Information Disclosure via the ‘copyresults’ SPL Command
Advisory ID: SVD-2023-0609
CVE ID: CVE-2023-32710
Last Update: 2023-06-01
CVSSv3.1 Score: 4.8, Medium
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N
Bug ID: SPL-234996
A low-privileged user can perform an unauthorized transfer of data from a search using the ‘copyresults’ command if they know the search ID (SID) of a search job that has recently run.
For Splunk Enterprise, upgrade to version 8.1.14, 8.2.11, 9.0.5, or higher.
For Splunk Cloud Platform, Splunk is actively patching and monitoring the Splunk Cloud instances.
| Product | Version | Component | Affected Version | Fix Version |
|---|---|---|---|---|
| Splunk Enterprise | 8.1 | Splunk Web | 8.1.0 to 8.1.13 | 8.1.14 |
| Splunk Enterprise | 8.2 | Splunk Web | 8.2.0 to 8.2.10 | 8.2.11 |
| Splunk Enterprise | 9.0 | Splunk Web | 9.0.0 to 9.0.4 | 9.0.5 |
| Splunk Cloud Platform | | Splunk Web | 9.0.2303 and lower | 9.0.2303.100 |
Mitigations and Workarounds
Splunk rated the vulnerability as Medium, 4.8, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N.
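A detection sketch for the behaviour this advisory describes, added here as an example and not taken from Splunk: it scans search audit events for ‘copyresults’ calls whose SID belongs to a job that a different user ran, or to a job not seen in the log window. The key=value event layout, the field names as parsed, and the sample lines are constructed assumptions; adapt the parsing to your own audit data.

```python
import re

# Constructed sample events in an assumed, simplified key=value layout.
# Real audit events carry more fields and may quote values differently.
SAMPLE_EVENTS = [
    "user=admin, action=search, info=granted, search_id='1685600000.11', search='search index=hr salary'",
    "user=bob, action=search, info=granted, search_id='1685600100.12', search='search index=web status=500'",
    "user=bob, action=search, info=granted, search_id='1685600200.13', search='| copyresults dest=placeholder.csv sid=1685600000.11'",
    "user=bob, action=search, info=granted, search_id='1685600300.14', search='| copyresults dest=placeholder.csv sid=1685600100.12'",
    "user=eve, action=search, info=granted, search_id='1685600400.15', search='| copyresults dest=placeholder.csv sid=1685599999.01'",
]

# Pulls the submitting user, the job's own SID and the search string.
EVENT = re.compile(
    r"user=(?P<user>[^,]+), .*?search_id='(?P<sid>[^']+)', search='(?P<search>.*)'$"
)
# Finds the SID that a copyresults invocation points at (same pipeline stage).
COPY = re.compile(r"\bcopyresults\b[^|]*?\bsid=\"?(?P<sid>[\w.\-]+)", re.IGNORECASE)


def find_cross_user_copyresults(lines):
    """Return (user, referenced_sid, sid_owner) for each suspicious copyresults use.

    A use is suspicious when the referenced SID was created by another user,
    or when its owner cannot be resolved from the events supplied ("unknown").
    """
    owner = {}      # SID -> user who ran that job, built as events are read
    findings = []
    for line in lines:
        event = EVENT.search(line)
        if not event:
            continue  # not a search audit event in the assumed layout
        user, sid, search = event["user"], event["sid"], event["search"]
        owner[sid] = user
        copy = COPY.search(search)
        if not copy:
            continue
        target_owner = owner.get(copy["sid"])
        if target_owner == user:
            continue  # user is copying results of their own job
        findings.append((user, copy["sid"], target_owner or "unknown"))
    return findings


if __name__ == "__main__":
    for user, sid, sid_owner in find_cross_user_copyresults(SAMPLE_EVENTS):
        print(f"{user} ran copyresults against SID {sid} (owner: {sid_owner})")
```

Findings with an "unknown" owner usually mean the original job predates the events supplied, so widen the time range before triaging them.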