‘edit_user’ Capability Privilege Escalation
Advisory ID: SVD-2023-0602
CVE ID: CVE-2023-32707
Published: 2023-06-01
Last Update: 2023-06-01
CVSSv3.1 Score: 8.8, High
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-285
Bug ID: SPL-232088
Description
A low-privileged user who holds a role that has the ‘edit_user’ capability assigned to it can escalate their privileges to that of the admin user by providing a specially crafted web request. This is because the ‘edit_user’ capability does not honor the ‘grantableRoles’ setting in the authorize.conf configuration file, which prevents this scenario from happening.
Solution
For Splunk Enterprise, upgrade versions to 9.0.5, 8.2.11, 8.1.14, or higher.
For Splunk Cloud Platform, Splunk is actively patching and monitoring the Splunk Cloud instances.
Product Status
| Product | Version | Component | Affected Version | Fix Version |
|---|---|---|---|---|
| Splunk Enterprise | 8.1 | Splunk Web | 8.1.0 to 8.1.13 | 8.1.14 |
| Splunk Enterprise | 8.2 | Splunk Web | 8.2.0 to 8.2.10 | 8.2.11 |
| Splunk Enterprise | 9.0 | Splunk Web | 9.0.0 to 9.0.4 | 9.0.5 |
| Splunk Cloud Platform | Splunk Web | 9.0.2303 and below | 9.0.2303.100 |
Mitigations and Workarounds
Confirm that no role, other than the admin role or its equivalent, has the ‘edit_user’ capability assigned to it. Confirm that you neither assign the ‘edit_user’ capability to a role from which other roles inherit, nor that you assign a role with the capability to a user with low or no privileges.
Detections
This detection search provides information on possible privilege escalation exploitation attempts in versions of Splunk Enterprise below 9.0.5, 8.2.11, and 8.1.14.
Severity
Splunk rated the vulnerability as High, 8.8, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.
Acknowledgments
Mr Hack (try_to_hack) Santiago Lopez