Splunk recently announced security updates for Splunk Enterprise, which fix several high-severity vulnerabilities, some of which affect third-party packages utilized by the product. Among the most critical vulnerabilities is CVE-2023-32707, a privilege escalation issue that enables low-privileged users with the 'edit_user' capability to elevate their privileges to administrator level through a specially crafted web request. According to a Splunk advisory, this occurs because the 'edit_user' capability does not respect the 'grantableRoles' setting in the authorize.conf configuration file, which would otherwise prevent such a scenario.
Another significant vulnerability is CVE-2023-32706, a denial-of-service (DoS) flaw in the Splunk daemon. The issue arises when an improperly configured XML parser receives specially crafted messages within SAML authentication that contain a reference to an XML entity expansion. Recursive entity references may cause the XML parser to consume all available memory on the system, crashing the daemon or terminating its process.
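One way a service that consumes SAML messages can refuse this class of input before any entity expansion happens, using Python's standard-library expat binding; this is an added example, not Splunk's code, and the two SAML-style messages are constructed for illustration:

```python
"""Refuse DTD and entity declarations in SAML XML before they can be expanded."""
import xml.parsers.expat


class UnsafeXMLError(ValueError):
    """Raised when a message carries XML constructs a SAML response never needs."""


def parse_saml_safely(doc: bytes) -> dict:
    """Parse a SAML-style message with expat, aborting on any DOCTYPE or ENTITY.

    A SAML response never legitimately carries a DTD, so the first DOCTYPE or
    entity declaration is treated as hostile and parsing stops right there,
    before the parser can allocate anything for an expansion.
    Returns the element names seen, in document order.
    """
    parser = xml.parsers.expat.ParserCreate()
    # Never process parameter entities, so no external DTD subset is fetched.
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    elements = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError(f"DOCTYPE {name!r} not allowed in a SAML message")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        # Defence in depth: only reachable if the DOCTYPE check were relaxed.
        raise UnsafeXMLError(f"entity declaration {name!r} not allowed")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.StartElementHandler = lambda name, attrs: elements.append(name)
    parser.Parse(doc, True)  # exceptions raised in handlers propagate here
    return {"elements": elements}


def is_safe_saml(doc: bytes) -> bool:
    """True if the message parses without any DTD or entity declaration."""
    try:
        parse_saml_safely(doc)
        return True
    except UnsafeXMLError:
        return False


# Constructed samples: a minimal well-formed response and one smuggling a DTD.
BENIGN_RESPONSE = (
    b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_c0ffee">'
    b'<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    b"https://idp.example.test</saml:Issuer></samlp:Response>"
)
HOSTILE_RESPONSE = (
    b'<?xml version="1.0"?><!DOCTYPE samlp:Response [<!ENTITY pad "AAAAAAAA">]>'
    b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">&pad;</samlp:Response>'
)

if __name__ == "__main__":
    print("benign accepted:", is_safe_saml(BENIGN_RESPONSE))   # True
    print("hostile accepted:", is_safe_saml(HOSTILE_RESPONSE)) # False
```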
Splunk also addressed CVE-2023-32708, an HTTP response splitting issue in Splunk Enterprise that allows a low-privileged user to access other REST endpoints on the system and view restricted content. In addition to these vulnerabilities, Splunk resolved multiple severe issues in third-party packages used in Splunk Enterprise, such as libxml2, OpenSSL, curl, libarchive, SQLite, Go, and others. Some of these vulnerabilities have been public for over four years.
The company released Splunk Enterprise versions 8.1.14, 8.2.11, and 9.0.5 to address these flaws, as well as multiple medium-severity vulnerabilities. Splunk also announced patches for high-severity bugs in the Splunk App for Lookup File Editing and Splunk App for Stream, along with fixes for severe issues in third-party packages used in Splunk Universal Forwarders and Splunk Cloud. More information about the patched vulnerabilities can be found on Splunk's security advisories page.