Splunk Enterprise < 5.0.17 / 6.0.13 / 6.1.12 / 6.2.12 / 6.3.8 / 6.4.4 or Splunk Light < 6.5.0 Multiple Vulnerabilities

critical Nessus Plugin ID 94932
New! Plugin Severity Now Using CVSS v3

The calculated severity for Plugins has been updated to use CVSS v3 by default. Plugins that do not have a CVSS v3 score will fall back to CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.


An application running on the remote web server is affected by multiple vulnerabilities.


According to its self-reported version number, the version of Splunk Enterprise hosted on the remote web server is 5.0.x prior to 5.0.17, 6.0.x prior to 6.0.13, 6.1.x prior to 6.1.12, 6.2.x prior to 6.2.12, 6.3.x prior to 6.3.8, or 6.4.x prior to 6.4.4; or else it is Splunk Light prior to 6.5.0. It is, therefore, affected by multiple vulnerabilities :

- A heap buffer overflow condition exists in Python, specifically in the get_data() function within file Modules/zipimport.c, due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this, via negative data size values, to cause a denial of service condition or the possible execution of arbitrary code. (CVE-2016-5636)

- A CRLF injection vulnerability exists in Python, specifically in the HTTPConnection.putheader() function within file Modules/zipimport.c. An unauthenticated, remote attacker can exploit this to inject arbitrary HTTP headers via CRLF sequences in a URL, allowing cross-site scripting (XSS) and other attacks.

- A flaw exists in Python within the smtplib library due to a failure to properly raise exceptions when smtp servers are able to negotiate starttls but fail to respond properly. A man-in-the-middle attacker can exploit this issue to bypass TLS protections via a 'StartTLS stripping attack.' (CVE-2016-0772)

- An HTTP request injection vulnerability exists in Splunk that permits leakage of authentication tokens. An unauthenticated, remote attacker can exploit this to access the Splunk REST API with the same rights as the user.

Note that the Python vulnerabilities stated above do not affect the Splunk Enterprise 6.4.x versions, and the HTTP request injection vulnerability does not affect the Splunk Light versions.


Upgrade Splunk Enterprise to version 5.0.17 / 6.0.13 / 6.1.12 / 6.2.12 / 6.3.8 / 6.4.4 or later, or Splunk Light to version 6.5.0 or later.

See Also


Plugin Details

Severity: Critical

ID: 94932

File Name: splunk_650.nasl

Version: 1.9

Type: remote

Family: CGI abuses

Published: 11/17/2016

Updated: 11/14/2019

Dependencies: splunkd_detect.nasl, splunk_web_detect.nasl

Risk Information


Risk Factor: Medium

Score: 5.9


Risk Factor: Critical

Base Score: 10

Temporal Score: 7.8

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: E:POC/RL:OF/RC:C


Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:splunk:splunk

Required KB Items: installed_sw/Splunk

Exploit Available: true

Exploit Ease: No exploit is required

Patch Publication Date: 11/10/2016

Vulnerability Publication Date: 11/24/2014

Reference Information

CVE: CVE-2016-0772, CVE-2016-5636, CVE-2016-5699

BID: 91225, 91226, 91247