|
99770 | 99770 | "session_types": false, |
99771 | 99771 | "needs_cleanup": null |
99772 | 99772 | }, |
| 99773 | + "exploit_multi/http/splunk_privilege_escalation_cve_2023_32707": { |
| 99774 | + "name": "Splunk \"edit_user\" Capability Privilege Escalation", |
| 99775 | + "fullname": "exploit/multi/http/splunk_privilege_escalation_cve_2023_32707", |
| 99776 | + "aliases": [ |
| 99777 | + |
| 99778 | + ], |
| 99779 | + "rank": 600, |
| 99780 | + "disclosure_date": "2023-06-01", |
| 99781 | + "type": "exploit", |
| 99782 | + "author": [ |
| 99783 | + "Mr Hack (try_to_hack) Santiago Lopez", |
| 99784 | + "Heyder Andrade", |
| 99785 | + "Redway Security <redwaysecurity.com>" |
| 99786 | + ], |
| 99787 | + "description": "A low-privileged user who holds a role that has the \"edit_user\" capability assigned to it\n can escalate their privileges to that of the admin user by providing a specially crafted web request.\n This is because the \"edit_user\" capability does not honor the \"grantableRoles\" setting in the authorize.conf\n configuration file, which prevents this scenario from happening.\n\n This exploit abuses this vulnerability to change the admin password and login with it to upload a malicious app achieving RCE.", |
| 99788 | + "references": [ |
| 99789 | + "CVE-2023-32707", |
| 99790 | + "URL-https://advisory.splunk.com/advisories/SVD-2023-0602", |
| 99791 | + "URL-https://blog.redwaysecurity.com/2023/09/exploit-cve-2023-32707.html", |
| 99792 | + "URL-https://github.com/redwaysecurity/CVEs/tree/main/CVE-2023-32707" |
| 99793 | + ], |
| 99794 | + "platform": "Linux,OSX,Unix,Windows", |
| 99795 | + "arch": "", |
| 99796 | + "rport": 8000, |
| 99797 | + "autofilter_ports": [ |
| 99798 | + 80, |
| 99799 | + 8080, |
| 99800 | + 443, |
| 99801 | + 8000, |
| 99802 | + 8888, |
| 99803 | + 8880, |
| 99804 | + 8008, |
| 99805 | + 3000, |
| 99806 | + 8443 |
| 99807 | + ], |
| 99808 | + "autofilter_services": [ |
| 99809 | + "http", |
| 99810 | + "https" |
| 99811 | + ], |
| 99812 | + "targets": [ |
| 99813 | + "Splunk < 9.0.5, 8.2.11, and 8.1.14 / Linux", |
| 99814 | + "Splunk < 9.0.5, 8.2.11, and 8.1.14 / Windows" |
| 99815 | + ], |
| 99816 | + "mod_time": "2023-10-26 14:03:06 +0000", |
| 99817 | + "path": "/modules/exploits/multi/http/splunk_privilege_escalation_cve_2023_32707.rb", |
| 99818 | + "is_install_path": true, |
| 99819 | + "ref_name": "multi/http/splunk_privilege_escalation_cve_2023_32707", |
| 99820 | + "check": true, |
| 99821 | + "post_auth": true, |
| 99822 | + "default_credential": false, |
| 99823 | + "notes": { |
| 99824 | + "Stability": [ |
| 99825 | + "crash-safe" |
| 99826 | + ], |
| 99827 | + "Reliability": [ |
| 99828 | + "repeatable-session" |
| 99829 | + ], |
| 99830 | + "SideEffects": [ |
| 99831 | + "ioc-in-logs" |
| 99832 | + ] |
| 99833 | + }, |
| 99834 | + "session_types": false, |
| 99835 | + "needs_cleanup": null |
| 99836 | + }, |
99773 | 99837 | "exploit_multi/http/splunk_upload_app_exec": { |
99774 | 99838 | "name": "Splunk Custom App Remote Code Execution", |
99775 | 99839 | "fullname": "exploit/multi/http/splunk_upload_app_exec", |
|
0 commit comments