Splunk App Key Value Store (KV Store) Improper Handling of Permissions Leads to KV Store Collection Deletion

Advisory ID: SVD-2024-0105

CVE ID: CVE-2024-23675

Published: 2024-01-22

Last Update: 2024-01-30

CVSSv3.1 Score: 6.5, Medium

CWE: CWE-284

Bug ID: SPL-246067

Description

In Splunk Enterprise versions below 9.0.8 and 9.1.3, Splunk app key value store (KV Store) improperly handles permissions for users that use the REST application programming interface (API). This can potentially result in the deletion of KV Store collections.

Solution

Upgrade Splunk Enterprise to 9.0.8, 9.1.3, or higher.

Splunk is actively monitoring and patching Splunk Cloud Platform instances.

Product Status

| Product | Version | Component | Affected Version | Fix Version |
|---|---|---|---|---|
| Splunk Enterprise | 9.0 | Splunk REST API | 9.0.0 to 9.0.7 | 9.0.8 |
| Splunk Enterprise | 9.1 | Splunk REST API | 9.1.0 to 9.1.2 | 9.1.3 |
| Splunk Cloud | - | Splunk REST API | Versions below 9.1.2312.100 | 9.1.2312.100 |

Mitigations and Workarounds

Remove the list_all_objects capability from users that do not require it. See "Define roles on the Splunk platform with capabilities" for more information. If you are not using KV Store, you can disable it. See "Disable the KV store" for more information.

Note: removing the list_all_objects capability may significantly impair user functionality.
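To scope the capability removal described above, the following added example (not Splunk's code and not part of the original advisory) lists every role that holds list_all_objects, either directly or through importRoles inheritance. It assumes merged authorize.conf content with `[role_<name>]` stanzas, semicolon-separated `importRoles`, and capabilities granted as `<capability> = enabled`; the sample configuration and role names are constructed.

```python
import configparser

CAPABILITY = "list_all_objects"
# Constructed sample (not from the advisory): merged authorize.conf content.
SAMPLE = """
[role_user]
search = enabled
[role_power]
importRoles = user
list_all_objects = enabled
[role_analyst]
importRoles = power;user
[role_kv_admin]
list_all_objects = enabled
"""


def parse_roles(conf_text):
    """Return {role: (granted_directly, [imported role names])}."""
    cp = configparser.ConfigParser(strict=False, interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case so importRoles is matched as written
    cp.read_string(conf_text)
    roles = {}
    for section in cp.sections():
        if section.startswith("role_"):
            direct = cp[section].get(CAPABILITY, "").strip().lower() == "enabled"
            imports = [r.strip() for r in cp[section].get("importRoles", "").split(";")]
            roles[section[len("role_"):]] = (direct, [r for r in imports if r])
    return roles


def roles_with_capability(conf_text):
    """Map each role that holds the capability to the role granting it."""
    roles = parse_roles(conf_text)
    def source(role, seen=frozenset()):
        if role not in roles or role in seen:  # unknown role or import cycle
            return None
        direct, imports = roles[role]
        if direct:
            return role
        hits = (source(parent, seen | {role}) for parent in imports)
        return next((h for h in hits if h), None)
    found = {role: source(role) for role in roles}
    return {role: src for role, src in found.items() if src}


if __name__ == "__main__":
    for role, src in sorted(roles_with_capability(SAMPLE).items()):
        print(f"{role}: {CAPABILITY} via role_{src}")
```

Roles that only inherit the capability keep it until it is removed from the granting role, so review the granting role's other members before changing it.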

Detections

Severity

Splunk rates this vulnerability a 6.5, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N.

Acknowledgments

Julian Kaufmann

Changelog

  • 2024-01-26: Added warning to removing list_all_objects.