Vulnerability in Splunk Enterprise and Splunk Cloud could lead to deletion of KV Store collections.
This CVE, assigned by Splunk, covers a vulnerability in Splunk Enterprise and Splunk Cloud in which the Splunk app key value store (KV Store) handles permissions improperly, which could lead to the deletion of KV Store collections.
Understanding CVE-2024-23675
This vulnerability poses a medium risk level with a CVSS base score of 6.5. It affects Splunk Enterprise versions below 9.0.8 and 9.1.3, as well as Splunk Cloud versions less than 9.1.2312.100.
What is CVE-2024-23675?
In Splunk Enterprise versions below 9.0.8 and 9.1.3, the Splunk app key value store (KV Store) does not handle permissions properly for users utilizing the REST API. This improper handling of permissions can potentially result in the deletion of KV Store collections, impacting data integrity and availability.
The Impact of CVE-2024-23675
The vulnerability allows unauthorized users to manipulate KV Store collections, leading to potential data loss and compromise of sensitive information stored within the affected systems. This could result in a disruption of services and compromise the overall security posture of the organization using Splunk Enterprise or Splunk Cloud.
Technical Details of CVE-2024-23675
The vulnerability arises from the improper permissions handling within the Splunk app key value store (KV Store) for users interacting with the REST API, which can trigger the deletion of KV Store collections.
Vulnerability Description
The flaw in affected Splunk Enterprise and Splunk Cloud versions allows unauthorized actors to access and manipulate KV Store collections, potentially leading to data deletion or unauthorized data access.
Affected Systems and Versions
Exploitation Mechanism
By exploiting the vulnerability in the permissions handling of the Splunk app key value store, malicious actors could trigger the deletion of KV Store collections through the REST API, impacting data integrity and availability.
Mitigation and Prevention
To mitigate the risks associated with CVE-2024-23675, immediate actions and long-term security practices are recommended.
Immediate Steps to Take
Long-Term Security Practices
Patching and Updates
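Ensure that Splunk Enterprise is updated to version 9.0.8 or above, and Splunk Cloud is updated to version 9.1.2312.100 or higher to patch the vulnerability and enhance the security posture of the affected systems. Because Splunk Enterprise is also listed as affected below 9.1.3, confirm that a 9.1 deployment is on 9.1.3 or later rather than treating any version above 9.0.8 as fixed.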
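To review whether collections were deleted through the REST API as described above, the following added example (not Splunk's or this page's own code) scans access-log lines for DELETE requests against the KV Store collection configuration endpoint, storage/collections/config. The log line layout, the expected_admins allowlist and the sample lines are assumptions constructed for illustration.

```python
import re

# Assumption: access-log lines look like
#   client - user [timestamp] "METHOD URI HTTP/x.y" status ...
LINE_RE = re.compile(
    r'^(?P<client>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# A DELETE on a collection's config entry removes the whole collection;
# storage/collections/data/... only touches records and is ignored here.
COLLECTION_RE = re.compile(
    r'/servicesNS/[^/]+/(?P<app>[^/]+)/storage/collections/config/'
    r'(?P<collection>[^/?]+)'
)

# Constructed sample lines (not real log data).
SAMPLE_LOG = [
    '10.0.0.5 - admin [01/Feb/2024:09:12:01.120 +0000] "GET /servicesNS/nobody/search/storage/collections/config HTTP/1.1" 200 5120 - 12ms',
    '10.0.0.9 - analyst1 [01/Feb/2024:09:14:44.501 +0000] "DELETE /servicesNS/nobody/search/storage/collections/config/asset_lookup HTTP/1.1" 200 210 - 31ms',
    '10.0.0.9 - analyst1 [01/Feb/2024:09:15:02.008 +0000] "DELETE /servicesNS/nobody/search/storage/collections/data/asset_lookup/abc HTTP/1.1" 200 98 - 9ms',
    '10.0.0.5 - admin [01/Feb/2024:09:20:13.440 +0000] "DELETE /servicesNS/nobody/myapp/storage/collections/config/tmp_cache HTTP/1.1" 200 210 - 28ms',
    '10.0.0.7 - analyst2 [01/Feb/2024:09:31:55.917 +0000] "DELETE /servicesNS/nobody/search/storage/collections/config/threat_intel HTTP/1.1" 403 180 - 4ms',
]


def find_collection_deletes(lines, expected_admins=frozenset()):
    """Return one record per DELETE aimed at a KV Store collection."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "DELETE":
            continue
        c = COLLECTION_RE.search(m["uri"])
        if not c:
            continue
        findings.append({
            "time": m["ts"], "user": m["user"], "client": m["client"],
            "app": c["app"], "collection": c["collection"],
            # 2xx means the collection was actually removed.
            "succeeded": 200 <= int(m["status"]) < 300,
            # Hypothetical allowlist: users expected to manage collections.
            "review": m["user"] not in expected_admins,
        })
    return findings


if __name__ == "__main__":
    for finding in find_collection_deletes(SAMPLE_LOG, {"admin"}):
        print(finding)
```

Records with both succeeded and review set are the ones to compare against KV Store backups; failed attempts by the same users are still worth following up.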