Splunk App Key Value Store (KV Store) Improper Handling of Permissions Leads to KV Store Collection Deletion

Advisory ID: SVD-2024-0105

CVE ID: CVE-2024-23675

Published: 2024-01-22

Last Update: 2024-01-30

CVSSv3.1 Score: 6.5, Medium

CWE: CWE-284

Bug ID: SPL-246067

Description

In Splunk Enterprise versions below 9.0.8 and 9.1.3, Splunk app key value store (KV Store) improperly handles permissions for users that use the REST application programming interface (API). This can potentially result in the deletion of KV Store collections.

Solution

Upgrade Splunk Enterprise to 9.0.8, 9.1.3, or higher.

Splunk is actively monitoring and patching Splunk Cloud Platform instances.

Product Status

| Product | Version | Component | Affected Version | Fix Version |
|---|---|---|---|---|
| Splunk Enterprise | 9.0 | Splunk REST API | 9.0.0 to 9.0.7 | 9.0.8 |
| Splunk Enterprise | 9.1 | Splunk REST API | 9.1.0 to 9.1.2 | 9.1.3 |
| Splunk Cloud | - | Splunk REST API | Versions below 9.1.2312.100 | 9.1.2312.100 |

Mitigations and Workarounds

Remove the list_all_objects capability from users that do not require it. See "Define roles on the Splunk platform with capabilities" for more information. If you are not using KV Store, you can disable it. See "Disable the KV store" for more information. Note: removing the list_all_objects capability may significantly impair user functionality.
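To decide which roles to remove the capability from, it helps to know which roles hold it directly and which only inherit it. The following is an added example, not Splunk's code: it audits authorize.conf text and assumes the `[role_<name>]` stanza form, a semicolon-separated `importRoles` list, and `<capability> = enabled`. The role names and sample config are constructed.

```python
import configparser

CAPABILITY = "list_all_objects"  # capability named in the advisory

# Constructed sample authorize.conf (role names are hypothetical).
SAMPLE_AUTHORIZE_CONF = """
[role_kv_reader]
importRoles = user
[role_app_owner]
importRoles = kv_reader
list_all_objects = enabled
[role_dashboard_team]
importRoles = app_owner;user
[role_user]
"""

def parse_roles(conf_text):
    """Return {role: (grants_directly, [imported roles])} from authorize.conf text."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key case, e.g. importRoles
    parser.read_string(conf_text)
    roles = {}
    for section in parser.sections():
        if section.startswith("role_"):
            opts = parser[section]
            direct = opts.get(CAPABILITY, "").strip().lower() == "enabled"
            imports = [r.strip() for r in opts.get("importRoles", "").split(";") if r.strip()]
            roles[section[len("role_"):]] = (direct, imports)
    return roles

def roles_with_capability(conf_text):
    """Map every role that holds the capability to the role that grants it."""
    roles = parse_roles(conf_text)
    # Assumption: an inherited capability counts as held (over-reports rather
    # than under-reports). The seen set stops import cycles from looping.
    def source(role, seen):
        if role in seen or role not in roles:
            return None
        seen.add(role)
        direct, imports = roles[role]
        if direct:
            return role
        return next((s for s in (source(p, seen) for p in imports) if s), None)
    found = {role: source(role, set()) for role in roles}
    return {role: src for role, src in found.items() if src}

if __name__ == "__main__":
    for role, src in sorted(roles_with_capability(SAMPLE_AUTHORIZE_CONF).items()):
        print(f"{role}: {CAPABILITY} granted via role_{src}")
```

The script reads a single merged configuration; on a real deployment, feed it the output of `splunk btool authorize list` so that settings layered across apps are resolved first.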

Detections

Severity

Splunk rates this vulnerability a 6.5, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N.

Acknowledgments

Julian Kaufmann

Changelog

  • 2024-01-26: Added warning to removing list_all_objects.