Information Disclosure via the ‘copyresults’ SPL Command
Advisory ID: SVD-2023-0609
CVE ID: CVE-2023-32710
Published: 2023-06-01
Last Update: 2023-06-01
CVSSv3.1 Score: 4.8, Medium
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N
CWE: CWE-200
Bug ID: SPL-234996
Description
A low-privileged user can perform an unauthorized transfer of data from a search using the ‘copyresults’ command if they know the search ID (SID) of a search job that has recently run.
Solution
For Splunk Enterprise, upgrade to version 8.1.14, 8.2.11, 9.0.5, or higher.
For Splunk Cloud Platform, Splunk is actively patching and monitoring the Splunk Cloud instances.
Product Status
Product | Version | Component | Affected Version | Fix Version |
---|---|---|---|---|
Splunk Enterprise | 8.1 | Splunk Web | 8.1.0 to 8.1.13 | 8.1.14 |
Splunk Enterprise | 8.2 | Splunk Web | 8.2.0 to 8.2.10 | 8.2.11 |
Splunk Enterprise | 9.0 | Splunk Web | 9.0.0 to 9.0.4 | 9.0.5 |
Splunk Cloud Platform | | Splunk Web | 9.0.2303 and lower | 9.0.2303.100 |
Mitigations and Workarounds
N/A
Detections
None
Severity
Splunk rated the vulnerability as Medium, 4.8, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N.
Acknowledgments
Anton (therceman)