CVE-2022-43566 - Vulnerability Details - OpenCVE

ReportizFlow

In Splunk Enterprise versions below 8.2.9, 8.1.12, and 9.0.2, an authenticated user can run risky commands using a more privileged user’s permissions to bypass SPL safeguards for risky commands https://docs.splunk.com/Documentation/SplunkCloud/latest/Security/SPLsafeguards in the Analytics Workspace. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The attacker cannot exploit the vulnerability at will.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Splunk	Splunk Splunk Cloud Platform

Configuration 1 [-]

OR	cpe:2.3:a:splunk:splunk:::::enterprise:::*
	cpe:2.3:a:splunk:splunk:::::enterprise:::*
	cpe:2.3:a:splunk:splunk:::::enterprise:::*
	cpe:2.3:a:splunk:splunk_cloud_platform::::::::

No data.

References

Link	Providers
https://research.splunk.com/application/b6d77c6c-f011-4b03-8650-8f10edb7c4a8/
https://www.splunk.com/en_us/product-security/announcements/svd-2022-1106.html

History

Mon, 05 May 2025 21:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: Splunk

Published: 2022-11-04T22:21:21.337Z

Updated: 2025-05-05T20:34:58.924Z

Reserved: 2022-10-20T18:37:09.182Z

Link: CVE-2022-43566

Vulnrichment

Updated: 2024-08-03T13:32:59.752Z

NVD

Status : Modified

Published: 2022-11-04T23:15:10.080

Modified: 2024-11-21T07:26:47.917

Link: CVE-2022-43566

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-43566", "assignerOrgId": "42b59230-ec95-491e-8425-5a5befa1a469", "state": "PUBLISHED", "assignerShortName": "Splunk", "requesterUserId": "d03a2723-f9e2-46d2-8173-16ee7d33f715", "dateReserved": "2022-10-20T18:37:09.182Z", "datePublished": "2022-11-04T22:21:21.337Z", "dateUpdated": "2025-05-05T20:34:58.924Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "product": "Splunk Enterprise", "vendor": "Splunk", "versions": [{"lessThan": "8.1.12", "status": "affected", "version": "8.1", "versionType": "custom"}, {"lessThan": "8.2.9", "status": "affected", "version": "8.2", "versionType": "custom"}, {"lessThan": "9.0.2", "status": "affected", "version": "9.0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Anton (therceman)"}], "datePublic": "2022-11-02T16:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">In Splunk Enterprise versions below 8.2.9, 8.1.12, and 9.0.2, an authenticated user can run risky commands using a more privileged user\u2019s permissions to bypass </span><a target=\"_blank\" rel=\"nofollow\" href=\"https://docs.splunk.com/Documentation/SplunkCloud/latest/Security/SPLsafeguards\">SPL safeguards for risky commands</a><span style=\"background-color: rgb(255, 255, 255);\"> in the Analytics Workspace. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The attacker cannot exploit the vulnerability at will.</span><br>"}], "value": "In Splunk Enterprise versions below 8.2.9, 8.1.12, and 9.0.2, an authenticated user can run risky commands using a more privileged user\u2019s permissions to bypass SPL safeguards for risky commands https://docs.splunk.com/Documentation/SplunkCloud/latest/Security/SPLsafeguards \u00a0in the Analytics Workspace. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The attacker cannot exploit the vulnerability at will.\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "42b59230-ec95-491e-8425-5a5befa1a469", "shortName": "Splunk", "dateUpdated": "2022-11-04T22:21:21.337Z"}, "references": [{"url": "https://www.splunk.com/en_us/product-security/announcements/svd-2022-1106.html"}, {"url": "https://research.splunk.com/application/b6d77c6c-f011-4b03-8650-8f10edb7c4a8/"}], "source": {"advisory": "SVD-2022-1106", "discovery": "EXTERNAL"}, "title": "Risky command safeguards bypass via Search ID query in Analytics Workspace in Splunk Enterprise"}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T13:32:59.752Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.splunk.com/en_us/product-security/announcements/svd-2022-1106.html", "tags": ["x_transferred"]}, {"url": "https://research.splunk.com/application/b6d77c6c-f011-4b03-8650-8f10edb7c4a8/", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-05T20:34:42.699126Z", "id": "CVE-2022-43566", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-05T20:34:58.924Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.splunk.com/en_us/product-security/announcements/svd-2022-1106.html", "tags": ["x_transferred"]}, {"url": "https://research.splunk.com/application/b6d77c6c-f011-4b03-8650-8f10edb7c4a8/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T13:32:59.752Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-43566", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-05-05T20:34:42.699126Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-05T20:34:52.903Z"}}], "cna": {"title": "Risky command safeguards bypass via Search ID query in Analytics Workspace in Splunk Enterprise", "source": {"advisory": "SVD-2022-1106", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Anton (therceman)"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Splunk", "product": "Splunk