RCE CVE-2023-46214


Hello community,

Can anyone please help me understand if the newest vulnerability can exploit a pure on prem Splunk Enterprise clustered solution?

Can an arbitrary code be pushed remotely via any means?

Splunk documentation and advisory are not very clear and just saying SE but not mentioning anything about 1.5 DTI and non publicity connected SE instance.

Thank you.

Labels (6)
0 Karma


That vulnerability has a CVSS vector of CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H, which means it requires network access and credentials to exploit.  If your Splunk is not accessible by outsiders then your vulnerability is lower.  See for everything public about the vulnerability.

If this reply helps you, Karma would be appreciated.
0 Karma


Hi, thanks for the reply @richgalloway 

All you said make sense. 

However, there are few scenarios where this statements might be out of order. Let me justify what I think.

Splunk SE accessible from outside? Do not think any on prem instance is designed to be remote accessable.

Anything can be reached vIa a switch (IP + port). All can of course be configured to restrict Internet to Intranet communication.

Not even considering insiders and how all even read only users handle queries they send to the SE switch URI etc.

I am sure the following will change our perspective of what this may cause if ignored as low severity:

Attackers, attack as service plus AI capabilities makes it even harder for defenders to defend. We simply do not know what we do not know in most instances before they get announced as Zero days.


0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...