HTTP Response Splitting via the ‘rest’ SPL Command
Advisory ID: SVD-2023-0603
CVE ID: CVE-2023-32708
Published: 2023-06-01
Last Update: 2023-06-01
CVSSv3.1 Score: 7.2, High
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-113
Bug ID: SPL-235203
Description
A low-privileged user can trigger an HTTP response splitting vulnerability (CWE-113, improper neutralization of CR/LF sequences in HTTP headers) through the ‘rest’ SPL command. A successful exploit can let that user reach other REST endpoints on the instance arbitrarily, including viewing content their role would not otherwise permit.
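As an added illustration (not code from this advisory or from Splunk), the following shows the CWE-113 pattern in the general case: a handler that copies an attacker-controlled value into a response header lets one HTTP response be split into two, and a hardened handler that rejects CR/LF in the decoded value closes the hole. The handler, the parser and the payload are constructed for this example and do not reproduce the internal code path behind CVE-2023-32708.

```python
"""CWE-113 (HTTP response splitting) in miniature.

Added illustration: a generic handler that copies a caller-supplied value
into a response header, beside a hardened version. This is not Splunk code
and does not reproduce the internal path behind CVE-2023-32708; the
injected payload below is constructed for this example.
"""
import re

CRLF = "\r\n"
CTL = re.compile(r"[\r\n]")


def render_redirect_vulnerable(location: str, body: str = "") -> str:
    """Builds a 302 response, copying `location` into the header verbatim."""
    return (
        "HTTP/1.1 302 Found" + CRLF
        + "Location: " + location + CRLF
        + "Content-Length: " + str(len(body.encode())) + CRLF
        + CRLF + body
    )


def safe_header_value(value: str) -> str:
    """Hardened form: refuse anything that can terminate a header line.
    Apply this to the decoded value, i.e. after %0d%0a has been unescaped."""
    if CTL.search(value):
        raise ValueError("CR/LF is not allowed in a header value")
    return value


def render_redirect_hardened(location: str, body: str = "") -> str:
    """Same response, but the header value is validated first."""
    return render_redirect_vulnerable(safe_header_value(location), body)


def parse_responses(raw: str):
    """Parse a stream the way a naive client or cache would: message by
    message, using Content-Length. Returns [(status_line, headers, body), ...]."""
    messages = []
    pos = 0
    while True:
        head_end = raw.find(CRLF + CRLF, pos)
        if head_end < 0:
            break
        lines = raw[pos:head_end].split(CRLF)
        if not lines[0].startswith("HTTP/"):
            break  # trailing fragment, not a message
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        body_start = head_end + len(CRLF + CRLF)
        length = int(headers.get("content-length", "0"))
        messages.append((lines[0], headers, raw[body_start:body_start + length]))
        pos = body_start + length
    return messages


# Constructed payload: ends the intended response early and appends a second,
# attacker-authored one that a downstream consumer treats as genuine.
INJECTED_LOCATION = (
    "/app" + CRLF + "Content-Length: 0" + CRLF + CRLF
    + "HTTP/1.1 200 OK" + CRLF + "Content-Type: text/html" + CRLF
    + "Content-Length: 25" + CRLF + CRLF + "<script>alert(1)</script>"
)


def split_count(location: str) -> int:
    """Number of HTTP messages a consumer sees for one vulnerable redirect."""
    return len(parse_responses(render_redirect_vulnerable(location)))


def hardened_rejects(location: str) -> bool:
    """True if the hardened handler refuses to emit the value."""
    try:
        render_redirect_hardened(location)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable handler emits", split_count(INJECTED_LOCATION), "messages")
    print("hardened handler rejects payload:", hardened_rejects(INJECTED_LOCATION))
```

The same pattern applies to any server-side component that forwards a user-supplied string into a header or a request line of its own outbound HTTP call: validate after decoding, and reject rather than strip, so an attempt is visible in logs.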
Solution
For Splunk Enterprise, upgrade to 9.0.5, 8.2.11, or 8.1.14, or to a later release in the same version line.
For Splunk Cloud Platform, Splunk is monitoring and patching affected instances.
Product Status
Product | Version | Component | Affected Version | Fix Version |
---|---|---|---|---|
Splunk Enterprise | 8.1 | Splunk Web | 8.1.0 to 8.1.13 | 8.1.14 |
Splunk Enterprise | 8.2 | Splunk Web | 8.2.0 to 8.2.10 | 8.2.11 |
Splunk Enterprise | 9.0 | Splunk Web | 9.0.0 to 9.0.4 | 9.0.5 |
Splunk Cloud Platform | - | Splunk Web | 9.0.2303 and lower | 9.0.2303.100 |
Mitigations and Workarounds
For Splunk Enterprise, limit the number of searches a single search process can run by setting ‘max_searches_per_process’ in the limits.conf configuration file to either 1 or 0. Either value stops a search process from being reused for subsequent searches, at the cost of some process-start overhead per search, so treat it as a stopgap until the upgrade is applied.
For Splunk Cloud Platform, file a support ticket to adjust this configuration setting.
Detections
A detection search is available that surfaces possible HTTP response splitting exploitation in Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14.
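The detection search itself is not reproduced on this page. As an added example of the kind of check it implies (a heuristic written for this page, not Splunk's published detection), the following Python reads search-audit lines and flags any search whose ‘rest’ command argument carries a raw or URL-encoded CR/LF, including double-encoded forms. The audit lines are constructed to resemble Splunk's audit.log search records, the field layout is an assumption, and the payloads are illustrative rather than the real exploit for CVE-2023-32708.

```python
"""Heuristic detection for CR/LF injection through the 'rest' SPL command.

Added illustration, not Splunk's published detection search. It assumes an
exploitation attempt leaves a search-audit record whose 'search' field holds
the rest command with a CR/LF (raw or URL-encoded) in its argument. The log
lines below are constructed to resemble Splunk's audit.log format, and the
payloads are illustrative, not the real CVE-2023-32708 exploit.
"""
import re
from typing import List, Optional
from urllib.parse import unquote

# Assumed audit.log layout: user=<name>, ... action=search, ... search='<SPL>'
AUDIT_LINE = re.compile(
    r"user=(?P<user>[^,]+),.*?action=search,.*?search='(?P<search>[^']*)'"
)
# 'rest' as the first command or right after a pipe; \b excludes 'restart'
# and the regex shape excludes a field that merely happens to be named rest.
REST_CMD = re.compile(r"(?:^|\|)\s*rest\b", re.IGNORECASE)

SAMPLE_AUDIT_LINES = [  # constructed sample data
    "Audit:[timestamp=06-01-2023 09:00:01.100, user=alice, action=search, info=granted, "
    "search_id='1685610001.1', search='| rest /services/server/info | fields version']",
    "Audit:[timestamp=06-01-2023 09:00:02.200, user=bob, action=search, info=granted, "
    "search_id='1685610002.2', search='search index=main sourcetype=access_combined | stats count']",
    "Audit:[timestamp=06-01-2023 09:00:03.300, user=carol, action=search, info=granted, "
    "search_id='1685610003.3', search='| rest /services/server/info%0d%0aX-Injected:%20yes | fields host']",
    "Audit:[timestamp=06-01-2023 09:00:04.400, user=dave, action=search, info=granted, "
    "search_id='1685610004.4', search='| rest /services/data/indexes%250d%250aFoo:%20bar']",
    "Audit:[timestamp=06-01-2023 09:00:05.500, user=erin, action=search, info=granted, "
    "search_id='1685610005.5', search='search index=web uri=\"*%0d%0a*\" | stats count by uri']",
]


def contains_crlf(value: str, max_decode_rounds: int = 3) -> bool:
    """True if CR or LF appears in value, or after up to a few URL-decoding passes."""
    current = value
    for _ in range(max_decode_rounds):
        if "\r" in current or "\n" in current:
            return True
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return "\r" in current or "\n" in current


def rest_argument(search: str) -> Optional[str]:
    """Text following the rest command up to the next pipe, or None if absent."""
    m = REST_CMD.search(search)
    if not m:
        return None
    return search[m.end():].split("|", 1)[0].strip()


def find_suspicious(lines) -> List[dict]:
    """Return {user, search} for every audit record whose rest argument carries CR/LF."""
    findings = []
    for line in lines:
        m = AUDIT_LINE.search(line)
        if not m:
            continue
        arg = rest_argument(m["search"])
        if arg is not None and contains_crlf(arg):
            findings.append({"user": m["user"], "search": m["search"]})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_AUDIT_LINES):
        print(f"{finding['user']}: {finding['search']}")
```

Erin's search is deliberately not flagged: it contains %0d%0a, but only inside a search term, not as an argument to ‘rest’. In a real deployment, tune the rule by user role and by the REST paths that legitimate ‘rest’ usage touches, and run it against the affected-version ranges listed in the product status table.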
Severity
Splunk rated the vulnerability as High, 7.2, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. Note that the vector's PR:H (privileges required: high) differs from the "low-privileged user" wording in the description; the 7.2 score follows from the vector as given.
Acknowledgments
Danylo Dmytriiev (DDV_UA)