CVE-2023-32717: 
Splunk Enterprise vulnerability analysis and mitigation

CVE-2023-32717 affects Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, and Splunk Cloud Platform versions below 9.0.2303.100. The vulnerability allows an unauthorized user to access the '/services/indexing/preview' REST endpoint and overwrite search results if they know the search ID (SID) of an existing search job (Splunk Advisory).

The vulnerability is classified as an improper authorization issue (CWE-285) with a CVSSv3.1 score of 4.3 (Medium). The attack vector is network-based (AV:N) with low attack complexity (AC:L), requiring low privileges (PR:L) and no user interaction (UI:N). The scope is unchanged (S:U) with no confidentiality impact (C:N), low integrity impact (I:L), and no availability impact (A:N) (Splunk Advisory).

The vulnerability allows attackers to overwrite search results by exploiting the REST endpoint's lack of proper role-based access controls (RBAC) with respect to SID ownership. The exploit requires the user to have a role with 'editmonitor' and 'edituploadandindex' capabilities (Splunk Advisory).

The primary mitigation is to upgrade Splunk Enterprise to versions 9.0.5, 8.2.11, or 8.1.14 and higher. For Splunk Cloud Platform, Splunk monitors and patches affected instances. As a workaround, administrators can remove the 'editmonitor' and 'edituploadandindex' capabilities from roles held by low-privilege user accounts and ensure proper access control lists (ACLs) are applied to all REST endpoints (Splunk Advisory).