CVE-2023-32707

‘edit_user’ Capability Privilege Escalation

Severity Score

8.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

In versions of Splunk Enterprise below 9.0.5, 8.2.11, and 8.1.14, and Splunk Cloud Platform below version 9.0.2303.100, a low-privileged user who holds a role that has the ‘edit_user’ capability assigned to it can escalate their privileges to that of the admin user by providing specially crafted web requests.

En las versiones de Splunk Enterprise anteriores a 9.0.5, 8.2.11 y 8.1.14, y de Splunk Cloud Platform anteriores a la versión 9.0.2303.100, un usuario con pocos privilegios que tenga un rol que tenga asignada la capacidad de "edit_user" puede escalar sus privilegios a los del usuario administrador proporcionando solicitudes web especialmente manipuladas.

Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14 allows low-privileged users who hold a role with edit_user capability assigned to it the ability to escalate their privileges to that of the admin user by providing specially crafted web requests.

*Credits: Mr Hack (try_to_hack) Santiago Lopez

CVSS Scores

NISTv3.1 8.8

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2023-05-11 CVE Reserved
2023-06-01 CVE Published
2023-06-01 First Exploit
2024-06-20 EPSS Updated
2024-08-02 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-285: Improper Authorization

CAPEC

References (5)

URL	Tag	Source

URL	Date	SRC
https://www.exploit-db.com/exploits/51747	2023-10-09
https://github.com/9xN/CVE-2023-32707	2023-11-14
https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/splunk_privilege_escalation_cve_2023_32707.rb	2023-06-01

URL	Date	SRC

URL	Date	SRC
https://advisory.splunk.com/advisories/SVD-2023-0602	2024-04-10
https://research.splunk.com/application/39e1c326-67d7-4c0d-8584-8056354f6593	2024-04-10

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Splunk Search vendor "Splunk"		Splunk Search vendor "Splunk" for product "Splunk"				>= 8.1.0 < 8.1.14 Search vendor "Splunk" for product "Splunk" and version " >= 8.1.0 < 8.1.14"		enterprise		Affected
Splunk Search vendor "Splunk"		Splunk Search vendor "Splunk" for product "Splunk"				>= 8.2.0 < 8.2.11 Search vendor "Splunk" for product "Splunk" and version " >= 8.2.0 < 8.2.11"		enterprise		Affected
Splunk Search vendor "Splunk"		Splunk Search vendor "Splunk" for product "Splunk"				>= 9.0.0 < 9.0.5 Search vendor "Splunk" for product "Splunk" and version " >= 9.0.0 < 9.0.5"		enterprise		Affected
Splunk Search vendor "Splunk"		Splunk Cloud Platform Search vendor "Splunk" for product "Splunk Cloud Platform"				< 9.0.2303.100 Search vendor "Splunk" for product "Splunk Cloud Platform" and version " < 9.0.2303.100"		-		Affected