Splunk AI Toolkit Improper Access Control Vulnerability in Role Inheritance

Vulnerability

Splunk AI Toolkit versions prior to 5.7.3 allow low-privileged users without the 'admin' or 'power' roles to access confidential data that 'srchFilter' configurations on custom roles are meant to restrict. The issue arises because the app's 'authorize.conf' file modifies the default 'user' role, and the Splunk platform combines inherited search filters with the 'OR' operator. As a result, the filter injected on the 'user' role overrides more restrictive filters on child roles that inherit from it, potentially exposing sensitive information.

Impact

Exploitation of this vulnerability could lead to unauthorized access to confidential data, bypassing role-based restrictions.

Remediation

Users are advised to upgrade Splunk AI Toolkit to version 5.7.3 or higher. If upgrading is not immediately possible, the app can be turned off until a patched version is available. Alternatively, the 'authorize.conf' file can be edited to remove the 'srchFilter' line or to add a 'srchFilter' line with an empty value, which will override the default 'srchFilter' entry. After making these changes, the Splunk platform instance should be restarted.
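The following audit sketch is an added example, not code from the advisory or from Splunk. It models only the OR-combination of inherited 'srchFilter' values described above and lists roles whose own filter is widened by an inherited one. The role names and filter values are constructed placeholders, not the toolkit's actual entry.

```python
import configparser

# Constructed sample: an app authorize.conf sets srchFilter on the default
# 'user' role; a custom role inherits from it. Filter values are placeholders.
SAMPLE_CONF = """
[role_user]
srchFilter = index=placeholder_app_index

[role_finance_restricted]
importRoles = user
srchFilter = index=finance department=emea
"""

def load_roles(text):
    """Return {role: (own_filter, [imported roles])} from authorize.conf text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep key case (srchFilter, importRoles)
    cp.read_string(text)
    roles = {}
    for section in cp.sections():
        if section.startswith("role_"):
            imports = [r.strip() for r in cp[section].get("importRoles", "").split(";") if r.strip()]
            roles[section[len("role_"):]] = (cp[section].get("srchFilter", "").strip(), imports)
    return roles

def effective_filters(roles, role, seen=None):
    """Collect the role's own filter and every inherited one (these get OR-ed)."""
    seen = set() if seen is None else seen
    if role in seen or role not in roles:
        return []
    seen.add(role)
    own, imports = roles[role]
    found = [(role, own)] if own else []
    for parent in imports:
        found += effective_filters(roles, parent, seen)
    return found

def widened_roles(roles):
    """Roles whose own srchFilter is OR-ed with a filter inherited from another role."""
    report = {}
    for role, (own, _) in roles.items():
        parts = effective_filters(roles, role)
        if own and len(parts) > 1:
            report[role] = " OR ".join(f"({f})" for _, f in parts)
    return report

if __name__ == "__main__":
    for role, expr in widened_roles(load_roles(SAMPLE_CONF)).items():
        print(f"{role}: effective srchFilter = {expr}")
```

With an empty 'srchFilter' value on the 'user' role, as in the workaround above, the same check reports no widened roles.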

Added: May 20, 2026, 6:22 PM
Updated: May 20, 2026, 6:22 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.3
exploitability: 4.8
remediation: 0.0
relevance: 8.9
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.