CVE-2024-36991 PoC — Path Traversal on the “/modules/messaging/“ endpoint in Splunk Enterprise on Windows

Source

Associated Vulnerability

Description

Proof of Concept for CVE-2024-36991. Path traversal for Splunk versions below 9.2.2, 9.1.5, and 9.0.10 for Windows which allows arbitrary file read.

Readme

# CVE-2024-36991 - Splunk Path Traversal

Proof of Concept for [CVE-2024-36991](https://nvd.nist.gov/vuln/detail/cve-2024-36991) which allows an attacker to read arbitrary files in `Splunk` for versions below to `9.2.2`, `9.1.5`, and `9.0.10` for `Windows`.

## Usage

### Read Splunk configuration files

To read `Splunk` files just run the script passing the target URL running `Splunk` and the configuration file you want to read. For example:
```shell-session
python3 CVE-2024-36991.py -u 'https://example.com:8000' -f '/etc/auth/splunk.secret'
```

### Read Windows system files

To read `Windows` system files just add the flag `--system-files`. For example:
```shell-session
python3 CVE-2024-36991.py -u http://haze.htb:8000 -f '/Windows/System32/drivers/etc/hosts' --system-files
```

---

Always use this tool for good purposes. Be ethical (:

File Snapshot

 [4.0K]  /data/pocs/41d29a1e507c03a3e80324d96042c50304076a3f
├── [5.3K]  CVE-2024-36991.py
└── [ 853]  README.md

0 directories, 2 files

Remarks