CVE-2023-46214 — AI Deep Analysis Summary

🚨 **Essence**: Splunk fails to sanitize user-supplied XSLT. <br>💥 **Consequences**: Attackers upload malicious XSLT to achieve **Remote Code Execution (RCE)** on the Splunk Enterprise instance.…

🛡️ **Root Cause**: **CWE-91** (XML External Entity / XSLT Injection). <br>🔍 **Flaw**: Insecure handling/cleaning of user-provided **XSLT** (Extensible Stylesheet Language Transformations).

📦 **Affected Products**: **Splunk Enterprise**. <br>📅 **Versions**: <br>• 9.0.0 – 9.0.6 <br>• 9.1.0 – 9.1.1

👑 **Privileges**: **Remote Code Execution (RCE)**. <br>📂 **Data**: Full control over the Splunk instance. High impact on Confidentiality, Integrity, and Availability (CVSS H/H/H).

⚖️ **Threshold**: **High** (AC:H). <br>🔐 **Auth**: Requires **Low Privileges** (PR:L). <br>🖱️ **Interaction**: Requires **User Interaction** (UI:R). Not fully automated remote exploit.

🚫 **Public Exploit**: **No**. <br>📝 **PoCs**: Empty in data. <br>🌍 **Wild Exploitation**: None reported in provided references.

🔍 **Self-Check**: <br>1. Verify Splunk version (9.0.x/9.1.x). <br>2. Check for XSLT upload features in your instance. <br>3. Monitor for unusual XSLT file uploads via audit logs.

🩹 **Fix**: **Yes**. <br>📢 **Official Advisory**: SVD-2023-1104. <br>🔗 **Reference**: Splunk Research & Advisory links provided. Update to patched version immediately.

🛑 **Workaround**: <br>• **Restrict XSLT Uploads**: Disable or limit XSLT transformation capabilities. <br>• **Input Validation**: Implement strict allow-lists for uploaded files.…

🔥 **Urgency**: **High**. <br>⚠️ **Priority**: **P1**. <br>💡 **Reason**: CVSS Vector indicates **High** severity (C:H, I:H, A:H). Even with high exploitation difficulty, the impact is catastrophic. Patch ASAP.