Cyber Resilience

CVE-2022-23254

Medium

Published: 09 February 2022

Modified: 21 November 2024
KEV Added
Patch
CVSS Score v3.1: 4.9 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0593 (90.8th percentile)
Risk Priority: 13 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-23254 is a medium-severity vulnerability with an unspecified weakness type in the Microsoft powerbi-client JS SDK. Its CVSS base score is 4.9 (Medium).

Operationally, it ranks in the top 9.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

Microsoft Power BI contains an information disclosure vulnerability tracked as CVE-2022-23254. The flaw received a CVSS 3.1 score of 4.9 and is described by Microsoft as allowing unauthorized exposure of sensitive data when exploited under the listed conditions.

An attacker with high privileges can reach the affected Power BI component over the network with low attack complexity and no user interaction required. Successful exploitation yields high-impact disclosure of confidential information while leaving integrity and availability untouched.

Microsoft’s security update guide entry for CVE-2022-23254 directs administrators to the corresponding patch or configuration guidance published in the Microsoft Security Response Center. The associated EPSS score has remained flat at 0.0593 with no observed rise after disclosure.

Vulnerability details

Microsoft Power BI Information Disclosure Vulnerability

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

microsoft powerbi-client js sdk, versions ≤ 2.19.1

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.