role, to escalate their privileges to an admin level by crafting specific web requests. This not only exposes sensitive data but also opens doors for unauthorized control over the system.Experts have flagged versions of Splunk Enterprise below 9.0.5, 8.2.11, and 8.1.14 as susceptible. The exploit works by manipulating the
capability, enabling a malicious actor to change another user’s password, effectively hijacking that account. A script provided as proof of concept demonstrates the simplicity yet the significant impact of the exploit.
Solutions and MitigationsUsers are urged to upgrade to Splunk Enterprise versions 9.0.5, 8.2.11, 8.1.14, or higher. For Splunk Cloud Platform, patches are being actively applied and monitored by Splunk. Additionally, ensuring that the
capability is only assigned to the admin role or its equivalent can serve as a mitigation measure.
8.1.0 to 8.1.13
8.2.0 to 8.2.10
9.0.0 to 9.0.4
Splunk Cloud Platform
9.0.2303 and below
Disclaimer: The code snippet provided is for educational purposes only. Misuse of this information for illegal activities is strictly prohibited.