Role-based Access Control (RBAC) Bypass on '/services/indexing/preview' REST Endpoint Can Overwrite Search Results
Advisory ID: SVD-2023-0612
CVE ID: CVE-2023-32717
Published: 2023-06-01
Last Update: 2023-06-01
CVSSv3.1 Score: 4.3, Medium
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CWE: CWE-285
Bug ID: SPL-237454
Description
A low-privileged, authenticated user can use the ‘/services/indexing/preview’ REST endpoint to overwrite the results of a search job they do not own if they know that job's search ID (SID). The endpoint does not honor role-based access controls (RBAC) with respect to SID ownership: holding the capabilities needed to call the endpoint is sufficient, and ownership of the search job that the supplied SID identifies is not checked. Exploitation requires that the user hold a role with both the ‘edit_monitor’ and ‘edit_upload_and_index’ capabilities assigned to it.
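The flaw class described above, as an added illustrative example. This is not Splunk's code: the job store, the User and SearchJob types, the admin_all_objects flag and the two handler functions are simplified stand-ins, and only the two capability names come from this advisory. It shows why a capability check alone is not an authorization decision: the vulnerable handler lets any caller holding both capabilities overwrite any job it can name by SID, while the hardened handler also checks that the caller owns the job the SID refers to.

```python
"""Added example, not Splunk code: a minimal model of the flaw class the
advisory describes (CWE-285). A capability check decides whether a caller
may use the endpoint at all; ownership of the object named by a
caller-supplied SID is a separate, object-level decision that must also
be made. Types, names and job data below are constructed stand-ins."""

from dataclasses import dataclass, field
from typing import Dict, List, Set

# Capabilities the advisory says the exploiting role must hold.
REQUIRED_CAPS = {"edit_monitor", "edit_upload_and_index"}


class Forbidden(Exception):
    """Raised when the caller is not authorized for the request."""


@dataclass
class User:
    name: str
    capabilities: Set[str] = field(default_factory=set)
    # Stand-in for an administrative "may act on any object" grant (assumption;
    # not a statement about how Splunk represents that privilege).
    admin_all_objects: bool = False


@dataclass
class SearchJob:
    sid: str            # Splunk-style SID <epoch>.<counter>; values are constructed
    owner: str
    results: List[str] = field(default_factory=list)


def make_jobs() -> Dict[str, SearchJob]:
    """Constructed job store: two users, each owning one finished search job."""
    return {
        "1685577600.1": SearchJob("1685577600.1", "alice", ["host=web1 status=timeout"]),
        "1685577601.2": SearchJob("1685577601.2", "bob", ["host=db1 status=disk_full"]),
    }


def _check_capabilities(user: User) -> None:
    missing = REQUIRED_CAPS - user.capabilities
    if missing:
        raise Forbidden(f"{user.name} lacks capabilities {sorted(missing)}")


def preview_vulnerable(user: User, sid: str, new_results: List[str],
                       jobs: Dict[str, SearchJob]) -> SearchJob:
    """Capability check only: any caller with both capabilities can overwrite
    any job whose SID they know, whoever owns it."""
    _check_capabilities(user)
    job = jobs[sid]                   # looked up by caller-supplied SID ...
    job.results = list(new_results)   # ... and overwritten with no owner check
    return job


def preview_hardened(user: User, sid: str, new_results: List[str],
                     jobs: Dict[str, SearchJob]) -> SearchJob:
    """Capability check plus an ownership check on the job the SID names."""
    _check_capabilities(user)
    job = jobs.get(sid)
    # One error for both "no such job" and "not your job", so the endpoint
    # cannot be used to confirm that a guessed SID exists.
    if job is None or (job.owner != user.name and not user.admin_all_objects):
        raise Forbidden(f"{user.name} is not authorized for sid {sid}")
    job.results = list(new_results)
    return job


def demo() -> dict:
    """Run both handlers as a low-privileged user against another user's job."""
    mallory = User("mallory", set(REQUIRED_CAPS))
    outcome = {}
    jobs = make_jobs()
    preview_vulnerable(mallory, "1685577600.1", ["host=web1 status=ok"], jobs)
    outcome["vulnerable"] = jobs["1685577600.1"].results
    jobs = make_jobs()
    try:
        preview_hardened(mallory, "1685577600.1", ["host=web1 status=ok"], jobs)
        outcome["hardened"] = "overwritten"
    except Forbidden as exc:
        outcome["hardened"] = str(exc)
    outcome["hardened_results"] = jobs["1685577600.1"].results
    return outcome


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hardened handler deliberately reports a missing job and a foreign job with the same error; a distinct "not found" response would let a caller enumerate valid SIDs even after the ownership check is in place.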
Solution
For Splunk Enterprise, upgrade to versions 9.0.5, 8.2.11, or 8.1.14 and higher.
For Splunk Cloud Platform, Splunk is monitoring and patching affected instances.
Product Status
Product | Version | Component | Affected Version | Fix Version |
---|---|---|---|---|
Splunk Enterprise | 8.1 | Splunk Web | 8.1.0 to 8.1.13 | 8.1.14 |
Splunk Enterprise | 8.2 | Splunk Web | 8.2.0 to 8.2.10 | 8.2.11 |
Splunk Enterprise | 9.0 | Splunk Web | 9.0.0 to 9.0.4 | 9.0.5 |
Splunk Cloud Platform | - | Splunk Web | 9.0.2303 and below | 9.0.2303.100 |
Mitigations and Workarounds
Remove the ‘edit_monitor’ and ‘edit_upload_and_index’ capabilities from roles held by low-privilege user accounts. Check inherited capabilities as well as directly assigned ones: a role holds every capability of the roles listed in its importRoles setting, so a role can carry both capabilities without either appearing in its own stanza. Removing the capabilities also affects users who need them for legitimate work (for example, uploading files for indexing), and it only narrows who can reach the endpoint; it does not add the missing ownership check, which the upgrade provides. Ensure that all REST endpoints have the proper access control lists (ACLs) applied to them.
Detections
This detection search provides information on possible role-based access control bypass exploits in versions of Splunk Enterprise below 9.0.5, 8.2.11, and 8.1.14.
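The role audit from the Mitigations and Workarounds section and the detection idea from the Detections section, as one added example. This is not Splunk's detection search and not Splunk tooling. Part one reads an authorize.conf and reports roles whose effective capabilities, including those inherited through importRoles, contain both capabilities the exploit requires. Part two scans request lines in the shape of splunkd_access entries for successful POSTs to the endpoint by users who hold such a role but none of the roles expected to use it. The conf text, the log lines, the user-to-role map and the set of expected roles (assumed to be just admin) are all constructed for the example.

```python
"""Added example, not Splunk's detection search or tooling: audit
authorize.conf for roles holding both required capabilities (directly or
via importRoles), then flag successful POSTs to the endpoint by users in
such roles. All inputs below are constructed or assumed."""

import configparser
import re
from typing import Dict, Iterable, List, Set

REQUIRED_CAPS = {"edit_monitor", "edit_upload_and_index"}
ENDPOINT = "/services/indexing/preview"

# Constructed authorize.conf. 'analyst' ends up with both capabilities, one of
# them only by inheriting from 'uploader'; 'viewer' holds neither.
AUTHORIZE_CONF = """\
[role_admin]
edit_monitor = enabled
edit_upload_and_index = enabled

[role_uploader]
edit_upload_and_index = enabled

[role_analyst]
importRoles = uploader
edit_monitor = enabled

[role_viewer]
edit_monitor = disabled
"""

# Constructed request lines in the assumed splunkd_access shape:
# client - user [time] "METHOD uri HTTP/1.1" status bytes - - - duration
SAMPLE_LOG = """\
10.0.0.5 - alice [01/Jun/2023:12:00:01.000 +0000] "POST /services/indexing/preview HTTP/1.1" 200 512 - - - 34ms
10.0.0.9 - mallory [01/Jun/2023:12:00:02.000 +0000] "POST /services/indexing/preview?output_mode=json HTTP/1.1" 200 512 - - - 31ms
10.0.0.7 - viewer1 [01/Jun/2023:12:00:04.000 +0000] "POST /services/indexing/preview HTTP/1.1" 403 198 - - - 2ms
"""

# Assumed user-to-role map (in a deployment this comes from the
# authentication REST endpoints or the identity provider).
USER_ROLES = {"alice": {"admin"}, "mallory": {"analyst"}, "viewer1": {"viewer"}}

ACCESS_RE = re.compile(
    r'^(?P<client>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})')


def parse_authorize_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {role_name: {setting: value}} for every [role_<name>] stanza."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str            # keep capability names as written
    cp.read_string(text)
    return {s[len("role_"):]: dict(cp[s]) for s in cp.sections() if s.startswith("role_")}


def effective_capabilities(role: str, roles: Dict[str, Dict[str, str]],
                           _path: tuple = ()) -> Set[str]:
    """Capabilities a role holds directly or through importRoles. Only 'enabled'
    counts as a grant; an inherited grant is kept even if the importing role
    lists the capability as disabled, so the audit errs toward over-reporting."""
    if role in _path or role not in roles:   # cycle guard / unknown role
        return set()
    stanza = roles[role]
    caps = {k for k, v in stanza.items()
            if k != "importRoles" and v.strip().lower() == "enabled"}
    for parent in stanza.get("importRoles", "").split(";"):
        if parent.strip():
            caps |= effective_capabilities(parent.strip(), roles, _path + (role,))
    return caps


def roles_with_required_caps(roles: Dict[str, Dict[str, str]]) -> List[str]:
    return sorted(r for r in roles if REQUIRED_CAPS <= effective_capabilities(r, roles))


def flag_preview_posts(lines: Iterable[str], user_roles: Dict[str, Set[str]],
                       risky_roles: Set[str],
                       expected_roles: Set[str] = frozenset({"admin"})) -> List[dict]:
    """Successful POSTs to the endpoint by users holding a risky role but none
    of the roles expected to use it (assumed: admin). Failed requests are
    skipped; drop the status test to see attempts as well."""
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        path = m["uri"].split("?", 1)[0]
        if m["method"] != "POST" or path != ENDPOINT or m["status"][0] != "2":
            continue
        roles = user_roles.get(m["user"], set())
        if roles & risky_roles and not roles & expected_roles:
            hits.append({"user": m["user"], "time": m["time"],
                         "uri": m["uri"], "roles": sorted(roles)})
    return hits


def audit_and_detect() -> List[dict]:
    roles = parse_authorize_conf(AUTHORIZE_CONF)
    risky = set(roles_with_required_caps(roles))
    return flag_preview_posts(SAMPLE_LOG.splitlines(), USER_ROLES, risky)


if __name__ == "__main__":
    for hit in audit_and_detect():
        print(hit)
```

Run against the constructed data, the audit reports admin and analyst, and the scan flags only mallory: alice is in the expected admin role and viewer1's request did not succeed. Feed the scanner real splunkd_access lines and a real role map to use it beyond the example.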
Severity
Splunk rated this vulnerability as Medium, 4.3, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N.
Acknowledgments
Scott Calvert, Splunk