Low-privileged User can View Hashed Default Splunk Password
Advisory ID: SVD-2023-0604
CVE ID: CVE-2023-32709
Published: 2023-06-01
Last Update: 2023-06-01
CVSSv3.1 Score: 4.3, Medium
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CWE: CWE-285
Bug ID: SPL-235016
Description
A low-privileged user who holds the ‘user’ role can see the hashed version of the initial user name and password for the Splunk instance by using the ‘rest’ SPL command against the ‘conf-user-seed’ REST endpoint.
Solution
For Splunk Enterprise, upgrade versions to 8.1.14, 8.2.11, 9.0.5, or higher.
For Splunk Cloud Platform, Splunk is actively patching and monitoring the Splunk Cloud instances.
Product Status
| Product | Version | Component | Affected Version | Fix Version |
|---|---|---|---|---|
| Splunk Enterprise | 8.1 | Splunk Web | 8.1.0 to 8.1.13 | 8.1.14 |
| Splunk Enterprise | 8.2 | Splunk Web | 8.2.0 to 8.2.10 | 8.2.11 |
| Splunk Enterprise | 9.0 | Splunk Web | 9.0.0 to 9.0.4 | 9.0.5 |
| Splunk Cloud Platform | Splunk Web | 9.0.2303 and below | 9.0.2303.100 |
Mitigations and Workarounds
N/A
Detections
This detection search provides information about a possible privilege escalation exploitation In Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14.
Severity
Splunk rated the vulnerability as Medium, 4.3, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
If the initial admin password has been changed, then there is no impact and the severity is Informational.
Acknowledgments
Anton (therceman)