Splunk App Key Value Store (KV Store) Improper Handling of Permissions Leads to KV Store Collection Deletion
Advisory ID: SVD-2024-0105
CVE ID: CVE-2024-23675
Published: 2024-01-22
Last Update: 2024-01-30
CVSSv3.1 Score: 6.5, Medium
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
CWE: CWE-284
Bug ID: SPL-246067
Description
In Splunk Enterprise versions below 9.0.8 and 9.1.3, Splunk app key value store (KV Store) improperly handles permissions for users that use the REST application programming interface (API). This can potentially result in the deletion of KV Store collections.
Solution
Upgrade Splunk Enterprise to 9.0.8, 9.1.3, or higher.
Splunk is actively monitoring and patching Splunk Cloud Platform instances.
Product Status
| Product | Version | Component | Affected Version | Fix Version |
|---|---|---|---|---|
| Splunk Enterprise | 9.0 | Splunk REST API | 9.0.0 to 9.0.7 | 9.0.8 |
| Splunk Enterprise | 9.1 | Splunk REST API | 9.1.0 to 9.1.2 | 9.1.3 |
| Splunk Cloud | - | Splunk REST API | Versions below 9.1.2312.100 | 9.1.2312.100 |
Mitigations and Workarounds
Remove the list_all_objects capability from users that do not require it. See Define roles on the Splunk platform with capabilities for more information. If you are not using KV Store, you can disable it. See Disable the KV store for more information. Note: removing the list_all_objects capability may significantly impair user functionality.
Detections
Severity
Splunk rates this vulnerability a 6.5, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N.
Acknowledgments
Julian Kaufmann
Changelog
- 2024-01-26: Added warning to removing list_all_objects.