Privilege escalation for users who hold the "splunk_app_soar" role in the Splunk App for SOAR
Advisory ID: SVD-2025-0101
CVE ID: CVE-2025-22621
Published: 2025-01-07
Last Update: 2025-01-07
CVSSv3.1 Score: 6.4, Medium
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
CWE: CWE-269
Bug ID: VULN-17594
Description
In versions 1.0.67 and lower of the Splunk App for SOAR, the Splunk documentation for that app recommended adding the admin_all_objects capability to the splunk_app_soar role. Because admin_all_objects grants a role access to every knowledge object on the instance regardless of object ownership or sharing permissions, this addition could lead to improper access control for a low-privileged user who holds the splunk_app_soar role but does not hold the "admin" Splunk role.
Solution
Upgrade Splunk App for SOAR to version 1.0.71 or higher.
Product Status
Product | Version | Component | Affected Version | Fix Version |
---|---|---|---|---|
Splunk App for SOAR | 1.0 | - | Below 1.0.71 | 1.0.71 |
Mitigations and Workarounds
If you cannot upgrade to 1.0.71 or higher, you can remove the admin_all_objects capability from the splunk_app_soar role. Capabilities in Splunk are assigned to roles rather than to individual users, so removing it from the role (and from any custom role that imports splunk_app_soar) withdraws it from every low-privileged user who holds that role.
For more information, see Assign roles for Splunk App for SOAR and Define roles on the Splunk platform with capabilities.
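The following script is an added example, not Splunk's own tooling or anything shipped with the Splunk App for SOAR. It shows how an administrator can audit an authorize.conf for the admin_all_objects capability on splunk_app_soar, including the case where a custom role picks it up indirectly through importRoles, and it prints the local override stanza that disables the capability. The sample authorize.conf and the role name soar_readonly are constructed for illustration; the stanza naming (role_<name>), the importRoles key and the enabled/disabled values are the real authorize.conf conventions.

```shell
#!/bin/sh
# Added example (not Splunk's code): audit authorize.conf for admin_all_objects
# on the splunk_app_soar role, following importRoles, and emit a local override.
# In a real deployment, dump the effective (merged) config with:
#   $SPLUNK_HOME/bin/splunk btool authorize list role_splunk_app_soar --debug
# and feed that output to the functions below instead of SAMPLE_CONF.

# Constructed sample authorize.conf: splunk_app_soar holds the capability directly
# as the old documentation recommended, and a custom role inherits it via importRoles.
SAMPLE_CONF=$(cat <<'EOF'
[role_splunk_app_soar]
importRoles = user
admin_all_objects = enabled
srchIndexesAllowed = *

[role_soar_readonly]
importRoles = splunk_app_soar

[role_user]
search = enabled
EOF
)

# role_setting CONF ROLE KEY: print the value of KEY in the [role_ROLE] stanza.
role_setting() {
    printf '%s\n' "$1" | awk -v stanza="[role_$2]" -v key="$3" '
        /^\[/ { in_stanza = ($0 == stanza); next }
        in_stanza {
            split($0, kv, "=")
            k = kv[1]; gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }'
}

# has_admin_all_objects CONF ROLE [DEPTH]: succeed and print the role that
# actually carries admin_all_objects = enabled, searching ROLE itself and then
# every role listed in its importRoles (recursively, with a cycle guard).
has_admin_all_objects() {
    conf=$1; role=$2; depth=${3:-0}
    if [ "$depth" -gt 10 ]; then return 1; fi      # guard against import cycles
    if [ "$(role_setting "$conf" "$role" admin_all_objects)" = "enabled" ]; then
        echo "$role"; return 0
    fi
    imports=$(role_setting "$conf" "$role" importRoles)
    old_ifs=$IFS; IFS=,
    for parent in $imports; do
        IFS=$old_ifs
        parent=$(printf '%s' "$parent" | tr -d ' ')
        if found=$(has_admin_all_objects "$conf" "$parent" $((depth + 1))); then
            echo "$found"; return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# override_stanza ROLE: the stanza to add to $SPLUNK_HOME/etc/system/local/authorize.conf.
# system/local has the highest precedence, so it overrides the app's own definition;
# restart splunkd afterwards for the change to take effect.
override_stanza() {
    printf '[role_%s]\nadmin_all_objects = disabled\n' "$1"
}

main() {
    for r in splunk_app_soar soar_readonly; do
        if carrier=$(has_admin_all_objects "$SAMPLE_CONF" "$r"); then
            echo "role $r has admin_all_objects (granted on role $carrier)"
            override_stanza "$carrier"
        else
            echo "role $r does not have admin_all_objects"
        fi
    done
}

main
```

Disabling the capability on splunk_app_soar alone is enough for roles that only inherit it, which is why the override is emitted for the carrier role rather than for each role that reports it; a custom role that sets admin_all_objects = enabled itself needs its own override.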
Detections
None
Severity
Splunk rates this vulnerability a 6.4, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N.
Acknowledgments
Gabriel Nitu, Splunk