Splunk is one of the most used SIEM (Security Incident and Event Management) tools worldwide.
Splunk can collect logs of all the configured events that can be used later to investigate security incidents.
Based on recent reports, Splunk was vulnerable to a Privilege escalation vulnerability which was discovered and reported.
The company has immediately patched this vulnerability on all Splunk versions.
CVE-2023-32707: ‘edit_user’ Capability Privilege Escalation
Any users with low privileges and has ‘edit_user’ capability can escalate their privileges to an admin user by sending a specially crafted web request to Splunk.
This was because of the fact that ‘edit_user’ does not connect with the ‘grantableRole’ setting in the authorize.conf configuration file, which could prevent this privilege escalation vulnerability.
Affected Products and Fix:
The Table below shows the products that were affected and the fixed version.
Product | Version | Component | Affected Version | Fix Version |
Splunk Enterprise | 8.1 | Splunk Web | 8.1.0 to 8.1.13 | 8.1.14 |
Splunk Enterprise | 8.2 | Splunk Web | 8.2.0 to 8.2.10 | 8.2.11 |
Splunk Enterprise | 9 | Splunk Web | 9.0.0 to 9.0.4 | 9.0.5 |
Splunk Cloud Platform | Splunk Web | 9.0.2303 and below | 9.0.2303.100 |
Mitigations and Workarounds:
- Other than admins, no other users must have the ‘edit_user’ capability.
- Do not provide an ‘edit_user’ role through which other roles will be inherited.
- Do not assign the ‘edit_user’ capability to users with low or no privileges.
All Splunk users are recommended to upgrade their Splunk versions to the latest versions.
Struggling to Apply The Security Patch in Your System? –
Try All-in-One Patch Manager Plus