CVE-2023-46230 - Sensitive Data Leak in Splunk Add-on Builder (Fixed in 4.1.4)

In late 2023, a critical vulnerability was discovered and assigned as CVE-2023-46230 in the Splunk Add-on Builder. This vulnerability allows leakage of sensitive information, such as credentials, to internal log files. If you're using Add-on Builder below version 4.1.4, your data may be at risk.

In this long-form post, we'll break down what this vulnerability is, how it can be exploited, offer a code snippet as a PoC, and what you should do about it. All information is exclusive to this post and simplified for better understanding.

What Is The Splunk Add-on Builder?

The Splunk Add-on Builder is a tool to make Splunk add-on development easier. It provides a no-code/low-code interface to create, package, and publish add-ons. Developers, admins, and security analysts use it widely.

Root Cause

In Add-on Builder versions *below* 4.1.4, the app carelessly logs sensitive configuration fields—like usernames, secrets, and API tokens—to internal log files. Attackers (or insiders) with access to these logs can extract credentials or other confidential info.

Typical paths for these logs are

- $SPLUNK_HOME/var/log/splunk/ta_builder.log
- $SPLUNK_HOME/var/log/splunk/python.log

Severity

Although this isn’t an RCE or code injection bug, it can lead to privilege escalation or full compromise if attackers use these leaked secrets elsewhere (for example, cloud API tokens).

How Does It Work?

Let’s say you’re creating a Data Input in the Add-on Builder for some API, and specifying an api_key or password for authentication. When you run, debug, or test the add-on, the Add-on Builder logs its activity—including configuration payloads.

In vulnerable versions, it writes the full payload, including these secrets.

Example logged entry (sanitized)

2023-10-02 12:45:33,384 INFO  [ta_builder.controllers.inputs] Input configuration: {'name': 'my_data_input', 'password': 'hunter2', 'api_key': 'sk-x7pv14i2-vulnerable-secret'}

Proof-of-Concept Code Snippet

Suppose you want to *demonstrate* the leak with a simple script on your Splunk server. Here’s a Python snippet to grep sensitive fields:

import re

log_path = "/opt/splunk/var/log/splunk/ta_builder.log"
secret_fields = ["password", "api_key", "secret", "token"]

with open(log_path, "r", encoding="utf-8") as log_file:
    for line in log_file:
        for field in secret_fields:
            match = re.search(rf"'{field}':\s*'([^']+)'", line)
            if match:
                print(f"Found {field}: {match.group(1)} in log line: {line.strip()}")

What this does: It scans for likely sensitive fields in the Add-on Builder log file and prints any secrets it finds. *This is what an attacker or auditor might do during a compromise or security review.*

Exploitation Scenario

Let’s suppose your Splunk Add-on Builder is running with default permissions. A malicious admin, developer, or attacker with filesystem or Splunk app access can:

Download the internal log files

- $SPLUNK_HOME/var/log/splunk/ta_builder.log

Access API endpoints

- Laterally escalate in environments using the same passwords/secrets

CVE-2023-46230 - Mitre:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-46230

Splunk Add-on Builder Advisory:

https://advisory.splunk.com/advisories/SVD-2023-1105

Fixed Release Download (4.1.4):

https://splunkbase.splunk.com/app/2962/

How Do I Fix It?

1. Upgrade ASAP:
Update your Splunk Add-on Builder to version 4.1.4 or higher. This is the only *guaranteed* fix. You can do this at your Splunkbase download page.

2. Sanitize Old Logs:
Even after upgrading, your old log files may still have sensitive data.

- Secure or delete the following (get your Splunk admin involved!)

- $SPLUNK_HOME/var/log/splunk/ta_builder.log
- $SPLUNK_HOME/var/log/splunk/python.log
- Rotate them / clear entries if needed.

3. Check for Compromise:
Run scripts (like the one above) to check if anything sensitive was exposed. If you find secrets, rotate them (change passwords, revoke tokens) everywhere they’ve been used.

Conclusion

CVE-2023-46230 is a serious but preventable vulnerability affecting Splunk Add-on Builder versions below 4.1.4. Attackers or insiders with local access can steal passwords or API keys from unprotected log files. Upgrade, sanitize, and rotate secrets as soon as possible to protect your data and integrations.

For more details and downloads, check the references above and make sure your Splunk apps are always up to date.


*Stay safe, log less, and always watch your secrets!*

Timeline

Published on: 01/30/2024 17:15:09 UTC
Last modified on: 02/05/2024 21:00:21 UTC