HTTP Response Splitting via the ‘rest’ SPL Command
Advisory ID: SVD-2023-0603
CVE ID: CVE-2023-32708
Last Update: 2023-06-01
CVSSv3.1 Score: 7.2, High
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Bug ID: SPL-235203
A low-privileged user can trigger an HTTP response splitting vulnerability through the ‘rest’ SPL command, which potentially lets them access other REST endpoints on the system arbitrarily, including viewing restricted content.
For Splunk Enterprise, upgrade to version 9.0.5, 8.2.11, 8.1.14, or higher.
For Splunk Cloud Platform, Splunk is monitoring and patching affected instances.
|Product|Version|Component|Affected Version|Fix Version|
|---|---|---|---|---|
|Splunk Enterprise|8.1|Splunk Web|8.1.0 to 8.1.13|8.1.14|
|Splunk Enterprise|8.2|Splunk Web|8.2.0 to 8.2.10|8.2.11|
|Splunk Enterprise|9.0|Splunk Web|9.0.0 to 9.0.4|9.0.5|
|Splunk Cloud Platform| |Splunk Web|9.0.2303 and lower|9.0.2303.100|
Mitigations and Workarounds
For Splunk Enterprise, limit the number of searches a process can run by editing the limits.conf configuration file and giving the ‘max_searches_per_process’ setting a value of either 1 or 0.
For Splunk Cloud Platform, file a support ticket to adjust this configuration setting.
This detection search provides information about possible HTTP response splitting exploitation in Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14.
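The advisory refers to a detection search but does not reproduce it. The query below is an added, constructed example and is not Splunk's own detection content: it hunts the internal `_audit` index for searches that invoke the `rest` command and carry carriage-return or line-feed characters, literal or URL-encoded, in the search string, which is the kind of input an HTTP response splitting attempt relies on. It assumes audit logging is enabled and uses the standard `_audit` fields `action`, `info`, `user` and `search`; the regular expressions are heuristics and will need tuning to your environment.

```spl
index=_audit action=search info=granted search=*
| regex search="(?i)\|\s*rest\b"
| regex search="(?i)(%0d|%0a|[\x0d\x0a])"
| stats count
        earliest(_time) AS first_seen
        latest(_time) AS last_seen
        values(search) AS suspicious_searches
        by user
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"),
       last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort - count
```

Run it over the period before and after patching to see whether any account issued such searches; the `info=granted` filter keeps one audit event per search rather than one per lifecycle stage. To confirm the workaround from the advisory is in effect on an unpatched Splunk Enterprise host, inspecting the effective value of `max_searches_per_process` in `limits.conf` (for example with `splunk btool limits list`) is the check to pair with this search.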
Splunk rated the vulnerability as High, 7.2, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H.
Danylo Dmytriiev (DDV_UA)