CVE-2022-43571: SVD-2022-1111 | Splunk
In Splunk Enterprise versions below 8.2.9, 8.1.12, and 9.0.2, an authenticated user can execute arbitrary code through the dashboard PDF generation component.
Advisory ID: SVD-2022-1111
Published: 2022-11-02
CVSSv3.1 Score: 8.8, High
CWE: CWE-94
CVE ID: CVE-2022-43571
Last Update: 2022-11-02
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Bug ID: SPL-228720
Description
In Splunk Enterprise versions below 8.2.9, 8.1.12, and 9.0.2, an authenticated user can execute arbitrary code through the dashboard PDF generation component.
Solution
For Splunk Enterprise, upgrade to version 8.1.12, 8.2.9, 9.0.2, or higher.
For Splunk Cloud Platform versions below 9.0.2209, Splunk is actively patching and monitoring the Splunk Cloud instances. To request an immediate upgrade, determine which version of Splunk Cloud Platform you’re running, then create a new support case.
Product Status

| Product | Version | Component | Affected Version | Fixed Version |
|---|---|---|---|---|
| Splunk Enterprise | 8.1 | - | 8.1.11 and lower | 8.1.12 |
| Splunk Enterprise | 8.2 | - | 8.2.0 to 8.2.8 | 8.2.9 |
| Splunk Enterprise | 9.0 | - | 9.0.0 to 9.0.1 | 9.0.2 |
| Splunk Cloud Platform | - | - | 9.0.2208 and lower | 9.0.2209 |
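
The Product Status data above can be applied to a deployment inventory to triage which instances still need the upgrade. The following is an added example, not part of Splunk's advisory: the hostnames and inventory are constructed, and the function names and the `not-listed` status for release lines absent from the table are assumptions of this sketch.

```python
import re

# Fixed versions per Splunk Enterprise release line, from the Product Status table.
ENTERPRISE_FIXED = {(8, 1): (8, 1, 12), (8, 2): (8, 2, 9), (9, 0): (9, 0, 2)}
# Splunk Cloud Platform: 9.0.2208 and lower affected, fixed in 9.0.2209.
CLOUD_FIXED = (9, 0, 2209)


def parse_version(text):
    """Parse 'X.Y.Z' (any trailing suffix is ignored) into an int tuple."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g or 0) for g in m.groups())


def assess(product, version):
    """Return (status, fixed_version) for one product/version pair.

    status is 'affected', 'fixed', or 'not-listed' (an older release line
    that the table does not cover, so it needs manual review).
    """
    v = parse_version(version)
    if product == "cloud":
        fixed = CLOUD_FIXED
    elif product == "enterprise":
        fixed = ENTERPRISE_FIXED.get(v[:2])
        if fixed is None:
            # Newer lines fall under "or higher"; older lines are not in the table.
            return ("fixed", None) if v[:2] > (9, 0) else ("not-listed", None)
    else:
        raise ValueError(f"unknown product: {product!r}")
    status = "affected" if v < fixed else "fixed"
    return status, ".".join(map(str, fixed))


# Constructed inventory for illustration; hostnames are hypothetical.
INVENTORY = [
    ("sh01.example.internal", "enterprise", "8.2.8"),
    ("sh02.example.internal", "enterprise", "9.0.2"),
    ("idx01.example.internal", "enterprise", "8.1.11.1"),
    ("hf01.example.internal", "enterprise", "8.0.9"),
    ("stack-a", "cloud", "9.0.2208"),
]

if __name__ == "__main__":
    for host, product, version in INVENTORY:
        status, fixed = assess(product, version)
        print(f"{host:24} {product:10} {version:10} {status:10} fix={fixed}")
```
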
Mitigations and Workarounds
None
Detections
Splunk Code Injection via custom dashboard leading to RCE
This detection search provides information about a vulnerability in Splunk Enterprise versions below 8.1.12, 8.2.9, 9.0.2209 and 9.0.2 where an authenticated user can execute arbitrary code remotely through the dashboard PDF generation component.
**Severity**
Splunk rates the vulnerability as High, 8.8, with a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability requires user access to create a dashboard.
Acknowledgments
Danylo Dmytriiev (DDV_UA)
Questions? Submit your question to Splunk Support.