CVE-2023-32706

7.7 HIGH (CVSS v3.1 base score)

📋 TL;DR

An unauthenticated attacker can send specially crafted XML messages to the XML parser used by Splunk's SAML authentication, causing a denial of service that crashes the Splunk daemon (splunkd). It affects Splunk Enterprise instances on vulnerable versions that have SAML authentication enabled. Instances whose SAML endpoints are reachable from the internet are the most exposed, because the attack needs no credentials.

💻 Affected Systems

Products:
  • Splunk Enterprise
  • Splunk Cloud Platform
Versions: Splunk Enterprise below 9.0.5, 8.2.11, and 8.1.14; Splunk Cloud Platform below 9.0.2303.100 (remediated by Splunk on the vendor side)
Operating Systems: All supported platforms
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when SAML authentication is configured and enabled (authType = SAML in authentication.conf). Native Splunk or LDAP authentication does not reach the affected parser.

📦 What is this software?

Splunk Enterprise is a platform for collecting, indexing and searching machine data (logs, metrics, events) and is widely used as a SIEM. Its SAML authentication option lets users log in to Splunk Web through an external identity provider; the SAML response the browser posts back to Splunk is XML, which is what the affected parser handles.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete outage of the affected instance: splunkd crashes, taking down search, dashboards, alerting and data ingestion until it is restarted, and an attacker who can still reach the endpoint can repeat the crash after each restart.

🟠

Likely Case

Intermittent service disruptions affecting Splunk search, dashboard access and data ingestion while the daemon is down or restarting.

🟢

If Mitigated

Minimal impact if patched, or if SAML authentication is disabled and the SAML endpoints are reachable only from trusted networks.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The attack is a crafted XML message posted to the SAML endpoint of Splunk Web; no credentials are needed, so any client that can reach the endpoint can attempt it.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 9.0.5, 8.2.11, or 8.1.14 (the fix release for each affected branch; later releases also contain the fix)

Vendor Advisory: https://advisory.splunk.com/advisories/SVD-2023-0601

Restart Required: Yes

Instructions:

1. Download the patched build for your branch from the Splunk website.
2. Back up the Splunk configuration and data.
3. Install the update following the Splunk Enterprise upgrade procedure, on every instance that handles SAML logins (search heads).
4. Restart Splunk services.

🔧 Temporary Workarounds

Disable SAML Authentication

Applies to: all platforms

If SAML is not required, switch temporarily to another authentication method (native Splunk accounts or LDAP) until the patch is applied.

Edit the [authentication] stanza of authentication.conf and set authType to Splunk or LDAP instead of SAML (SAML is active only while authType = SAML)
Restart Splunk services for the change to take effect

Network Access Control

Applies to: all platforms

Restrict access to the Splunk Web SAML endpoints (the /saml/acs assertion consumer service) to trusted networks only.

Configure firewall rules so that only trusted sources can reach the Splunk Web port (8000 by default, where the SAML endpoints are served) and the management port (8089 by default)

🧯 If You Can't Patch

  • Implement strict network segmentation so that only trusted networks can reach the Splunk SAML endpoints
  • Deploy a WAF or IPS in front of the SAML endpoints with rules that reject malformed or oversized XML

🔍 How to Verify

Check if Vulnerable:

Check the Splunk version via the web interface's About dialog or the CLI, then check whether authType is set to SAML in the [authentication] stanza of authentication.conf (btool reports the merged, effective value across all conf layers).

Check Version:

$SPLUNK_HOME/bin/splunk version

Verify Fix Applied:

Confirm the version is at or above the fix release for its branch (9.0.5, 8.2.11 or 8.1.14; 9.1 and later also contain the fix) and test that SAML login still works end to end.
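The two checks in this section (is the build below its branch's fix release, and is SAML the active authType) combined into one script. This is an added example, not Splunk's own tooling. It assumes the version format that `splunk version` prints ("Splunk x.y.z (build ...)") and the standard authType/authSettings keys of the [authentication] stanza; the version string and conf snippets are constructed, not captured from a real host.

```python
"""CVE-2023-32706 exposure check: affected version AND SAML active.

Added example for this page; not Splunk's own tooling. Inputs are the text
that `$SPLUNK_HOME/bin/splunk version` prints and the effective
authentication.conf (as `splunk btool authentication list` would show it).
"""
import re

# Fixed versions per release branch, from the Splunk advisory (SVD-2023-0601).
FIXED = {(9, 0): (9, 0, 5), (8, 2): (8, 2, 11), (8, 1): (8, 1, 14)}


def parse_version(text):
    """Return (major, minor, patch) from `splunk version` output."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(g) for g in m.groups())


def version_affected(ver):
    """True when ver is below the fix release of its branch.

    Assumptions not stated by the advisory: branches older than 8.1 are
    end-of-life and treated as affected; 9.1 and later shipped after the fix
    and are treated as not affected.
    """
    branch = ver[:2]
    if branch in FIXED:
        return ver < FIXED[branch]
    return branch < (8, 1)


def saml_enabled(conf_text):
    """Parse the [authentication] stanza and report whether authType is SAML.

    Only lines starting with '#' are treated as comments. The comparison is
    case-insensitive, which is slightly more lenient than Splunk itself.
    """
    stanza, settings = None, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1].strip()
        elif stanza == "authentication" and "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            settings[key] = val
    # Splunk's default when authType is absent is native ("Splunk") auth.
    return settings.get("authType", "Splunk").lower() == "saml"


def assess(version_text, conf_text):
    """Combine both checks into one verdict token."""
    affected = version_affected(parse_version(version_text))
    if affected and saml_enabled(conf_text):
        return "VULNERABLE"          # patch, or disable SAML until you can
    if affected:
        return "AFFECTED_SAML_OFF"   # not reachable now, but still patch
    return "PATCHED"


# Constructed sample inputs (not real output from a Splunk host).
VERSION_OUTPUT = "Splunk 9.0.4 (build 0123456789ab)"

SAML_CONF = """\
# SAML in use: the condition under which CVE-2023-32706 is reachable
[authentication]
authType = SAML
authSettings = saml_idp

[saml_idp]
entityId = https://splunk.example.com
idpSSOUrl = https://idp.example.com/sso
"""

WORKAROUND_CONF = """\
# temporary workaround: fall back to native Splunk accounts
[authentication]
authType = Splunk
"""

if __name__ == "__main__":
    print(assess(VERSION_OUTPUT, SAML_CONF))                          # VULNERABLE
    print(assess(VERSION_OUTPUT, WORKAROUND_CONF))                    # AFFECTED_SAML_OFF
    print(assess("Splunk 9.0.5 (build 0123456789ab)", SAML_CONF))    # PATCHED
```

Run it against every search head, feeding it the btool output rather than a single file, since authType can be set in an app's local directory rather than in system/local.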

📡 Detection & Monitoring

Log Indicators:

  • splunkd crash reports (crash-*.log in $SPLUNK_HOME/var/log/splunk) and unexpected splunkd restarts
  • XML parsing errors, or errors from the SAML authentication component, in splunkd.log
  • Failed or malformed SAML authentication attempts from unexpected sources

Network Indicators:

  • Unusual or malformed XML payloads posted to the SAML endpoints (for example /saml/acs)
  • High volume of requests to /saml endpoints, especially from a single client

SIEM Query (SPL, run on the Splunk instance itself; splunkd.log contains no literal "daemon crash" string, so search for parser and SAML errors instead):

index=_internal source="*splunkd.log" log_level=ERROR ("SAML" OR "XML")
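The "high volume of requests to /saml endpoints" indicator above, turned into a sliding-window burst detector over web access log lines, with a second pass that pulls out SAML requests answered with a 5xx. This is an added example, not a Splunk feature. The log lines are constructed in a simplified Apache-style layout (client IP, timestamp, request line, status); real splunk_web_access lines carry more fields, so adapt LINE_RE before pointing it at web_access.log.

```python
"""Burst and error detection for SAML endpoint traffic.

Added example, not a Splunk feature. Log lines are constructed in a
simplified access-log layout; adjust LINE_RE for real web_access.log lines.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Any "saml/" path segment, e.g. /saml/acs, where the browser posts the XML response.
SAML_PATH_RE = re.compile(r"(?:^|/)saml/")


def parse_line(line):
    """Return a dict for a matching line, None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "method": m["method"], "path": m["path"], "status": int(m["status"])}


def saml_events(lines):
    """Parsed SAML-endpoint requests, sorted by time (input may be unordered)."""
    events = (e for e in map(parse_line, lines) if e and SAML_PATH_RE.search(e["path"]))
    return sorted(events, key=lambda e: e["ts"])


def find_bursts(lines, threshold=20, window_s=60):
    """Map client IP -> peak number of SAML requests inside any window_s-second
    window, for clients that reach threshold. One deque per client holds the
    timestamps still inside the window."""
    recent, peaks = defaultdict(deque), {}
    for e in saml_events(lines):
        q = recent[e["ip"]]
        q.append(e["ts"])
        while (e["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold:
            peaks[e["ip"]] = max(peaks.get(e["ip"], 0), len(q))
    return peaks


def saml_server_errors(lines):
    """SAML requests answered 5xx. A splunkd crash mid-request may surface as
    a 5xx from Splunk Web, so even a handful of these is worth pulling
    alongside splunkd.log and any crash-*.log written at the same time."""
    return [e for e in saml_events(lines) if e["status"] >= 500]


def _constructed_sample():
    """25 ACS posts in 25 s from one client (the last two answered 500), plus
    normal traffic from another client. Constructed, not captured."""
    base = datetime(2023, 6, 1, 12, 0, 0, tzinfo=timezone.utc)

    def line(sec, ip, method, path, status):
        ts = (base + timedelta(seconds=sec)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 0 "-" "-"'

    lines = [line(i, "203.0.113.7", "POST", "/saml/acs", 500 if i >= 23 else 200)
             for i in range(25)]
    lines += [line(0, "10.0.0.5", "POST", "/saml/acs", 303),
              line(30, "10.0.0.5", "GET", "/en-US/app/search/search", 200),
              line(59, "10.0.0.5", "POST", "/saml/acs", 303)]
    return lines


SAMPLE_LINES = _constructed_sample()

if __name__ == "__main__":
    print(find_bursts(SAMPLE_LINES))               # {'203.0.113.7': 25}
    print(len(saml_server_errors(SAMPLE_LINES)))   # 2
```

The threshold is a starting point: a legitimate user completes one SAML login with a single ACS post, so tens of posts from one client in a minute have no benign explanation beyond a broken IdP loop, which is worth investigating anyway.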
