Role-based Access Control (RBAC) Bypass on '/services/indexing/preview' REST Endpoint Can Overwrite Search Results
Advisory ID: SVD-2023-0612
CVE ID: CVE-2023-32717
Published: 2023-06-01
Last Update: 2023-06-01
CVSSv3.1 Score: 4.3, Medium
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CWE: CWE-285
Bug ID: SPL-237454
Description
An unauthorized user can access the ‘/services/indexing/preview’ REST endpoint to overwrite search results if they know the search ID (SID) of an existing search job. This is because the endpoint does not honor role-based access controls (RBAC) with respect to SID ownership. The exploit requires that the user hold a role that has the ‘edit_monitor’ and ‘edit_upload_and_index’ capabilities assigned to it.
Solution
For Splunk Enterprise, upgrade to versions 9.0.5, 8.2.11, or 8.1.14 and higher.
For Splunk Cloud Platform, Splunk is monitoring and patching affected instances.
Product Status
| Product | Version | Component | Affected Version | Fix Version |
|---|---|---|---|---|
| Splunk Enterprise | 8.1 | Splunk Web | 8.1.0 to 8.1.13 | 8.1.14 |
| Splunk Enterprise | 8.2 | Splunk Web | 8.2.0 to 8.2.10 | 8.2.11 |
| Splunk Enterprise | 9.0 | Splunk Web | 9.0.0 to 9.0.4 | 9.0.5 |
| Splunk Cloud Platform | Splunk Web | 9.0.2303 and below | 9.0.2303.100 |
Mitigations and Workarounds
Remove the ‘edit_monitor’ and ‘edit_upload_and_index’ capabilities from roles that low-privilege user accounts hold. Ensure that all REST endpoints have the proper access control lists (ACLs) applied to them.
Detections
This detection search provides information on possible role-based access control bypass exploits in versions of Splunk Enterprise below 9.0.5, 8.2.11, and 8.1.14.
Severity
Splunk rated this vulnerability as Medium, 4.3, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N.
Acknowledgments
Scott Calvert, Splunk