CVE-2022-22127

HIGH severity | CVSS 7.2/10 | EPSS 0.97%

CVE-2022-22127 is a high-severity vulnerability rated 7.2/10 on the CVSS scale. Tableau is aware of a broken access control vulnerability present in Tableau Server affecting Tableau Server customers using Local Identity Store for managing users. The vulnerability allows a malicious site administrator to change passwords for users in different sites hosted on the same Tableau Server, resulting in the potential for unauthorized access to data. Tableau Server versions affected are: 2020.4.16, 2021.1.13, 2021.2.10, 2021.3.9, 2021.4.4 and earlier. Note: All future releases of Tableau Server will address this security issue. EPSS estimates a 0.97% chance of exploitation in the next 30 days.

Description

Tableau is aware of a broken access control vulnerability present in Tableau Server affecting Tableau Server customers using Local Identity Store for managing users. The vulnerability allows a malicious site administrator to change passwords for users in different sites hosted on the same Tableau Server, resulting in the potential for unauthorized access to data. Tableau Server versions affected are: 2020.4.16, 2021.1.13, 2021.2.10, 2021.3.9, 2021.4.4 and earlier. Note: All future releases of Tableau Server will address this security issue. Versions that are no longer supported are not tested and may be vulnerable.

Metrics

CVSS 3.1
7.2/10

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

EPSS Probability
0.97%

57.4th percentile

Probability of exploitation in the next 30 days.

Affected Software

Vendor    Product          Versions
Tableau   Tableau Server   >= 2020.4, <= 2020.4.16
Tableau   Tableau Server   >= 2021.1, <= 2021.1.13
Tableau   Tableau Server   >= 2021.2, <= 2021.2.10
Tableau   Tableau Server   >= 2021.3, <= 2021.3.9
Tableau   Tableau Server   >= 2021.4, <= 2021.4.4

References

Frequently Asked Questions

What is CVE-2022-22127?
Tableau is aware of a broken access control vulnerability present in Tableau Server affecting Tableau Server customers using Local Identity Store for managing users. The vulnerability allows a malicious site administrator to change passwords for users in different sites hosted on the same Tableau Server, resulting in the potential for unauthorized access to data. Tableau Server versions affected are: 2020.4.16, 2021.1.13, 2021.2.10, 2021.3.9, 2021.4.4 and earlier. Note: All future releases of Tableau Server will address this security issue. Versions that are no longer supported are not tested and may be vulnerable.
How severe is CVE-2022-22127?
CVE-2022-22127 has a CVSS score of 7.2/10 (HIGH severity). The EPSS model estimates a 0.97% probability of exploitation in the next 30 days.
How do I fix CVE-2022-22127?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2022-22127?

Run a free Strix scan to check your systems for this vulnerability.

Source: NVD / NIST