HTTP Response Splitting via the ‘rest’ SPL Command
Advisory ID: SVD-2023-0603
CVE ID: CVE-2023-32708
Published: 2023-06-01
Last Update: 2023-06-01
CVSSv3.1 Score: 7.2, High
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-113
Bug ID: SPL-235203
Description
A low-privileged user can trigger an HTTP response splitting vulnerability with the ‘rest’ SPL command that lets them potentially access other REST endpoints in the system arbitrarily, including viewing restricted content.
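The bug class behind the CWE-113 classification, as an added illustration that is not Splunk's code and does not model how the ‘rest’ command builds its request: a server-side builder that copies a caller-controlled value into an HTTP header verbatim, the hardened form that refuses CR/LF before the value reaches the wire, and a minimal Content-Length-framed parse showing why a client or cache that reads the bytes sees two responses instead of one. The function names and the payload are constructed for this example.

```python
"""Added illustration of CWE-113 (HTTP response splitting). This is not
Splunk's code and does not model the 'rest' SPL command; it shows the bug
class the advisory classifies the issue under."""
import re

CRLF = "\r\n"

# Constructed attack value: ends the first header block early and supplies a
# complete second response that a client or cache would parse on its own.
SPLITTING_PAYLOAD = (
    "/ok" + CRLF
    + "Content-Length: 0" + CRLF + CRLF
    + "HTTP/1.1 200 OK" + CRLF
    + "Content-Type: text/html" + CRLF
    + "Content-Length: 17" + CRLF + CRLF
    + "<h1>injected</h1>"
)


def build_response_unsafe(location: str, body: str = "") -> bytes:
    """Vulnerable builder: the header value is copied verbatim."""
    return (
        "HTTP/1.1 302 Found" + CRLF
        + "Location: " + location + CRLF
        + "Content-Length: " + str(len(body)) + CRLF
        + CRLF + body
    ).encode("latin-1")


_FORBIDDEN_IN_HEADER = re.compile(r"[\r\n\x00]")


def accepts_header_value(value: str) -> bool:
    """Hardened check: reject CR, LF and NUL before they reach the wire."""
    return _FORBIDDEN_IN_HEADER.search(value) is None


def build_response_safe(location: str, body: str = "") -> bytes:
    """Same builder, but refuses values that could split the response."""
    if not accepts_header_value(location):
        raise ValueError("CR/LF in header value: possible response splitting")
    return build_response_unsafe(location, body)


def parse_responses(raw: bytes) -> list:
    """Parse a byte stream as consecutive HTTP/1.x responses using
    Content-Length framing only, the way a pipelining client or a cache
    would. Returns one dict per response found."""
    responses = []
    pos = 0
    while pos < len(raw):
        head_end = raw.find(b"\r\n\r\n", pos)
        if head_end < 0:
            break
        lines = raw[pos:head_end].decode("latin-1").split(CRLF)
        if not lines[0].startswith("HTTP/"):
            break  # trailing bytes that are not a status line
        status = int(lines[0].split(" ")[1])
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get("content-length", "0"))
        body_start = head_end + 4
        responses.append({
            "status": status,
            "headers": headers,
            "body": raw[body_start:body_start + length],
        })
        pos = body_start + length
    return responses


if __name__ == "__main__":
    split = parse_responses(build_response_unsafe(SPLITTING_PAYLOAD))
    print(len(split), "responses from the vulnerable builder; second body:",
          split[1]["body"])
    try:
        build_response_safe(SPLITTING_PAYLOAD)
    except ValueError as exc:
        print("hardened builder refused:", exc)
```

The fix is a whitelist on the header value rather than a blacklist of known payload shapes; percent-encoded `%0d%0a` is harmless here only because the builder does not decode it, so any layer that decodes before interpolating must apply the same check after decoding.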
Solution
For Splunk Enterprise, upgrade to version 9.0.5, 8.2.11, 8.1.14, or higher.
For Splunk Cloud Platform, Splunk is monitoring and patching affected instances.
Product Status
Product | Version | Component | Affected Version | Fix Version |
---|---|---|---|---|
Splunk Enterprise | 8.1 | Splunk Web | 8.1.0 to 8.1.13 | 8.1.14 |
Splunk Enterprise | 8.2 | Splunk Web | 8.2.0 to 8.2.10 | 8.2.11 |
Splunk Enterprise | 9.0 | Splunk Web | 9.0.0 to 9.0.4 | 9.0.5 |
Splunk Cloud Platform | - | Splunk Web | 9.0.2303 and lower | 9.0.2303.100 |
Mitigations and Workarounds
For Splunk Enterprise, limit the number of searches a process can run by editing the limits.conf configuration file and giving the ‘max_searches_per_process’ setting a value of either 1 or 0.
For Splunk Cloud Platform, file a support ticket to adjust this configuration setting.
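The workaround as a configuration fragment, added here as an example and not taken from the advisory. It assumes the setting lives in the [search] stanza of limits.conf (where max_searches_per_process is defined in the limits.conf spec) and that the file edited is the system-local one, which overrides system/default; the commented stanza shows the shape of the pre-workaround configuration without asserting the shipped default value.

```ini
# $SPLUNK_HOME/etc/system/local/limits.conf
# Added example for the SVD-2023-0603 workaround; not shipped Splunk config.
# Assumption: max_searches_per_process belongs to the [search] stanza.

# Before (shape only; the shipped default is not stated here): one search
# process is reused for many searches.
# [search]
# max_searches_per_process = <N greater than 1>

# Workaround from the advisory: each search process runs a single search.
# The advisory says 1 or 0 both achieve this.
[search]
max_searches_per_process = 1
```

Verify the effective value with `splunk btool limits list search --debug` (which also reports which file the value came from) and restart Splunk Enterprise so the search processes pick it up. Expect a throughput cost: every search now pays for process startup, so treat this as a stopgap until the fixed version is installed.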
Detections
A detection search is available that provides information about possible exploitation of this HTTP response splitting vulnerability in Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14.
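An added detection sketch in Python, not the Splunk detection search referred to above: it runs over constructed, simplified audit-style search records (the field layout is an assumption for this example, not Splunk's exact _audit format) and flags every ‘rest’ command invocation whose arguments carry raw, backslash-escaped, or percent-encoded CR/LF, the ingredient of CWE-113. User names, endpoints and payloads in the sample records are constructed.

```python
"""Added detection sketch for CR/LF in 'rest' SPL command arguments.
Not the Splunk-provided detection search; the record layout below is a
constructed simplification of a search-audit event."""
import re

# Constructed sample records (simplified; not Splunk's exact _audit format).
SAMPLE_AUDIT = [
    "Audit:[timestamp=06-01-2023 09:00:01.000, user=alice, action=search, "
    "info=granted, search='search index=web status=500 | stats count']",
    "Audit:[timestamp=06-01-2023 09:00:07.000, user=bob, action=search, "
    "info=granted, search='| rest /services/server/info']",
    "Audit:[timestamp=06-01-2023 09:01:15.000, user=mallory, action=search, "
    "info=granted, search='| rest /services/server/info%0d%0aX-Injected:%201']",
    "Audit:[timestamp=06-01-2023 09:01:40.000, user=mallory, action=search, "
    "info=granted, search='| rest splunk_server=local "
    "/services/server/info\\r\\n\\r\\nX-Injected: 1']",
    "Audit:[timestamp=06-01-2023 09:02:02.000, user=carol, action=search, "
    "info=denied, search='| rest /services/authentication/users | table title']",
]

SEARCH_FIELD = re.compile(r"search='(?P<spl>.*)'\]\s*$")
USER_FIELD = re.compile(r"\buser=(?P<user>[^,\]]+)")
# Arguments of each `rest` command: from the command word to the next pipe.
REST_CMD = re.compile(r"(?:^|\|)\s*rest\b(?P<args>[^|]*)", re.IGNORECASE)
# Raw CR/LF, backslash escapes, single or double percent-encoding.
# Assumption for this example: other encodings need their own patterns.
CRLF_INDICATOR = re.compile(r"\r|\n|\\r|\\n|%(?:25)?0[dDaA]")


def rest_command_args(spl: str) -> list:
    """Return the argument text of every `rest` command in an SPL string."""
    return [m.group("args") for m in REST_CMD.finditer(spl)]


def find_response_splitting_attempts(records) -> list:
    """Return one finding per `rest` invocation whose arguments carry a
    CR/LF indicator. Denied searches are included on purpose: the attempt
    itself is the signal, whether or not it was allowed to run."""
    findings = []
    for record in records:
        m = SEARCH_FIELD.search(record)
        if not m:
            continue
        u = USER_FIELD.search(record)
        user = u.group("user") if u else "unknown"
        for args in rest_command_args(m.group("spl")):
            hit = CRLF_INDICATOR.search(args)
            if hit:
                findings.append({
                    "user": user,
                    "indicator": hit.group(0),
                    "rest_args": args.strip(),
                })
    return findings


if __name__ == "__main__":
    for f in find_response_splitting_attempts(SAMPLE_AUDIT):
        print(f"{f['user']}: indicator {f['indicator']!r} "
              f"in rest {f['rest_args']!r}")
```

Legitimate ‘rest’ searches (bob, carol) produce no findings, so the rule can be tuned on the indicator set rather than on who may run the command. Whatever the real detection matches on, a hit from an account that is not expected to call REST endpoints from search should be triaged against the patch status in the Product Status table.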
Severity
Splunk rated the vulnerability as High, 7.2, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H.
Acknowledgments
Danylo Dmytriiev (DDV_UA)