HTTP Response Splitting via the ‘rest’ SPL Command

Advisory ID: SVD-2023-0603

CVE ID: CVE-2023-32708

Published: 2023-06-01

Last Update: 2023-06-01

CVSSv3.1 Score: 7.2, High

CWE: CWE-113

Bug ID: SPL-235203

Description

A low-privileged user can trigger an HTTP response splitting vulnerability through the ‘rest’ SPL command. By injecting line breaks into the request the command builds, the user could potentially reach other REST endpoints in the system arbitrarily, including viewing restricted content.
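The following is an added illustration of the bug class behind this advisory (CWE-113, HTTP response splitting via CRLF injection). It is example code written for this page, not the implementation of Splunk's ‘rest’ command: the request builder, the host name and the endpoint paths are assumptions chosen to show how a percent-encoded CR/LF in a caller-supplied endpoint turns one request into two, and what the hardened form checks before building the message.

```python
# Added illustration of CWE-113 (HTTP response splitting via CRLF injection).
# Example code for this page, not Splunk's 'rest' command implementation;
# the request builder, host name and endpoint paths are assumptions.
from urllib.parse import unquote

CRLF = "\r\n"
HOST = "splunk.example"  # hypothetical host


def build_request_unsafe(endpoint: str) -> str:
    """Vulnerable: decode a caller-supplied REST endpoint and splice it
    straight into the HTTP request. A %0d%0a sequence in the endpoint
    therefore becomes a real line break inside the message."""
    decoded = unquote(endpoint)
    return f"GET {decoded} HTTP/1.1{CRLF}Host: {HOST}{CRLF}{CRLF}"


def build_request_safe(endpoint: str) -> str:
    """Hardened: require an absolute path and reject any control character
    (CR and LF included) after decoding, before building the request."""
    decoded = unquote(endpoint)
    if not decoded.startswith("/"):
        raise ValueError("endpoint must be an absolute path")
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in decoded):
        raise ValueError("control character in endpoint")
    return f"GET {decoded} HTTP/1.1{CRLF}Host: {HOST}{CRLF}{CRLF}"


def count_request_lines(raw: str) -> int:
    """Count how many request lines a line-oriented HTTP parser would see
    in the message; a value above 1 means the message was split."""
    return sum(1 for line in raw.split(CRLF) if line.startswith(("GET ", "POST ")))


# Constructed inputs: a benign endpoint, and one carrying an encoded CRLF
# pair followed by a second, attacker-chosen request line.
BENIGN = "/services/server/info"
SPLIT = "/services/server/info%0d%0a%0d%0aGET /services/authentication/users HTTP/1.1"

if __name__ == "__main__":
    print(count_request_lines(build_request_unsafe(BENIGN)))  # 1
    print(count_request_lines(build_request_unsafe(SPLIT)))   # 2
    try:
        build_request_safe(SPLIT)
    except ValueError as exc:
        print("rejected:", exc)
```

The check in `build_request_safe` runs after decoding on purpose: validating the raw, still-encoded string would let `%0d%0a` (or a double-encoded `%250d%250a` decoded later by another layer) pass through untouched.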

Solution

For Splunk Enterprise, upgrade to version 9.0.5, 8.2.11, 8.1.14, or higher.

For Splunk Cloud Platform, Splunk is monitoring and patching affected instances.

Product Status

Product                Version  Component   Affected Version    Fix Version
Splunk Enterprise      8.1      Splunk Web  8.1.0 to 8.1.13     8.1.14
Splunk Enterprise      8.2      Splunk Web  8.2.0 to 8.2.10     8.2.11
Splunk Enterprise      9.0      Splunk Web  9.0.0 to 9.0.4      9.0.5
Splunk Cloud Platform  -        Splunk Web  9.0.2303 and lower  9.0.2303.100

Mitigations and Workarounds

For Splunk Enterprise, limit the number of searches a single search process can run by editing the limits.conf configuration file and setting ‘max_searches_per_process’ in the [search] stanza to a value of either 1 or 0.

For Splunk Cloud Platform, file a support ticket to adjust this configuration setting.

Detections

Splunk provides a detection search that surfaces possible HTTP response splitting exploitation attempts in Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14.
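As an added example of the detection logic this advisory calls for, the block below scans search audit events for the ‘rest’ command combined with a CR/LF (raw, percent-encoded, or double-encoded) in the search text. It is written for this page and is not the detection search Splunk publishes; the audit line format is a simplified, constructed approximation of Splunk _audit events, and the sample events are made up.

```python
# Added example of detection logic for this advisory's bug class. Written for
# this page; not Splunk's published detection search. The audit line format
# below is a simplified, constructed approximation of Splunk _audit events.
import re
from urllib.parse import unquote

SEARCH_FIELD = re.compile(r"search='([^']*)'")
USER_FIELD = re.compile(r"\buser=([^,\s]+)")
# The 'rest' command at the start of the search or right after a pipe.
REST_CMD = re.compile(r"(?:^|\|)\s*rest\b", re.IGNORECASE)
CRLF = re.compile(r"[\r\n]")


def contains_crlf(text: str) -> bool:
    """True if the text carries a CR or LF literally, percent-encoded
    (%0d / %0a) or double-encoded (%250d / %250a)."""
    candidate = text
    for _ in range(3):
        if CRLF.search(candidate):
            return True
        candidate = unquote(candidate)
    return False


def find_rest_splitting(lines):
    """Return (user, search) pairs for audit events whose search invokes
    'rest' and carries a CR/LF somewhere in the search text."""
    hits = []
    for line in lines:
        m = SEARCH_FIELD.search(line)
        if not m:
            continue
        spl = m.group(1)
        if REST_CMD.search(spl) and contains_crlf(spl):
            u = USER_FIELD.search(line)
            hits.append((u.group(1) if u else "?", spl))
    return hits


# Constructed sample events (not real log data): one ordinary search, one
# legitimate 'rest' call, two 'rest' calls with injected line breaks, and a
# search that merely mentions %0d%0a in a filter value without calling 'rest'.
SAMPLE_AUDIT = [
    "Audit:[timestamp=06-01-2023 10:00:01.000, user=analyst, action=search, info=granted, search='index=main error | stats count']",
    "Audit:[timestamp=06-01-2023 10:00:02.000, user=lowpriv, action=search, info=granted, search='| rest /services/server/info splunk_server=local']",
    "Audit:[timestamp=06-01-2023 10:00:03.000, user=lowpriv, action=search, info=granted, search='| rest /services/server/info%0d%0aX-Injected: 1']",
    "Audit:[timestamp=06-01-2023 10:00:04.000, user=lowpriv, action=search, info=granted, search='| rest /services/server/info%250d%250a%250d%250aGET /services/authentication/users']",
    "Audit:[timestamp=06-01-2023 10:00:05.000, user=analyst, action=search, info=granted, search='index=web uri=\"/a%0d%0ab\" | stats count']",
]

if __name__ == "__main__":
    for user, spl in find_rest_splitting(SAMPLE_AUDIT):
        print(f"{user}: {spl!r}")
```

Requiring both the ‘rest’ command and a line break keeps the rule quiet on searches that merely filter on encoded values; a CR/LF in a ‘rest’ argument has no legitimate use, so each hit is worth reviewing against the user's expected privileges.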

Severity

Splunk rated the vulnerability as High, 7.2, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H.

Acknowledgments

Danylo Dmytriiev (DDV_UA)