CVE-2022-23254: Microsoft Power BI Information Disclosure Vulnerability

Overview

Severity: Medium (CVSS 4.9)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Category: Information Disclosure
Exploit Status: Not Exploited
Exploitation Likelihood: Less Likely
Patch Tuesday: 2022-Feb
Released: 2022-02-08
Last Updated: 2022-02-08
EPSS Score: 5.93% (percentile: 90.6%)

FAQ

What actions do I need to take to be protected from this vulnerability?

The main update will be automatically pushed to all affected products and services. We recommend that customers update PowerBI Client JS SDK to version 2.19.1. The package can be downloaded from NPM or NuGet Gallery.

How do I know if I am affected?

Our team will contact customers that are affected by this vulnerability. We recommend that affected customers save their Power Apps to ensure the fix takes effect as expected.

Affected Products (1)

SQL Server

  • PowerBI-client JS SDK

Security Updates (1)

Revision History

  • 2022-02-08: Information published.
  • 2022-02-08: Corrected the CVE title and description to address the vulnerability as Information Disclosure. In the Affected Products table, corrected the Impact to Information Disclosure. This is an informational change only.