Enterprise", "versions": [{"status": "affected", "version": "8.1", "lessThan": "8.1.12", "versionType": "custom"}, {"status": "affected", "version": "8.2", "lessThan": "8.2.9", "versionType": "custom"}, {"status": "affected", "version": "9.0", "lessThan": "9.0.2", "versionType": "custom"}], "defaultStatus": "affected"}], "datePublic": "2022-11-02T16:00:00.000Z", "references": [{"url": "https://www.splunk.com/en_us/product-security/announcements/svd-2022-1106.html"}, {"url": "https://research.splunk.com/application/b6d77c6c-f011-4b03-8650-8f10edb7c4a8/"}], "descriptions": [{"lang": "en", "value": "In Splunk Enterprise versions below 8.2.9, 8.1.12, and 9.0.2, an authenticated user can run risky commands using a more privileged user\u2019s permissions to bypass SPL safeguards for risky commands https://docs.splunk.com/Documentation/SplunkCloud/latest/Security/SPLsafeguards \u00a0in the Analytics Workspace. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The attacker cannot exploit the vulnerability at will.\n", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">In Splunk Enterprise versions below 8.2.9, 8.1.12, and 9.0.2, an authenticated user can run risky commands using a more privileged user\u2019s permissions to bypass </span><a target=\"_blank\" rel=\"nofollow\" href=\"https://docs.splunk.com/Documentation/SplunkCloud/latest/Security/SPLsafeguards\">SPL safeguards for risky commands</a><span style=\"background-color: rgb(255, 255, 255);\"> in the Analytics Workspace. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The attacker cannot exploit the vulnerability at will.</span><br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20 Improper Input Validation"}]}], "providerMetadata": {"orgId": "42b59230-ec95-491e-8425-5a5befa1a469", "shortName": "Splunk", "dateUpdated": "2022-11-04T22:21:21.337Z"}}}, "cveMetadata": {"cveId": "CVE-2022-43566", "state": "PUBLISHED", "dateUpdated": "2025-05-05T20:34:58.924Z", "dateReserved": "2022-10-20T18:37:09.182Z", "assignerOrgId": "42b59230-ec95-491e-8425-5a5befa1a469", "datePublished": "2022-11-04T22:21:21.337Z", "requesterUserId": "d03a2723-f9e2-46d2-8173-16ee7d33f715", "assignerShortName": "Splunk"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "697F9803-FC99-4149-A4E5-55A3A8CB1D18", "versionEndExcluding": "8.1.12", "versionStartIncluding": "8.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "07617B0C-3704-4DB5-B416-94B77A5C2EEE", "versionEndExcluding": "8.2.9", "versionStartIncluding": "8.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "867EFF29-96B9-44EF-93CE-8E7DB77B086E", "versionEndExcluding": "9.0.2", "versionStartIncluding": "9.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*", "matchCriteriaId": "968C9207-1208-43E0-ABA5-1008BE594FDF", "versionEndExcluding": "9.0.2208", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In Splunk Enterprise versions below 8.2.9, 8.1.12, and 9.0.2, an authenticated user can run risky commands using a more privileged user\u2019s permissions to bypass SPL safeguards for risky commands https://docs.splunk.com/Documentation/SplunkCloud/latest/Security/SPLsafeguards \u00a0in the Analytics Workspace. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The attacker cannot exploit the vulnerability at will.\n"}, {"lang": "es", "value": "En las versiones de Splunk Enterprise anteriores a 8.2.9, 8.1.12 y 9.0.2, un usuario autenticado puede ejecutar comandos con riesgo utilizando los permisos de un usuario con m\u00e1s privilegios para evitar las protecciones de SPL para comandos con riesgo https://docs.splunk.com/ Documentaci\u00f3n/SplunkCloud/latest/Security/SPLsafeguards en el espacio de trabajo de Analytics. La vulnerabilidad requiere que el atacante realice phishing a la v\u00edctima enga\u00f1\u00e1ndola para que inicie una solicitud dentro de su navegador. El atacante no puede explotar la vulnerabilidad a voluntad."}], "id": "CVE-2022-43566", "lastModified": "2024-11-21T07:26:47.917", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 5.2, "source": "[email protected]", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 5.9, "source": "[email protected]", "type": "Primary"}]}, "published": "2022-11-04T23:15:10.080", "references": [{"source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"], "url": "https://research.splunk.com/application/b6d77c6c-f011-4b03-8650-8f10edb7c4a8/"}, {"source": "[email protected]", "tags": ["Vendor Advisory"], "url": "https://www.splunk.com/en_us/product-security/announcements/svd-2022-1106.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Vendor Advisory"], "url": "https://research.splunk.com/application/b6d77c6c-f011-4b03-8650-8f10edb7c4a8/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.splunk.com/en_us/product-security/announcements/svd-2022-1106.html"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "[email protected]", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-20"}], "source": "[email protected]", "type": "Primary"}]}