From 0cae369a455a1a60ac1265509b849162694de4bc Mon Sep 17 00:00:00 2001
From: Metasploit <metasploit@rapid7.com>
Date: Thu, 26 Oct 2023 10:49:41 -0500
Subject: [PATCH] automatic module_metadata_base.json update

---
 db/modules_metadata_base.json | 64 +++++++++++++++++++++++++++++++++++
 1 file changed, 64 insertions(+)

diff --git a/db/modules_metadata_base.json b/db/modules_metadata_base.json
index 859c633c77..092862c1cc 100644
--- a/db/modules_metadata_base.json
+++ b/db/modules_metadata_base.json
@@ -99770,6 +99770,70 @@
     "session_types": false,
     "needs_cleanup": null
   },
+  "exploit_multi/http/splunk_privilege_escalation_cve_2023_32707": {
+    "name": "Splunk \"edit_user\" Capability Privilege Escalation",
+    "fullname": "exploit/multi/http/splunk_privilege_escalation_cve_2023_32707",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2023-06-01",
+    "type": "exploit",
+    "author": [
+      "Mr Hack (try_to_hack) Santiago Lopez",
+      "Heyder Andrade",
+      "Redway Security <redwaysecurity.com>"
+    ],
+    "description": "A low-privileged user who holds a role that has the \"edit_user\" capability assigned to it\n          can escalate their privileges to that of the admin user by providing a specially crafted web request.\n          This is because the \"edit_user\" capability does not honor the \"grantableRoles\" setting in the authorize.conf\n          configuration file, which prevents this scenario from happening.\n\n          This exploit abuses this vulnerability to change the admin password and login with it to upload a malicious app achieving RCE.",
+    "references": [
+      "CVE-2023-32707",
+      "URL-https://advisory.splunk.com/advisories/SVD-2023-0602",
+      "URL-https://blog.redwaysecurity.com/2023/09/exploit-cve-2023-32707.html",
+      "URL-https://github.com/redwaysecurity/CVEs/tree/main/CVE-2023-32707"
+    ],
+    "platform": "Linux,OSX,Unix,Windows",
+    "arch": "",
+    "rport": 8000,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Splunk < 9.0.5, 8.2.11, and 8.1.14 / Linux",
+      "Splunk < 9.0.5, 8.2.11, and 8.1.14 / Windows"
+    ],
+    "mod_time": "2023-10-26 14:03:06 +0000",
+    "path": "/modules/exploits/multi/http/splunk_privilege_escalation_cve_2023_32707.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/splunk_privilege_escalation_cve_2023_32707",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
   "exploit_multi/http/splunk_upload_app_exec": {
     "name": "Splunk Custom App Remote Code Execution",
     "fullname": "exploit/multi/http/splunk_upload_app_exec",