Path Traversal On The “/Modules/Messaging/“ Endpoint In Splunk Enterprise On Windows
In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10, an attacker could perform a path traversal on the /modules/messaging/ endpoint in Splunk Enterprise on Windows.
The vulnerability exists because the Python os.path.join function removes the drive letter from path tokens if the drive in the token matches the drive in the built path.
This vulnerability should only affect Splunk Enterprise on Windows.
GET /en-US/modules/messaging/C:../C:../C:../C:../C:../C:../C:../C:../Windows/win.ini
GET /en-US/modules/messaging/C:../C:../C:../C:../C:../etc/passwd
affected from 9.2 before 9.2.2
affected from 9.1 before 9.1.5
affected from 9.0 before 9.0.10
Upgrade Splunk Enterprise to versions 9.2.2, 9.1.5, and 9.0.10, or higher.
Danylo Dmytriiev (DDV_UA)