CVE-2022-43565 - OpenCVE

In Splunk Enterprise versions below 8.2.9 and 8.1.12, the way that the ‘tstats command handles Javascript Object Notation (JSON) lets an attacker bypass SPL safeguards for risky commands https://docs.splunk.com/Documentation/SplunkCloud/latest/Security/SPLsafeguards . The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Splunk	Splunk Splunk Cloud Platform

Configuration 1 [-]

OR	cpe:2.3:a:splunk:splunk:::::enterprise:::*
	cpe:2.3:a:splunk:splunk:::::enterprise:::*
	cpe:2.3:a:splunk:splunk_cloud_platform::::::::

No data.

References

Link	Providers
https://www.splunk.com/en_us/product-security/announcements/svd-2022-1105.html

History

No history.

MITRE

Status: PUBLISHED

Assigner: Splunk

Published: 2022-11-04T22:20:55.783Z

Updated: 2024-08-03T13:32:59.756Z

Reserved: 2022-10-20T18:37:09.181Z

Link: CVE-2022-43565

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-11-04T23:15:10.023

Modified: 2023-11-07T03:53:56.390

Link: CVE-2022-43565

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-43565", "assignerOrgId": "42b59230-ec95-491e-8425-5a5befa1a469", "state": "PUBLISHED", "assignerShortName": "Splunk", "requesterUserId": "d03a2723-f9e2-46d2-8173-16ee7d33f715", "dateReserved": "2022-10-20T18:37:09.181Z", "datePublished": "2022-11-04T22:20:55.783Z", "dateUpdated": "2024-08-03T13:32:59.756Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "product": "Splunk Enterprise", "vendor": "Splunk", "versions": [{"lessThan": "8.1.12", "status": "affected", "version": "8.1", "versionType": "custom"}, {"lessThan": "8.2.9", "status": "affected", "version": "8.2", "versionType": "custom"}]}], "datePublic": "2022-11-02T16:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">In Splunk Enterprise versions below 8.2.9 and 8.1.12, the way that the \u2018tstats command handles Javascript Object Notation (JSON) lets an attacker bypass </span><a target=\"_blank\" rel=\"nofollow\" href=\"https://docs.splunk.com/Documentation/SplunkCloud/latest/Security/SPLsafeguards\">SPL safeguards for risky commands</a><span style=\"background-color: rgb(255, 255, 255);\">. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. </span><br>"}], "value": "In Splunk Enterprise versions below 8.2.9 and 8.1.12, the way that the \u2018tstats command handles Javascript Object Notation (JSON) lets an attacker bypass SPL safeguards for risky commands https://docs.splunk.com/Documentation/SplunkCloud/latest/Security/SPLsafeguards . The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. \n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "42b59230-ec95-491e-8425-5a5befa1a469", "shortName": "Splunk", "dateUpdated": "2022-11-04T22:20:55.783Z"}, "references": [{"url": "https://www.splunk.com/en_us/product-security/announcements/svd-2022-1105.html"}], "source": {"advisory": "SVD-2022-1105", "discovery": "INTERNAL"}, "title": "Risky command safeguards bypass via \u2018tstats command JSON in Splunk Enterprise"}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T13:32:59.756Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.splunk.com/en_us/product-security/announcements/svd-2022-1105.html", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "697F9803-FC99-4149-A4E5-55A3A8CB1D18", "versionEndExcluding": "8.1.12", "versionStartIncluding": "8.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "07617B0C-3704-4DB5-B416-94B77A5C2EEE", "versionEndExcluding": "8.2.9", "versionStartIncluding": "8.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*", "matchCriteriaId": "918AC184-EBFB-4715-BA0F-B848FA9503FF", "versionEndExcluding": "9.0.2203", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In Splunk Enterprise versions below 8.2.9 and 8.1.12, the way that the \u2018tstats command handles Javascript Object Notation (JSON) lets an attacker bypass SPL safeguards for risky commands https://docs.splunk.com/Documentation/SplunkCloud/latest/Security/SPLsafeguards . The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. \n"}, {"lang": "es", "value": "En las versiones de Splunk Enterprise inferiores a 8.2.9 y 8.1.12, la forma en que el comando ?tstats maneja la Notaci\u00f3n de Objetos JavaScript (JSON) permite a un atacante eludir las protecciones de SPL para comandos con riesgo https://docs.splunk.com/Documentation/SplunkCloud/ \u00faltimo/Security/SPLsafeguards. La vulnerabilidad requiere que el atacante realice phishing a la v\u00edctima enga\u00f1\u00e1ndola para que inicie una solicitud dentro de su navegador."}], "id": "CVE-2022-43565", "lastModified": "2023-11-07T03:53:56.390", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "prodsec@splunk.com", "type": "Secondary"}]}, "published": "2022-11-04T23:15:10.023", "references": [{"source": "prodsec@splunk.com", "tags": ["Vendor Advisory"], "url": "https://www.splunk.com/en_us/product-security/announcements/svd-2022-1105.html"}], "sourceIdentifier": "prodsec@splunk.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-20"}], "source": "prodsec@splunk.com", "type": "Secondary"}]}