Role-based Access Control (RBAC) Bypass on '/services/indexing/preview' REST Endpoint Can Overwrite Search Results
Advisory ID: SVD-2023-0612
CVE ID: CVE-2023-32717
Last Update: 2023-06-01
CVSSv3.1 Score: 4.3, Medium
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Bug ID: SPL-237454
An unauthorized user can access the ‘/services/indexing/preview’ REST endpoint to overwrite search results if they know the search ID (SID) of an existing search job. This is because the endpoint does not honor role-based access controls (RBAC) with respect to SID ownership. The exploit requires that the user hold a role that has the ‘edit_monitor’ and ‘edit_upload_and_index’ capabilities assigned to it.
For Splunk Enterprise, upgrade to version 9.0.5, 8.2.11, or 8.1.14, or a later release in the same line.
For Splunk Cloud Platform, Splunk is monitoring and patching affected instances.
| Product | Version | Component | Affected Version | Fix Version |
|---|---|---|---|---|
| Splunk Enterprise | 8.1 | Splunk Web | 8.1.0 to 8.1.13 | 8.1.14 |
| Splunk Enterprise | 8.2 | Splunk Web | 8.2.0 to 8.2.10 | 8.2.11 |
| Splunk Enterprise | 9.0 | Splunk Web | 9.0.0 to 9.0.4 | 9.0.5 |
| Splunk Cloud Platform | | Splunk Web | 9.0.2303 and below | 9.0.2303.100 |
Mitigations and Workarounds
Remove the ‘edit_monitor’ and ‘edit_upload_and_index’ capabilities from roles that low-privilege user accounts hold. Ensure that all REST endpoints have the proper access control lists (ACLs) applied to them.
This detection search provides information on possible role-based access control bypass exploits in versions of Splunk Enterprise below 9.0.5, 8.2.11, and 8.1.14.
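As an added example (not Splunk's own detection search or tooling), the script below covers both the workaround and the detection side of this advisory: it flags roles whose effective capability set includes both ‘edit_monitor’ and ‘edit_upload_and_index’, and it extracts POST requests to ‘/services/indexing/preview’ from access-log lines so they can be correlated with the SID owner. The role JSON shape (an `entry` list with `capabilities` and `imported_capabilities` under `content`) and the splunkd_access line layout are assumptions, and the sample data is constructed.

```python
import json
import re

# Capabilities the advisory names as required to reach the vulnerable endpoint.
REQUIRED_CAPS = {"edit_monitor", "edit_upload_and_index"}
ENDPOINT = "/services/indexing/preview"

# Constructed sample shaped like /services/authorization/roles?output_mode=json
# (assumption: 'capabilities' and 'imported_capabilities' lists under 'content').
SAMPLE_ROLES = json.dumps({"entry": [
    {"name": "admin", "content": {
        "capabilities": ["edit_monitor", "edit_upload_and_index", "admin_all_objects"],
        "imported_capabilities": []}},
    {"name": "power", "content": {
        "capabilities": ["schedule_search"],
        "imported_capabilities": ["edit_monitor", "edit_upload_and_index"]}},
    {"name": "user", "content": {"capabilities": ["search"], "imported_capabilities": []}},
]})

# Constructed splunkd_access-style lines (assumption about the exact field layout).
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - alice [01/Jun/2023:10:00:01.000 +0000] "POST /services/indexing/preview?sid=1685613600.12 HTTP/1.1" 200 512 - - - 4ms
10.0.0.7 - bob [01/Jun/2023:10:00:02.000 +0000] "GET /services/search/jobs HTTP/1.1" 200 2048 - - - 2ms
10.0.0.9 - carol [01/Jun/2023:10:00:03.000 +0000] "POST /services/indexing/preview HTTP/1.1" 200 300 - - - 3ms
"""

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def roles_with_required_caps(roles_json: str) -> dict:
    """Map role name -> effective capabilities for roles holding BOTH required capabilities.
    Inherited (imported) capabilities count: members of the role get them too."""
    flagged = {}
    for entry in json.loads(roles_json)["entry"]:
        content = entry.get("content", {})
        effective = set(content.get("capabilities", [])) | set(content.get("imported_capabilities", []))
        if REQUIRED_CAPS <= effective:
            flagged[entry["name"]] = sorted(effective)
    return flagged


def preview_posts(log_text: str) -> list:
    """Return (user, raw path, status) for every POST to the preview endpoint.
    The query string is ignored when matching; SID ownership must be checked elsewhere."""
    hits = []
    for line in log_text.splitlines():
        m = ACCESS_RE.match(line)
        if m and m.group("method") == "POST" and m.group("path").split("?", 1)[0] == ENDPOINT:
            hits.append((m.group("user"), m.group("path"), int(m.group("status"))))
    return hits


if __name__ == "__main__":
    print(roles_with_required_caps(SAMPLE_ROLES))
    print(preview_posts(SAMPLE_ACCESS_LOG))
```

Any role the first function reports, other than an administrative one, is a candidate for having the two capabilities removed per the workaround above; the second function's output is the starting point for the SID-ownership correlation that the log alone cannot provide.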
Splunk rated this vulnerability as Medium, 4.3, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N.
Scott Calvert, Splunk