CVE-2022-23254
Published: 09 February 2022
Summary
CVE-2022-23254 is a medium-severity vulnerability of unspecified weakness type in Microsoft Powerbi-Client JS SDK. Its CVSS base score is 4.9 (Medium).
Operationally, it is ranked in the top 9.2% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
Deeper analysis
Microsoft Power BI contains an information disclosure vulnerability tracked as CVE-2022-23254. The flaw received a CVSS 3.1 score of 4.9 and is described by Microsoft as allowing unauthorized exposure of sensitive data when exploited under the listed conditions.
An attacker with high privileges can reach the affected Power BI component over the network with low attack complexity and no user interaction required. Successful exploitation yields high-impact disclosure of confidential information while leaving integrity and availability untouched.
Microsoft’s security update guide entry for CVE-2022-23254 directs administrators to the corresponding patch or configuration guidance published in the Microsoft Security Response Center. The associated EPSS score has remained flat at 0.0593 with no observed rise after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-28341
Vulnerability details
Microsoft Power BI Information Disclosure Vulnerability
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.