It's Raining Shells! Recent CVEs in SharePoint, Splunk, and Confluence, Oh My! | Threat SnapShot

In this bonus Threat SnapShot, we wanted to highlight a few of the most relevant and impactful vulnerabilities from December and January.

First, we'll cover an elevation-of-privilege vulnerability in Microsoft SharePoint Server (CVE-2023-29357), rated critical with a CVSS score of 9.8. A remote, unauthenticated attacker can send a spoofed JSON Web Token (JWT) to a vulnerable server and be treated as an authenticated user, gaining that user's privileges on the target. According to Microsoft's advisory, no user interaction is required. The publicly released proof of concept (PoC) only achieves the authentication bypass; reaching remote code execution requires chaining it with a second bug, as was done with CVE-2023-24955 at Pwn2Own, so it is likely that threat actors will extend the PoC into a weaponized exploit.
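The SharePoint flaw is an instance of a server trusting the claims in a token it never properly verified. The Python below is an illustration added to this post, not code from Microsoft, the advisory or the public PoC, and it does not reproduce the specific mechanics of CVE-2023-29357. It shows the general pattern behind JWT spoofing: a verifier that honours whatever `alg` the token declares (including the unsigned `none` form) accepts a forged token, while a verifier that pins the algorithm, checks the HMAC with a constant-time compare and validates `exp` and `aud` rejects it. The secret, claims and audience value are made up for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed secret for the example; a real service loads it from a key store.
SECRET = b"example-shared-secret-not-for-production"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _sign(signing_input: bytes, secret: bytes) -> bytes:
    return hmac.new(secret, signing_input, hashlib.sha256).digest()


def mint_token(claims: dict, secret: bytes, alg: str = "HS256") -> str:
    """Build a compact JWT. alg='none' yields the unsigned form an attacker forges."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    if alg == "none":
        return f"{header}.{payload}."          # empty signature segment
    signing_input = f"{header}.{payload}".encode()
    return f"{header}.{payload}.{_b64url_encode(_sign(signing_input, secret))}"


def verify_insecure(token: str, secret: bytes) -> Optional[dict]:
    """Vulnerable pattern: the verifier trusts the alg field the token itself declares."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") == "none":
        # Unsigned token accepted as-is: whoever wrote the payload picks the identity.
        return json.loads(_b64url_decode(payload_b64))
    expected = _sign(f"{header_b64}.{payload_b64}".encode(), secret)
    if hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return json.loads(_b64url_decode(payload_b64))
    return None


def verify_hardened(token: str, secret: bytes, expected_aud: str,
                    now: Optional[float] = None) -> Optional[dict]:
    """Pin the algorithm, require a signature, and check exp/aud before trusting claims."""
    parts = token.split(".")
    if len(parts) != 3 or not parts[2]:
        return None                            # missing signature segment
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:                         # covers binascii.Error and JSONDecodeError
        return None
    if header.get("alg") != "HS256":           # never let the token choose the algorithm
        return None
    expected = _sign(f"{header_b64}.{payload_b64}".encode(), secret)
    if not hmac.compare_digest(expected, sig):
        return None
    now = time.time() if now is None else now
    if payload.get("aud") != expected_aud or payload.get("exp", 0) <= now:
        return None
    return payload


if __name__ == "__main__":
    forged = mint_token({"sub": "admin", "aud": "portal", "exp": 4102444800}, b"", alg="none")
    print("insecure verifier accepts forged token:", verify_insecure(forged, SECRET))
    print("hardened verifier accepts forged token:", verify_hardened(forged, SECRET, "portal"))
```

The hardened verifier treats the `alg` header as untrusted input: the accepted algorithm and the key come from server configuration, and the token is only allowed to carry claims. Checking `aud` also stops a token minted for one service from being replayed against another.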

Next, we'll dive into a Remote Code Execution (RCE) vulnerability in Splunk Enterprise (CVE-2023-46214) that stems from unsafe handling of user-supplied Extensible Stylesheet Language Transformations (XSLT). Splunk Enterprise versions below 9.0.7 and 9.1.2 do not sufficiently sanitize XSLT that users supply, so an authenticated, low-privileged user can upload a malicious stylesheet and have it execute code on the instance. Splunk is widely deployed across many organizations; because exploitation requires a valid login, the most likely abusers are insider threats or adversaries already lurking in the environment, but the thousands of publicly exposed Splunk instances are also at risk wherever credentials can be obtained.

Finally, we'll look at a template injection flaw in Atlassian Confluence Data Center and Server (CVE-2023-22527), which affects out-of-date 8.x releases (8.0.x through 8.5.3). This critical vulnerability was given the maximum CVSS score of 10 because an unauthenticated attacker can achieve remote code execution with a low-complexity attack. It harks back to earlier Confluence flaws, CVE-2022-26134 and CVE-2021-26084, which likewise let an attacker inject Object-Graph Navigation Language (OGNL) expressions to gain code execution.

As always, we'll also discuss detection and threat hunting strategies to keep your organization safe.
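As one starting point for that hunting, the Python below scans web-server access logs for the expression syntax described in the Confluence section (OGNL static calls such as `@java.lang.Runtime@getRuntime`, `#{...}`/`${...}` blocks, and direct requests for Velocity `.vm` templates). It is an example added to this post, not a SnapAttack detection or an Atlassian-published query: the log lines are constructed, the rules are generic heuristics for expression injection rather than signatures for any specific CVE, and the `.vm` path rule is an assumption that ordinary users do not request templates directly.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines in Apache/Tomcat combined format; not real traffic.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [22/Jan/2024:10:15:01 +0000] "GET /wiki/pages/viewpage.action?pageId=1234 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [22/Jan/2024:10:16:22 +0000] "GET /wiki/search?q=%40java.lang.Runtime%40getRuntime%28%29.exec%28%27id%27%29 HTTP/1.1" 200 4110 "-" "curl/8.4.0"
198.51.100.7 - - [22/Jan/2024:10:17:09 +0000] "POST /wiki/template/example.vm HTTP/1.1" 200 311 "-" "python-requests/2.31.0"
10.0.0.8 - - [22/Jan/2024:10:18:40 +0000] "GET /wiki/display/ENG/Build+Notes?note=%2524%257Bx%257D HTTP/1.1" 200 7001 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Heuristic indicators of OGNL/Velocity expression syntax in a request target.
# Generic expression-injection patterns, not vendor advisory signatures.
EXPRESSION_RULES = [
    ("ognl_static_call", re.compile(r"@[\w.]+@\w+")),           # @java.lang.Runtime@getRuntime
    ("expression_block", re.compile(r"[#$]\{")),                 # #{...} or ${...}
    ("runtime_exec", re.compile(r"getRuntime\(|ProcessBuilder")),
]


def decode_target(target: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so double-encoded payloads (%2524 -> %24 -> $) surface."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def hunt(log_text: str) -> list:
    """Return one finding per suspicious request: source IP, method, raw target, rules hit."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                                            # skip unparseable lines
        target = decode_target(m["target"])
        hits = [name for name, rx in EXPRESSION_RULES if rx.search(target)]
        # Assumption: browsers never fetch Velocity templates directly, so a request
        # whose path ends in .vm is worth a look even without expression syntax.
        path = target.split("?", 1)[0]
        if path.endswith(".vm"):
            hits.append("velocity_template_path")
        if hits:
            findings.append({
                "ip": m["ip"], "method": m["method"], "target": m["target"],
                "status": int(m["status"]), "rules": hits,
            })
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_ACCESS_LOG):
        print(f["ip"], f["method"], f["target"], f["rules"])
```

Because the access log only records the request line, payloads carried in a POST body are invisible here; for those, pair this with request-body logging or a WAF, and with host-side detections such as web-server processes spawning shells.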
