{ "id": "CVE-2022-41925", "sourceIdentifier": "security-advisories@github.com", "published": "2022-11-23T19:15:12.487", "lastModified": "2024-11-21T07:24:04.933", "vulnStatus": "Modified", "cveTags": [], "descriptions": [ { "lang": "en", "value": "A vulnerability identified in the Tailscale client allows a malicious website to access the peer API, which can then be used to access Tailscale environment variables. In the Tailscale client, the peer API was vulnerable to DNS rebinding. This allowed an attacker-controlled website visited by the node to rebind DNS for the peer API to an attacker-controlled DNS server, and then make peer API requests in the client, including accessing the node\u2019s Tailscale environment variables. An attacker with access to the peer API on a node could use that access to read the node\u2019s environment variables, including any credentials or secrets stored in environment variables. This may include Tailscale authentication keys, which could then be used to add new nodes to the user\u2019s tailnet. The peer API access could also be used to learn of other nodes in the tailnet or send files via Taildrop. All Tailscale clients prior to version v1.32.3 are affected. Upgrade to v1.32.3 or later to remediate the issue." }, { "lang": "es", "value": "Una vulnerabilidad identificada en el cliente Tailscale permite que un sitio web malicioso acceda a la API del mismo nivel, que luego puede usarse para acceder a las variables de entorno de Tailscale. En el cliente Tailscale, la API del mismo nivel era vulnerable a la nueva vinculaci\u00f3n de DNS. Esto permiti\u00f3 que un sitio web controlado por un atacante visitado por el nodo volviera a vincular el DNS para la API del mismo nivel a un servidor DNS controlado por el atacante y luego realizara solicitudes de API del mismo nivel en el cliente, incluido el acceso a las variables de entorno Tailscale del nodo. Un atacante con acceso a la API del mismo nivel en un nodo podr\u00eda usar ese acceso para leer las variables de entorno del nodo, incluidas las credenciales o secretos almacenados en las variables de entorno. Esto puede incluir claves de autenticaci\u00f3n de Tailscale, que luego podr\u00edan usarse para agregar nuevos nodos a la tailnet del usuario. El acceso a la API de pares tambi\u00e9n podr\u00eda usarse para conocer otros nodos en la tailnet o enviar archivos a trav\u00e9s de Taildrop. