CVE-2022-43571
Published: 2022-11-03
Priority: P2 · 68 · high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit: EPSS 14.31% (96.2th percentile)
In Splunk Enterprise versions below 8.2.9, 8.1.12, and 9.0.2, an authenticated user can execute arbitrary code through the dashboard PDF generation component.
Affected (7 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| splunk | splunk | >= 8.1.0 < 8.1.12 | 8.1.12 |
| splunk | splunk | >= 8.2.0 < 8.2.9 | 8.2.9 |
| splunk | splunk | >= 9.0.0 < 9.0.2 | 9.0.2 |
| splunk | splunk_cloud_platform | < 9.0.2209 | 9.0.2209 |
| splunk | splunk_enterprise | >= 8.1 < 8.1.12 | 8.1.12 |
| splunk | splunk_enterprise | >= 8.2 < 8.2.9 | 8.2.9 |
| splunk | splunk_enterprise | >= 9.0 < 9.0.2 | 9.0.2 |
Detection & IOCs (extracted from sources)
- Monitor Splunk dashboard SimpleXML definitions for Python code injected into style parameters such as fillColor or lineColor of sparkline elements.
- Alert on authenticated POST requests to Splunk's dashboard/views API endpoint followed closely by a PDF export trigger, which is the execution vector for this vulnerability.
- Inspect Splunk dashboard XML payloads for embedded Python expressions or imports within sparkline chart style attributes (fillColor, lineColor), which are not expected in legitimate dashboards.
- Flag Splunk Enterprise instances running versions below 8.1.12, 8.2.0–8.2.9, or 9.0.0–9.0.2 as vulnerable to this authenticated RCE via PDF generation.
- Exploitation requires an authenticated session; unauthenticated access alone is insufficient to trigger this RCE.
- The vulnerability is specifically triggered via the PDF export function; dashboards that are never exported to PDF do not expose the execution path.
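The dashboard-inspection check from the bullets above, as an added example that is not part of this record or of Splunk's own tooling: it parses a dashboard's SimpleXML and flags any sparkline fillColor/lineColor option whose value is not a plain colour. It assumes the SimpleXML layout of a `<format type="sparkline">` element with `<option name="...">` children, and runs over a constructed sample dashboard.

```python
import re
import xml.etree.ElementTree as ET

# Sparkline style options that should only ever carry a colour value.
STYLE_OPTIONS = {"fillColor", "lineColor"}

# Allow-list of colour forms: #rgb / #rrggbb, rgb()/rgba() with numeric
# arguments, or a single bare word (named colour). Anything else is anomalous.
COLOR_RE = re.compile(
    r"^\s*(#[0-9a-fA-F]{3}([0-9a-fA-F]{3})?"
    r"|rgba?\(\s*\d+(\s*,\s*\d+){2}(\s*,\s*(\d+(\.\d+)?|\.\d+))?\s*\)"
    r"|[A-Za-z]+)\s*$"
)

# Constructed sample dashboard (assumed SimpleXML layout); the fillColor value
# is a harmless non-colour string standing in for injected content.
SAMPLE_DASHBOARD = """<dashboard>
  <label>Constructed sample</label>
  <row><panel><table>
    <search><query>index=_internal | stats sparkline count by component</query></search>
    <format type="sparkline" field="sparkline">
      <option name="type">line</option>
      <option name="lineColor">#5379af</option>
      <option name="fillColor">[c for c in range(3)]</option>
    </format>
  </table></panel></row>
</dashboard>"""


def find_suspicious_style_values(dashboard_xml: str):
    """Return (option_name, value) pairs for sparkline style options whose
    value is not a plain colour; such values are unexpected in a legitimate
    dashboard and are worth alerting on before any PDF export runs."""
    root = ET.fromstring(dashboard_xml)
    findings = []
    for fmt in root.iter("format"):
        if fmt.get("type") != "sparkline":
            continue
        for opt in fmt.findall("option"):
            name = opt.get("name")
            if name in STYLE_OPTIONS:
                value = (opt.text or "").strip()
                if not COLOR_RE.match(value):
                    findings.append((name, value))
    return findings


if __name__ == "__main__":
    for name, value in find_suspicious_style_values(SAMPLE_DASHBOARD):
        print(f"ALERT: sparkline option {name!r} carries non-colour value {value!r}")
```

Run it against exported dashboard XML (for example from a backup of `$SPLUNK_HOME/etc/apps/*/local/data/ui/views/`) to review existing dashboards, or feed it the body of dashboard-creation requests captured at the API layer.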
No detection rules found.
No writeups or analysis indexed.
References:
- https://research.splunk.com/application/b06b41d7-9570-4985-8137-0784f582a1b3/
- https://www.splunk.com/en_us/product-security/announcements/svd-2022-1111.html