CVE-2023-3997 : Splunk SOAR versions lower than 6.1.0 are indirectly affected by a potential vul

Splunk SOAR versions lower than 6.1.0 are indirectly affected by a potential vulnerability accessed through the user’s terminal. A third party can send Splunk SOAR a maliciously crafted web request containing special ANSI characters to cause log file poisoning. When a terminal user attempts to view the poisoned logs, this can tamper with the terminal and cause possible malicious code execution from the terminal user’s action.

Published 2023-07-31 17:15:10

Updated 2024-12-10 18:15:26

Source Splunk Inc.

View at NVD, CVE.org

Products affected by CVE-2023-3997

Splunk » Soar » On-premises Edition
Versions before (<) 6.1.0
cpe:2.3:a:splunk:soar:*:*:*:*:on-premises:*:*:*
Matching versions
Splunk » Soar » Cloud Edition
Versions before (<) 6.1.0.131
cpe:2.3:a:splunk:soar:*:*:*:*:cloud:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2023-3997

EPSS FAQ

0.06%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 17 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-3997

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
7.8	HIGH	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H	1.8	5.9	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: High Availability: High
8.6	HIGH	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H	1.8	6.0	Splunk Inc.
Attack Vector: Local Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Changed Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2023-3997

CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Assigned by: nvd@nist.gov (Primary)
CWE-116 Improper Encoding or Escaping of Output

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

Assigned by: nvd@nist.gov (Primary)
CWE-117 Improper Output Neutralization for Logs

The product constructs a log message from external input, but it does not neutralize or incorrectly neutralizes special elements when the message is written to a log file.

Assigned by: prodsec@splunk.com (Secondary)

References for CVE-2023-3997

https://advisory.splunk.com/advisories/SVD-2023-0702

SVD-2023-0702 | Splunk Vulnerability Disclosure
Vendor Advisory

Jump to

Vulnerability Details : CVE-2023-3997

Products affected by CVE-2023-3997

Exploit prediction scoring system (EPSS) score for CVE-2023-3997

CVSS scores for CVE-2023-3997

CWE ids for CVE-2023-3997

References for CVE-2023-3997