SECURITY ALERTS

A Vulnerability (CVE-2023-32707) Exists in Splunk Allowing for Privilege Escalation

DESCRIPTION:
A vulnerability (CVE-2023-32707) exists in Splunk Enterprise and Splunk Cloud Platform. A low-privileged user who holds a role with the ‘edit_user’ capability can escalate their privileges to those of the admin user by sending a specially crafted web request. This is possible because the ‘edit_user’ capability does not honor the ‘grantableRoles’ setting in the authorize.conf configuration file, the setting that would otherwise prevent this scenario.

 

AFFECTED RELEASES:
Splunk Enterprise version 8.1.0 through 8.1.13
Splunk Enterprise version 8.2.0 through 8.2.10
Splunk Enterprise version 9.0.0 through 9.0.4
Splunk Cloud Platform 9.0.2303 and below

 

SOLUTION:
1. Users and system administrators of affected products are advised to apply the security updates:
(1) Please upgrade to Splunk Enterprise version 9.0.5, 8.2.11, 8.1.14, or higher
(2) Please upgrade to Splunk Cloud Platform version 9.0.2303.100 or higher

 

REFERENCE:
1. https://www.securityweek.com/high-severity-vulnerabilities-patched-in-splunk-enterprise/?web_view=true
2. https://nvd.nist.gov/vuln/detail/CVE-2023-32707
3. https://advisory.splunk.com/advisories/SVD-2023-0602
4. https://research.splunk.com/application/39e1c326-67d7-4c0d-8584-8056354f6593/
