Splunk AoB <4.1.2 REST API Mod Input HTTP Downgrade after HTTPS Fail
CVE-2023-22943 Published on February 14, 2023
Modular Input REST API Requests Connect via HTTP after Certificate Validation Failure in Splunk Add-on Builder and Splunk CloudConnect SDK
In Splunk Add-on Builder (AoB) versions below 4.1.2 and the Splunk CloudConnect SDK versions below 3.1.3, requests to third-party APIs through the REST API Modular Input incorrectly revert to using HTTP to connect after a failure to connect over HTTPS occurs.
Weakness Type
What is a Failing Open Vulnerability?
When the product encounters an error condition or failure, its design requires it to fall back to a state that is less secure than other options that are available, such as selecting the weakest encryption algorithm or using the most permissive access control restrictions. By entering a less secure state, the product inherits the weaknesses associated with that state, making it easier to compromise. At the least, it causes administrators to have a false sense of security. This weakness typically occurs as a result of wanting to "fail functional" to minimize administration and support costs, instead of "failing safe."
CVE-2023-22943 has been classified as a Failing Open vulnerability or weakness.
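The downgrade described above, contrasted with a fail-closed client, as an added example that is not Splunk's code and not part of the original advisory. The function names, the FakeTransport stand-in and the URL are constructed for illustration.

```python
"""Added illustration of fail-open vs fail-closed HTTPS handling (not Splunk code)."""
import ssl
from urllib.parse import urlsplit


def downgrade(url):
    """Rewrite an https:// URL to http:// (the insecure fallback)."""
    return urlsplit(url)._replace(scheme="http").geturl()


def fetch_fail_open(url, send):
    """Flawed pattern: on an HTTPS failure, retry the same request over HTTP."""
    try:
        return send(url)
    except ssl.SSLError:
        # Query string, headers and body are now sent in cleartext, and the
        # caller gets a normal response with no sign that TLS was dropped.
        return send(downgrade(url))


def fetch_fail_closed(url, send):
    """Hardened pattern: refuse non-HTTPS URLs and let TLS errors surface."""
    if urlsplit(url).scheme != "https":
        raise ValueError("refusing non-HTTPS endpoint: " + url)
    return send(url)  # ssl.SSLError propagates; there is no HTTP retry


class FakeTransport:
    """Constructed stand-in for the network: every HTTPS attempt fails validation."""

    def __init__(self):
        self.sent = []  # every URL actually put on the wire, in order

    def __call__(self, url):
        self.sent.append(url)
        if url.startswith("https://"):
            raise ssl.SSLCertVerificationError("certificate verify failed")
        return "200 OK over " + urlsplit(url).scheme


def demo():
    url = "https://api.example.test/v1/events?token=SAMPLE"  # constructed input
    open_t, closed_t = FakeTransport(), FakeTransport()
    open_result = fetch_fail_open(url, open_t)
    try:
        closed_result = fetch_fail_closed(url, closed_t)
    except ssl.SSLError as exc:
        closed_result = "blocked: " + type(exc).__name__
    return open_result, open_t.sent, closed_result, closed_t.sent
```

The fail-open path returns a successful response after sending the token over plain HTTP, while the fail-closed path sends nothing beyond the failed HTTPS attempt and reports the certificate error to the caller.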
Products Associated with CVE-2023-22943
Splunk CloudConnect Software Development Kit and Splunk Add-on Builder.
Affected Versions
Splunk Add-on Builder:
- Version 4.1 and below 4.1.2 is affected.
Splunk CloudConnect SDK:
- Version 3.1 and below 3.1.3 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.