‘edit_user’ Capability Privilege Escalation

Advisory ID: SVD-2023-0602

CVE ID: CVE-2023-32707

Published: 2023-06-01

Last Update: 2023-06-01

CVSSv3.1 Score: 8.8, High

CWE: CWE-285

Bug ID: SPL-232088

Description

A low-privileged user who holds a role that has the ‘edit_user’ capability assigned to it can escalate their privileges to those of the admin user by sending a specially crafted web request. This is possible because the ‘edit_user’ capability does not honor the ‘grantableRoles’ setting in the authorize.conf configuration file, the setting that is intended to restrict which roles a user can grant and so to prevent this scenario.

Solution

For Splunk Enterprise, upgrade to version 9.0.5, 8.2.11, 8.1.14, or higher.

For Splunk Cloud Platform, Splunk is actively patching and monitoring the Splunk Cloud instances.

Product Status

Product                Version  Component   Affected Version     Fix Version
Splunk Enterprise      8.1      Splunk Web  8.1.0 to 8.1.13      8.1.14
Splunk Enterprise      8.2      Splunk Web  8.2.0 to 8.2.10      8.2.11
Splunk Enterprise      9.0      Splunk Web  9.0.0 to 9.0.4       9.0.5
Splunk Cloud Platform  -        Splunk Web  9.0.2303 and below   9.0.2303.100

Mitigations and Workarounds

Confirm that no role other than the admin role, or its equivalent, has the ‘edit_user’ capability assigned to it. Also confirm that you neither assign the ‘edit_user’ capability to a role from which other roles inherit, nor assign a role that holds the capability to a user with low or no privileges.
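The check above has to account for role inheritance: a role that never lists ‘edit_user’ itself still holds it if any role in its importRoles chain does. The following script is an added example, not Splunk's own tooling, that parses an authorize.conf, resolves importRoles transitively, and reports every role other than admin that ends up with ‘edit_user’, together with that role's own ‘grantableRoles’ setting (which, on affected versions, does not protect you). It assumes the documented authorize.conf layout ([role_<name>] stanzas, semicolon-separated importRoles and grantableRoles, capabilities written as <capability> = enabled); the sample configuration embedded below is constructed for the example.

```python
"""Audit a Splunk authorize.conf for roles that hold edit_user.

Added example, not Splunk's own code. Assumes the documented authorize.conf
syntax: [role_<name>] stanzas, importRoles/grantableRoles as ';'-separated
lists, and capabilities as '<cap> = enabled'.
"""
import configparser
from typing import Dict, List, Set, Tuple

# Constructed sample (not from a real deployment): "helpdesk" is a low-privilege
# role that was given edit_user directly, and "support_l2" inherits it via
# importRoles without ever naming the capability itself.
SAMPLE_AUTHORIZE_CONF = """
[role_admin]
importRoles = power;user
edit_user = enabled
grantableRoles = admin;power;user

[role_power]
importRoles = user
schedule_search = enabled

[role_user]
search = enabled

[role_helpdesk]
importRoles = user
edit_user = enabled
grantableRoles = user

[role_support_l2]
importRoles = helpdesk
"""


def _split_list(value: str) -> List[str]:
    """Split a ';'-separated authorize.conf list, dropping empty entries."""
    return [item.strip() for item in value.split(";") if item.strip()]


def parse_roles(text: str) -> Dict[str, dict]:
    """Return {role_name: {"imports": [...], "grantable": [...], "caps": {...}}}."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep capability names case-sensitive
    parser.read_string(text)
    roles: Dict[str, dict] = {}
    for section in parser.sections():
        if not section.startswith("role_"):
            continue
        name = section[len("role_"):]
        items = dict(parser.items(section))
        imports = _split_list(items.pop("importRoles", ""))
        grantable = _split_list(items.pop("grantableRoles", ""))
        # Every remaining key set to "enabled" is a capability held directly.
        caps: Set[str] = {k for k, v in items.items() if v.strip().lower() == "enabled"}
        roles[name] = {"imports": imports, "grantable": grantable, "caps": caps}
    return roles


def effective_capabilities(roles: Dict[str, dict], name: str, _seen: Set[str] = None) -> Set[str]:
    """Capabilities a role holds directly or through importRoles, transitively.

    The _seen set guards against import cycles and unknown role names.
    """
    seen = _seen if _seen is not None else set()
    if name in seen or name not in roles:
        return set()
    seen.add(name)
    caps = set(roles[name]["caps"])
    for parent in roles[name]["imports"]:
        caps |= effective_capabilities(roles, parent, seen)
    return caps


def roles_with_capability(roles: Dict[str, dict], capability: str = "edit_user") -> List[str]:
    """All roles whose effective capability set contains `capability`, sorted."""
    return sorted(r for r in roles if capability in effective_capabilities(roles, r))


def audit_edit_user(text: str, trusted: Tuple[str, ...] = ("admin",)) -> List[Tuple[str, str, List[str]]]:
    """Report (role, 'direct'|'inherited', own grantableRoles) for every
    non-trusted role that ends up holding edit_user."""
    roles = parse_roles(text)
    findings = []
    for role in roles_with_capability(roles, "edit_user"):
        if role in trusted:
            continue
        how = "direct" if "edit_user" in roles[role]["caps"] else "inherited"
        findings.append((role, how, roles[role]["grantable"]))
    return findings


if __name__ == "__main__":
    for role, how, grantable in audit_edit_user(SAMPLE_AUTHORIZE_CONF):
        print(f"{role}: holds edit_user ({how}); grantableRoles={grantable or 'unset'}")
```

To run it against a live deployment, feed it the merged configuration rather than a single file, since authorize.conf is layered across apps; `$SPLUNK_HOME/bin/splunk btool authorize list` prints the merged stanzas in the same format. Any role the script reports, other than admin, is one to strip the capability from (or to stop assigning to low-privilege users) until the instance is on a fixed version.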

Detections

Splunk provides a detection search that surfaces possible privilege escalation exploitation attempts in versions of Splunk Enterprise below 9.0.5, 8.2.11, and 8.1.14.

Severity

Splunk rated the vulnerability as High, 8.8, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.

Acknowledgments

Mr Hack (try_to_hack) Santiago Lopez