Vulnerability Details : CVE-2011-4642
Public exploit exists!
mappy.py in Splunk Web in Splunk 4.2.x before 4.2.5 does not properly restrict use of the mappy command to access Python classes, which allows remote authenticated administrators to execute arbitrary code by leveraging the sys module in a request to the search application, as demonstrated by a cross-site request forgery (CSRF) attack, aka SPL-45172.
Vulnerability category: Cross-site request forgery (CSRF), Execute code
Products affected by CVE-2011-4642
- cpe:2.3:a:splunk:splunk:4.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:splunk:splunk:4.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:splunk:splunk:4.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:splunk:splunk:4.2:*:*:*:*:*:*:*
- cpe:2.3:a:splunk:splunk:4.2.1:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2011-4642
- 5.28%: Probability of exploitation activity in the next 30 days
- ~ 93 %: Percentile, the proportion of vulnerabilities that are scored at or less
Metasploit modules for CVE-2011-4642
- Splunk Search Remote Code Execution
  Disclosure Date: 2011-12-12
  First seen: 2020-04-26
  Module: exploit/multi/http/splunk_mappy_exec
  This module abuses a command execution vulnerability in the web based interface of Splunk 4.2 to 4.2.4. The vulnerability exists in the 'mappy' search command which allows attackers to run Python code. To exploit this vulnerability, a valid Splunk user with the admin
CVSS scores for CVE-2011-4642
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.6 | MEDIUM | AV:N/AC:H/Au:S/C:P/I:P/A:P | 3.9 | 6.4 | NIST | |
CWE ids for CVE-2011-4642
- The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request. Assigned by: nvd@nist.gov (Primary)
References for CVE-2011-4642
- http://www.splunk.com/view/SP-CAAAGMM
  Splunk 4.2.5 addresses three vulnerabilities - December 12th, 2011 | Splunk (Vendor Advisory)
- http://www.exploit-db.com/exploits/18245/
  Splunk - Remote Command Execution - Multiple remote Exploit (Exploit)
- http://www.securitytracker.com/id?1026451
  Splunk Bugs Permit Remote Autheticated Code Injection and Directory Traversal and Remote Cross-Site Scripting Attacks - SecurityTracker
- http://www.sec-1.com/blog/?p=233
  Advisory: Multiple Splunk Vulnerabilities - Sec-1 Labs (Exploit)
- http://www.sec-1.com/blog/wp-content/uploads/2011/12/Attacking_Splunk_Release.pdf
  Page Not Found - Sec-1 Labs (Exploit)