CVE-2022-43571
published 2022-11-03

CVE-2022-43571: In Splunk Enterprise versions below 8.2.9, 8.1.12, and 9.0.2, an authenticated user can execute arbitrary code through the dashboard PDF generation component.

Priority: P2 (68)
Severity: high (CVSS 3.1 base score 8.8)
CVSS vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit: flagged as available
EPSS: 14.31% (96.2nd percentile)

Affected (7 ranges)

Vendor | Product               | Version range        | Fixed in
splunk | splunk                | >= 8.1.0, < 8.1.12   | 8.1.12
splunk | splunk                | >= 8.2.0, < 8.2.9    | 8.2.9
splunk | splunk                | >= 9.0.0, < 9.0.2    | 9.0.2
splunk | splunk_cloud_platform | < 9.0.2209           | 9.0.2209
splunk | splunk_enterprise     | >= 8.1, < 8.1.12     | 8.1.12
splunk | splunk_enterprise     | >= 8.2, < 8.2.9      | 8.2.9
splunk | splunk_enterprise     | >= 9.0, < 9.0.2      | 9.0.2

Detection & IOCs (extracted from sources)

IOC (url/path): /en-US/splunkd/__raw/servicesNS/nobody/search/data/ui/views
  • Monitor Splunk dashboard SimpleXML definitions for Python code injected into sparkline style options such as fillColor or lineColor; a legitimate value is a color literal, nothing more.
  • Alert on an authenticated POST to Splunk's dashboard views API endpoint (the path above) that is followed shortly afterwards by a PDF export of that dashboard; the export is what triggers execution.
  • Inspect Splunk dashboard XML payloads for embedded Python expressions or imports within sparkline chart style attributes (fillColor, lineColor); these never occur in legitimate dashboards.
  • Flag Splunk Enterprise instances on 8.1.x below 8.1.12, 8.2.x below 8.2.9, or 9.0.x below 9.0.2 (and Splunk Cloud Platform below 9.0.2209) as vulnerable to this authenticated RCE via PDF generation.
  • Exploitation requires an authenticated session; unauthenticated access alone is insufficient to trigger this RCE.
  • The vulnerability is triggered specifically through the PDF export function; a dashboard that is never exported to PDF does not reach the execution path.
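The two detections above as a runnable Python script. This is an added example, not cvebase's or Splunk's code: it scans SimpleXML for sparkline fillColor/lineColor options that do not hold a plain color literal, and it pairs a successful POST to the views endpoint with a PDF export by the same user inside a time window. The `<format type="sparkline">`/`<option>` layout, the splunkd_access-style log line format and the `/services/pdfgen/render` export path are assumptions made for the example; the sample dashboard and log lines are constructed.

```python
"""Detection helpers for CVE-2022-43571 (Splunk dashboard PDF-generation RCE).

Added example, not Splunk code or a vendor-supplied rule. Two checks:
  1. scan_dashboard_xml(): flag sparkline fillColor/lineColor options whose
     value is not a plain color literal (the injection point named on the page).
  2. correlate_views_then_pdf(): pair a successful POST to the dashboard views
     endpoint with a PDF export by the same user shortly afterwards.
The sample dashboard and access-log lines below are constructed for the example.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

# What a legitimate sparkline color option looks like: #rgb, #rrggbb,
# rgb()/rgba() with numeric arguments, or a bare color name such as "red".
_COLOR_LITERAL = re.compile(
    r"^\s*(#[0-9a-fA-F]{3}(?:[0-9a-fA-F]{3})?"
    r"|rgba?\(\s*[\d.]+\s*,\s*[\d.]+\s*,\s*[\d.]+\s*(?:,\s*[\d.]+\s*)?\)"
    r"|[A-Za-z]+)\s*$"
)
# Tokens that have no business in a color value and point at a Python payload.
_PY_MARKERS = ("__import__", "import ", "exec(", "eval(", "os.", "subprocess",
               "open(", "lambda", "__builtins__")
SPARKLINE_STYLE_OPTIONS = {"fillColor", "lineColor"}


def scan_dashboard_xml(xml_text, dashboard_name="<unnamed>"):
    """Return one finding per sparkline color option that is not a color literal."""
    findings = []
    root = ET.fromstring(xml_text)
    # Assumed SimpleXML layout for table sparklines:
    # <format type="sparkline" field="..."><option name="lineColor">...</option></format>
    for fmt in root.iter("format"):
        if fmt.get("type") != "sparkline":
            continue
        for opt in fmt.findall("option"):
            name = opt.get("name", "")
            if name not in SPARKLINE_STYLE_OPTIONS:
                continue
            value = (opt.text or "").strip()
            if _COLOR_LITERAL.match(value):
                continue
            markers = [m for m in _PY_MARKERS if m in value]
            reason = "python-marker:" + ",".join(markers) if markers else "non-color-value"
            findings.append({"dashboard": dashboard_name, "field": fmt.get("field"),
                             "option": name, "value": value, "reason": reason})
    return findings


# Constructed splunkd_access-style line: client - user [ts] "METHOD path PROTO" status size
_ACCESS_LINE = re.compile(
    r'^(?P<client>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
VIEWS_ENDPOINT = "/servicesNS/nobody/search/data/ui/views"   # IOC path from the page
PDF_EXPORT_MARKER = "/services/pdfgen/render"                # assumed export path


def parse_access_log(lines):
    """Parse constructed access-log lines into event dicts; skip lines that do not match."""
    events = []
    for line in lines:
        m = _ACCESS_LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts").split(" ")[0], "%d/%b/%Y:%H:%M:%S.%f")
        events.append({"user": m.group("user"), "ts": ts, "method": m.group("method"),
                       "path": m.group("path"), "status": int(m.group("status"))})
    return events


def correlate_views_then_pdf(lines, window_seconds=300):
    """Pair each successful POST to the views endpoint with the next PDF export
    by the same user within window_seconds; one hit per POST."""
    events = sorted(parse_access_log(lines), key=lambda e: e["ts"])
    hits = []
    for i, ev in enumerate(events):
        if ev["method"] != "POST" or VIEWS_ENDPOINT not in ev["path"] or ev["status"] >= 400:
            continue
        for later in events[i + 1:]:
            if later["ts"] - ev["ts"] > timedelta(seconds=window_seconds):
                break   # events are sorted, nothing later can be inside the window
            if later["user"] == ev["user"] and PDF_EXPORT_MARKER in later["path"]:
                hits.append({"user": ev["user"], "views_post": ev["ts"], "pdf_export": later["ts"]})
                break
    return hits


# Constructed sample dashboard: one benign lineColor, one injected fillColor.
SAMPLE_DASHBOARD = """<dashboard>
  <label>Constructed sample</label>
  <row><panel><table>
    <search><query>index=_internal | timechart count</query></search>
    <format type="sparkline" field="count">
      <option name="lineColor">#5379AF</option>
      <option name="fillColor">__import__('os').system('id')</option>
    </format>
  </table></panel></row>
</dashboard>"""

# Constructed access-log lines: alice saves a view, then exports it 90 s later.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - alice [03/Nov/2022:10:00:00.000 +0000] "POST /en-US/splunkd/__raw/servicesNS/nobody/search/data/ui/views HTTP/1.1" 201 512',
    '10.0.0.5 - alice [03/Nov/2022:10:01:30.000 +0000] "GET /en-US/splunkd/__raw/services/pdfgen/render?input-dashboard=x HTTP/1.1" 200 4096',
    '10.0.0.9 - bob [03/Nov/2022:10:02:00.000 +0000] "GET /en-US/app/search/dashboards HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for f in scan_dashboard_xml(SAMPLE_DASHBOARD, "constructed_sample"):
        print("dashboard finding:", f)
    for h in correlate_views_then_pdf(SAMPLE_ACCESS_LOG):
        print("sequence finding:", h)
```

The XML check deliberately alerts on anything that is not a color literal rather than only on the marker list, so an obfuscated payload still surfaces as `non-color-value`; the marker list only sharpens the reason. The log correlation keys on user and a short window because the PDF export is what reaches the execution path, so a saved view with no export is low priority on its own.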