower than 6.1.0 are indirectly affected by a potential vulnerability accessed through the user\u2019s terminal. A third party can send Splunk SOAR a maliciously crafted web request containing special ANSI characters to cause log file poisoning. When a terminal user attempts to view the poisoned logs, this can tamper with the terminal and cause possible malicious code execution from the terminal user\u2019s action."}], "value": "Splunk SOAR versions lower than 6.1.0 are indirectly affected by a potential vulnerability accessed through the user\u2019s terminal. A third party can send Splunk SOAR a maliciously crafted web request containing special ANSI characters to cause log file poisoning. When a terminal user attempts to view the poisoned logs, this can tamper with the terminal and cause possible malicious code execution from the terminal user\u2019s action."}], "references": [{"url": "https://advisory.splunk.com/advisories/SVD-2023-0702"}], "title": "Unauthenticated Log Injection In Splunk SOAR", "datePublic": "2023-07-31T00:00:00.000000", "metrics": [{"cvssV3_1": {"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1", "baseScore": 8.6, "baseSeverity": "HIGH"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "cvw", "description": "The software does not neutralize or incorrectly neutralizes output that is written to logs.", "cweId": "CWE-117"}]}], "source": {"advisory": "SVD-2023-0702"}, "credits": [{"lang": "en", "value": "ST\u00d6K / Fredrik Alexandersson"}], "providerMetadata": {"orgId": "42b59230-ec95-491e-8425-5a5befa1a469", "shortName": "Splunk", "dateUpdated": "2024-07-01T16:57:46.531Z"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:splunk:soar:*:*:*:*:on-premises:*:*:*", "matchCriteriaId": "B6409239-52FB-4299-8AA1-869223F44504", "versionEndExcluding": "6.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:splunk:soar:*:*:*:*:cloud:*:*:*", "matchCriteriaId": "E71AB766-6388-44FB-8F0B-6ED443A20895", "versionEndExcluding": "6.1.0.131", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Splunk SOAR versions lower than 6.1.0 are indirectly affected by a potential vulnerability accessed through the user\u2019s terminal. A third party can send Splunk SOAR a maliciously crafted web request containing special ANSI characters to cause log file poisoning. When a terminal user attempts to view the poisoned logs, this can tamper with the terminal and cause possible malicious code execution from the terminal user\u2019s action."}], "id": "CVE-2023-3997", "lastModified": "2024-04-10T01:15:15.117", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 6.0, "source": "prodsec@splunk.com", "type": "Secondary"}]}, "published": "2023-07-31T17:15:10.110", "references": [{"source": "prodsec@splunk.com", "tags": ["Vendor Advisory"], "url": "https://advisory.splunk.com/advisories/SVD-2023-0702"}], "sourceIdentifier": "prodsec@splunk.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-116"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-117"}], "source": "prodsec@splunk.com", "type": "Secondary"}]}