Splunk App for SOAR Privilege Escalation Vulnerability
Vulnerability
A privilege escalation vulnerability exists in the Splunk App for SOAR, versions 1.0.67 and earlier. It arises because the Splunk documentation for those versions recommended granting the 'admin_all_objects' capability to the 'splunk_app_soar' role. Following that guidance could result in improper access control: low-privileged users who hold the 'splunk_app_soar' role but not the 'admin' role gain elevated permissions.
Impact
Exploitation of this vulnerability allows low-privileged users with the 'splunk_app_soar' role to gain unauthorized access rights, potentially leading to elevated privileges within the Splunk environment.
Remediation
Users who have not modified the 'splunk_app_soar' role should upgrade to version 1.0.71 or later. Those who have changed the role should manually delete it, or remove any high-privileged capabilities from it, before upgrading. For more details, consult the Splunk documentation on roles and capabilities.
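The pre-upgrade check described above, as an added example that is not part of the advisory or of Splunk's own tooling: it parses a role stanza in Splunk's INI-style authorize.conf, reports which high-privilege capabilities are enabled on the 'splunk_app_soar' role, and emits the cleaned stanza. The sample stanza is constructed, and every flagged capability other than 'admin_all_objects' is an assumed addition rather than one the advisory names.

```python
import configparser
import io

# Constructed sample authorize.conf stanza (not taken from the advisory): the
# role as the pre-1.0.71 documentation led administrators to configure it.
WEAK_AUTHORIZE_CONF = """\
[role_splunk_app_soar]
admin_all_objects = enabled
list_storage_passwords = enabled
search = enabled
"""

# admin_all_objects is the capability the advisory names; the others are assumed
# additions that would equally defeat the role's least-privilege intent.
HIGH_PRIVILEGE_CAPABILITIES = {"admin_all_objects", "edit_roles", "edit_user",
                               "change_authentication"}


def parse_authorize_conf(text):
    """authorize.conf is INI-like; keep key case and disable % interpolation."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str
    parser.read_string(text)
    return parser


def audit_role(text, role="splunk_app_soar"):
    """Return the high-privilege capabilities enabled on the given role, sorted."""
    parser = parse_authorize_conf(text)
    stanza = f"role_{role}"
    if not parser.has_section(stanza):
        return []
    section = parser[stanza]
    return sorted(cap for cap in HIGH_PRIVILEGE_CAPABILITIES
                  if section.get(cap, "").strip().lower() == "enabled")


def strip_high_privileges(text, role="splunk_app_soar"):
    """Return the conf text with the flagged capabilities removed from the role,
    leaving its other settings intact (the cleanup step before upgrading)."""
    parser = parse_authorize_conf(text)
    stanza = f"role_{role}"
    for cap in audit_role(text, role):
        parser.remove_option(stanza, cap)
    buf = io.StringIO()
    parser.write(buf)
    return buf.getvalue()
```

Run `audit_role` against the deployment's local authorize.conf on each search head; an empty result for the role means the upgrade path for unmodified roles applies, while any hit should be cleared with `strip_high_privileges` (or by deleting the role) first.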