CVE-2022-43563 - OpenCVE

In Splunk Enterprise versions below 8.2.9 and 8.1.12, the way that the rex search command handles field names lets an attacker bypass SPL safeguards for risky commands https://docs.splunk.com/Documentation/SplunkCloud/latest/Security/SPLsafeguards . The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The attacker cannot exploit the vulnerability at will.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Splunk	Splunk Splunk Cloud Platform

Configuration 1 [-]

OR	cpe:2.3:a:splunk:splunk:::::enterprise:::*
	cpe:2.3:a:splunk:splunk:::::enterprise:::*
	cpe:2.3:a:splunk:splunk_cloud_platform::::::::

No data.

References

Link	Providers
https://www.splunk.com/en_us/product-security/announcements/svd-2022-1103.html

History

No history.

MITRE

Status: PUBLISHED

Assigner: Splunk

Published: 2022-11-04T22:19:55.669Z

Updated: 2024-08-03T13:32:59.588Z

Reserved: 2022-10-20T18:37:09.181Z

Link: CVE-2022-43563

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-11-04T23:15:09.887

Modified: 2023-11-07T03:53:56.263

Link: CVE-2022-43563

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-43563", "assignerOrgId": "42b59230-ec95-491e-8425-5a5befa1a469", "state": "PUBLISHED", "assignerShortName": "Splunk", "requesterUserId": "d03a2723-f9e2-46d2-8173-16ee7d33f715", "dateReserved": "2022-10-20T18:37:09.181Z", "datePublished": "2022-11-04T22:19:55.669Z", "dateUpdated": "2024-08-03T13:32:59.588Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "product": "Splunk Enterprise", "vendor": "Splunk", "versions": [{"lessThan": "8.1.12", "status": "affected", "version": "8.1", "versionType": "custom"}, {"lessThan": "8.2.9", "status": "affected", "version": "8.2", "versionType": "custom"}]}], "datePublic": "2022-11-02T16:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">In Splunk Enterprise versions below 8.2.9 and 8.1.12, the way that the rex search command handles field names lets an attacker bypass </span><a target=\"_blank\" rel=\"nofollow\" href=\"https://docs.splunk.com/Documentation/SplunkCloud/latest/Security/SPLsafeguards\">SPL safeguards for risky commands</a><span style=\"background-color: rgb(255, 255, 255);\">. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The attacker cannot exploit the vulnerability at will.</span><br>"}], "value": "In Splunk Enterprise versions below 8.2.9 and 8.1.12, the way that the rex search command handles field names lets an attacker bypass SPL safeguards for risky commands https://docs.splunk.com/Documentation/SplunkCloud/latest/Security/SPLsafeguards . The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The attacker cannot exploit the vulnerability at will.\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "42b59230-ec95-491e-8425-5a5befa1a469", "shortName": "Splunk", "dateUpdated": "2022-11-04T22:19:55.669Z"}, "references": [{"url": "https://www.splunk.com/en_us/product-security/announcements/svd-2022-1103.html"}], "source": {"advisory": "SVD-2022-1103", "discovery": "INTERNAL"}, "title": "Risky command safeguards bypass via rex search command field names in Splunk Enterprise"}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T13:32:59.588Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.splunk.com/en_us/product-security/announcements/svd-2022-1103.html", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "697F9803-FC99-4149-A4E5-55A3A8CB1D18", "versionEndExcluding": "8.1.12", "versionStartIncluding": "8.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "07617B0C-3704-4DB5-B416-94B77A5C2EEE", "versionEndExcluding": "8.2.9", "versionStartIncluding": "8.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*", "matchCriteriaId": "918AC184-EBFB-4715-BA0F-B848FA9503FF", "versionEndExcluding": "9.0.2203", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In Splunk Enterprise versions below 8.2.9 and 8.1.12, the way that the rex search command handles field names lets an attacker bypass SPL safeguards for risky commands https://docs.splunk.com/Documentation/SplunkCloud/latest/Security/SPLsafeguards . The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The attacker cannot exploit the vulnerability at will.\n"}, {"lang": "es", "value": "En las versiones de Splunk Enterprise inferiores a 8.2.9 y 8.1.12, la forma en que el comando de b\u00fasqueda rex maneja los nombres de los campos permite a un atacante omitir las protecciones de SPL para comandos riesgosos https://docs.splunk.com/Documentation/SplunkCloud/latest/Security/ Salvaguardias SPL. La vulnerabilidad requiere que el atacante realice phishing a la v\u00edctima enga\u00f1\u00e1ndola para que inicie una solicitud dentro de su navegador. El atacante no puede explotar la vulnerabilidad a voluntad."}], "id": "CVE-2022-43563", "lastModified": "2023-11-07T03:53:56.263", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "prodsec@splunk.com", "type": "Secondary"}]}, "published": "2022-11-04T23:15:09.887", "references": [{"source": "prodsec@splunk.com", "tags": ["Vendor Advisory"], "url": "https://www.splunk.com/en_us/product-security/announcements/svd-2022-1103.html"}], "sourceIdentifier": "prodsec@splunk.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-20"}], "source": "prodsec@splunk.com", "type": "Secondary"}]}