What is CVE-2023-46214?

CVE-2023-46214 is a high-severity vulnerability in certain versions of Splunk Enterprise and Splunk Cloud. It involves unsafe handling of user-supplied extensible stylesheet language transformations (XSLT), potentially leading to remote code execution. Updating the software is crucial to protect against potential attacks.

Who is impacted by CVE-2023-46214?

CVE-2023-46214 affects users of Splunk Enterprise versions 9.0.0 to 9.0.6 and 9.1.0 to 9.1.1, and Splunk Cloud versions below 9.1.2308.

What to do if CVE-2023-46214 affected you

If you're affected by the CVE-2023-46214 vulnerability, it's important to take action to protect your systems. Here's a simple guide on what to do:

1. Upgrade Splunk Enterprise to version 9.0.7 or 9.1.2, as recommended by Splunk Vulnerability Disclosure.

2. If you can't upgrade, limit search job requests to accept XML stylesheet language (XSL) as valid input by editing the web.conf configuration file, as suggested in the Splunk advisory.

3. Monitor for potential remote code execution attempts using the Splunk Security Content analytic.

Is this in CISA’s Known Exploited Vulnerabilities Catalog?

The CVE-2023-46214 vulnerability, also known as XML Injection or Blind XPath Injection, is not listed in CISA's Known Exploited Vulnerabilities Catalog. There is no specific date added or due date for this vulnerability. To address this issue, it is recommended to update Splunk Enterprise to a version that is not affected or implement other security measures as suggested in the provided sources.

Weakness Enumeration

The weakness enumeration for this vulnerability is categorized as CWE-91, which involves XML Injection, also known as Blind XPath Injection.

Learn More

For a comprehensive understanding of this vulnerability, including its description, severity, technical details, and known affected software configurations, refer to the NVD page or the sources listed below.

• Splunk Vulnerability Disclosure

• Splunk Security Content