CVE-2024-23675
Splunk Enterprise vulnerability analysis and mitigation

Overview

A vulnerability in the Splunk app key value store (KV Store), tracked as CVE-2024-23675, was discovered in Splunk Enterprise versions below 9.0.8 and 9.1.3. The vulnerability involves improper handling of permissions for users of the REST application programming interface (API). The issue was disclosed on January 22, 2024, and affects the Splunk Enterprise 9.0 and 9.1 series, as well as certain versions of Splunk Cloud Platform (Splunk Advisory).

Technical details

The vulnerability has been assigned a CVSSv3.1 score of 6.5 (Medium) with the vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N. The issue stems from incorrect authorization handling in the KV Store component when processing REST API requests. The vulnerability is classified under CWE-284, relating to improper access control (Splunk Advisory).

Impact

The primary impact of this vulnerability is the potential unauthorized deletion of KV Store collections. This could result in significant data loss and disruption to systems relying on the KV Store functionality (Splunk Advisory).

Mitigation and workarounds

Several mitigation options are available:

1) Upgrade Splunk Enterprise to versions 9.0.8, 9.1.3, or higher.
2) Remove the list_all_objects capability from users who don't require it (note: this may significantly impair user functionality).
3) Disable KV Store if not in use.

For Splunk Cloud Platform, Splunk is actively monitoring and patching instances to version 9.1.2312.100 or higher (Splunk Advisory).
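The first two mitigation options can be checked from an inventory: the sketch below is an added example (not code from the Splunk advisory or from this page) that flags Splunk Enterprise versions below the fixed releases and lists roles that hold list_all_objects. It assumes authorize.conf syntax with `[role_<name>]` stanzas and `importRoles`, assumes an imported capability stays granted, and uses a constructed sample configuration.

```python
import configparser

# Fixed releases named on the page, keyed by release series.
FIXED = {(9, 0): (9, 0, 8), (9, 1): (9, 1, 3)}

# Constructed sample in authorize.conf syntax (not taken from a real deployment).
SAMPLE_AUTHORIZE_CONF = """
[role_user]
list_all_objects = enabled

[role_power]
importRoles = user

[role_dashboard_viewer]
list_all_objects = disabled
"""

def is_affected(version):
    """True/False for Splunk Enterprise 9.0.x and later; None for older
    series, which the page does not list."""
    parts = tuple(int(p) for p in version.split(".")[:3])
    parts += (0,) * (3 - len(parts))
    series = parts[:2]
    if series in FIXED:
        return parts < FIXED[series]
    return False if series > (9, 1) else None

def roles_with_capability(conf_text, capability="list_all_objects"):
    """Roles holding the capability directly or through importRoles.
    Assumption: a capability inherited via importRoles stays granted."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    roles = {s[5:]: cp[s] for s in cp.sections() if s.startswith("role_")}

    def holds(name, seen=()):
        if name not in roles or name in seen:  # unknown role or import cycle
            return False
        if roles[name].get(capability, "").strip().lower() == "enabled":
            return True
        imported = roles[name].get("importRoles", "").split(";")
        return any(holds(r.strip(), seen + (name,)) for r in imported)

    return sorted(n for n in roles if holds(n))

if __name__ == "__main__":
    for v in ("9.0.7", "9.0.8", "9.1.2", "9.1.3", "9.2.0"):
        print(v, "affected" if is_affected(v) else "not affected")
    print("roles to review:", roles_with_capability(SAMPLE_AUTHORIZE_CONF))
```

The version check applies to Splunk Enterprise numbering only; Splunk Cloud Platform versions such as 9.1.2312.100 follow a different scheme and are patched by Splunk.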

This report was generated using AI

Related Splunk Enterprise vulnerabilities:

| CVE ID | Severity | Score | Technologies | Component name | CISA KEV exploit | Has fix | Published date |
|---|---|---|---|---|---|---|---|
| CVE-2025-20389 | MEDIUM | 6.5 | Splunk Enterprise | cpe:2.3:a:splunk:splunk | No | Yes | Dec 03, 2025 |
| CVE-2025-20387 | MEDIUM | 6.5 | Splunk Enterprise | cpe:2.3:a:splunk:splunk | No | Yes | Dec 03, 2025 |
| CVE-2025-20386 | MEDIUM | 6.5 | Splunk Enterprise | cpe:2.3:a:splunk:splunk | No | Yes | Dec 03, 2025 |
| CVE-2025-20385 | MEDIUM | 4.8 | Splunk Enterprise | cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:* | No | Yes | Dec 03, 2025 |
| CVE-2025-20388 | LOW | 2.7 | Splunk Enterprise | cpe:2.3:a:splunk:splunk | No | Yes | Dec 03, 2025 |
