CVE-2023-32707
Published 2023-06-01
Priority P2 · 77 · high · CVSS 3.1 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit available · EPSS 73.54% (99.4th percentile)
In versions of Splunk Enterprise below 9.0.5, 8.2.11, and 8.1.14, and Splunk Cloud Platform below version 9.0.2303.100, a low-privileged user who holds a role that has the ‘edit_user’ capability assigned to it can escalate their privileges to that of the admin user by providing specially crafted web requests.
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| splunk | splunk | >= 8.1.0 < 8.1.14 | 8.1.14 |
| splunk | splunk | >= 8.2.0 < 8.2.11 | 8.2.11 |
| splunk | splunk | >= 9.0.0 < 9.0.5 | 9.0.5 |
| splunk | splunk_cloud_platform | < 9.0.2303.100 | 9.0.2303.100 |
| splunk | splunk_cloud_platform | >= - < 9.0.2303.100 | 9.0.2303.100 |
| splunk | splunk_enterprise | >= 8.1 < 8.1.14 | 8.1.14 |
| splunk | splunk_enterprise | >= 8.2 < 8.2.11 | 8.2.11 |
| splunk | splunk_enterprise | >= 9.0 < 9.0.5 | 9.0.5 |
Detection & IOCs (extracted from sources)
- Command: `POST /services/authentication/users/{target_user}?output_mode=json` with payload `password=<new_password>&force-change-pass=0&locked-out=0`
- The Metasploit module abuses the privilege escalation to change the admin password and then upload a malicious app for RCE — monitor for unexpected app uploads following admin password changes.
- Flag GET requests to `/services/authentication/users/<username>?output_mode=json` from low-privileged accounts as potential reconnaissance for CVE-2023-32707 exploitation.
No detection rules found.
Exploit-DB
Splunk 9.0.5 - admin account take over (exploitdb · 2023-10-09 · CVSS 8.8 · HIGH)
---
```python
#!/usr/bin/env python3
#
# Exploit Title: Splunk 9.0.5 - admin account take over
# Author: [Redway Security](https://twitter.com/redwaysec)
# Discovery: [Santiago Lopez](https://twitter.com/santi_lopezz99)
# CVE: CVE-2023-32707
# Vendor Description: A low-privilege user who holds a role that has the `edit_user` capability assigned
# to it can escalate their privileges to that of the admin user by providing specially crafted web requests.
#
# Versions Affected: Splunk Enterprise **below** 9.0.5, 8.2.11, and 8.1.14.
#
import argparse
import requests
import random
import string
import base64
# ignore warnings
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
# Parse command-line arguments
parser = argparse.Argume
```
Metasploit
Splunk "edit_user" Capability Privilege Escalation (metasploit)
A low-privileged user who holds a role that has the "edit_user" capability assigned to it can escalate their privileges to that of the admin user by providing a specially crafted web request. This is because the "edit_user" capability does not honor the "grantableRoles" setting in the authorize.conf configuration file, which prevents this scenario from happening. This exploit abuses this vulnerability to change the admin password and login with it to upload a malicious app achieving RCE.
No writeups or analysis indexed.