PoC Exploit Released For Splunk Enterprise Local File Inclusion Vulnerability
- С сайта: Vulnerability(cybersecuritynews.com)
- Вернуться к списку новостей
С сайта: Vulnerability(cybersecuritynews.com)
A proof-of-concept (PoC) exploit has been released for a critical local file inclusion vulnerability in Splunk Enterprise, identified as CVE-2024-36991.
This vulnerability affects Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10, specifically on Windows systems.
The vulnerability arises from a flaw in the Python os.path.join function improperly handles path tokens by removing the drive letter if it matches the drive in the built path.
This flaw allows an attacker to perform a path traversal attack on the endpoint, potentially enabling unauthorized access to sensitive files on the system. The issue is confined to instances of Splunk Enterprise running on Windows with Splunk Web-enabled.
Exploit Information
The PoC exploit for CVE-2024-36991, developed by security researcher Danylo Dmytriiev, demonstrates how an attacker can leverage this vulnerability to read the passwd file on a Splunk Enterprise server.
The exploit script requires Python 3.6 or higher, and the requests library. It can target a single URL or scan multiple targets listed in a file.
Usage Instructions:
python CVE-2024-36991.py -u https://target:9090
python CVE-2024-36991.py -f targets.txt
Mitigation and Recommendations
To protect against this vulnerability, it is recommended to upgrade Splunk Enterprise to versions 9.2.2, 9.1.5, or 9.0.10 or higher. As an additional precaution, administrators can disable Splunk Web if it is not required. Instructions for disabling Splunk Web can be found in the web.conf configuration specification file.
The vulnerability has been rated with high severity, carrying a CVSSv3 score of 7.5. It poses a significant risk, allowing remote, unauthenticated attackers to read sensitive information from arbitrary files on the affected systems.
Given the potential for information disclosure, administrators must apply the recommended updates and mitigations promptly.
Organizations using Splunk Enterprise on Windows should prioritize upgrading to the latest versions and consider disabling unnecessary components to mitigate the risk of exploitation.
#Cyber_Security #Cyber_Security_News #Vulnerability #cyber_security #cyber_security_news #vulnerability
Оригинальная версия на сайте:
PoC Exploit Released For Splunk Enterprise Local File Inclusion Vulnerability
Author: Guru BaranA proof-of-concept (PoC) exploit has been released for a critical local file inclusion vulnerability in Splunk Enterprise, identified as CVE-2024-36991.
This vulnerability affects Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10, specifically on Windows systems.
The vulnerability arises from a flaw in the Python os.path.join function improperly handles path tokens by removing the drive letter if it matches the drive in the built path.
This flaw allows an attacker to perform a path traversal attack on the endpoint, potentially enabling unauthorized access to sensitive files on the system. The issue is confined to instances of Splunk Enterprise running on Windows with Splunk Web-enabled.
Exploit Information
The PoC exploit for CVE-2024-36991, developed by security researcher Danylo Dmytriiev, demonstrates how an attacker can leverage this vulnerability to read the passwd file on a Splunk Enterprise server.
The exploit script requires Python 3.6 or higher, and the requests library. It can target a single URL or scan multiple targets listed in a file.
Usage Instructions:
- Single Target:
python CVE-2024-36991.py -u https://target:9090
- Bulk Scan:
python CVE-2024-36991.py -f targets.txt
Mitigation and Recommendations
To protect against this vulnerability, it is recommended to upgrade Splunk Enterprise to versions 9.2.2, 9.1.5, or 9.0.10 or higher. As an additional precaution, administrators can disable Splunk Web if it is not required. Instructions for disabling Splunk Web can be found in the web.conf configuration specification file.
The vulnerability has been rated with high severity, carrying a CVSSv3 score of 7.5. It poses a significant risk, allowing remote, unauthenticated attackers to read sensitive information from arbitrary files on the affected systems.
Given the potential for information disclosure, administrators must apply the recommended updates and mitigations promptly.
Organizations using Splunk Enterprise on Windows should prioritize upgrading to the latest versions and consider disabling unnecessary components to mitigate the risk of exploitation.
#Cyber_Security #Cyber_Security_News #Vulnerability #cyber_security #cyber_security_news #vulnerability
Оригинальная версия на сайте:
