CVE-2023-32707: 
Splunk Enterprise vulnerability analysis and mitigation

CVE-2023-32707 is a privilege escalation vulnerability affecting Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, and Splunk Cloud Platform below version 9.0.2303.100. The vulnerability was discovered and disclosed in June 2023. It allows a low-privileged user who holds a role with the 'edit_user' capability to escalate their privileges to that of the admin user by providing specially crafted web requests (Splunk Advisory, SecurityWeek).

The vulnerability occurs because the 'edit_user' capability does not honor the 'grantableRoles' setting in the authorize.conf configuration file, which should prevent privilege escalation scenarios. The vulnerability has been assigned a CVSS v3.1 score of 8.8 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility, low attack complexity, and high impact on confidentiality, integrity, and availability. The vulnerability is classified under CWE-285 (Improper Authorization) (Splunk Advisory, CERT-EU).

If exploited, this vulnerability allows attackers to gain full administrative access to the Splunk environment. An attacker could potentially take over the admin account and upload malicious apps, achieving remote code execution. This level of access could lead to unauthorized data access, system modifications, and potential data breaches (Rapid7).

The primary mitigation is to upgrade to the fixed versions: Splunk Enterprise 9.0.5, 8.2.11, 8.1.14, or higher. For Splunk Cloud Platform, Splunk has actively patched and monitored the affected instances. As a workaround, organizations should confirm that no role, other than the admin role or its equivalent, has the 'edituser' capability assigned to it. Additionally, the 'edituser' capability should not be assigned to a role from which other roles inherit, nor should it be assigned to users with low or no privileges (Splunk Advisory).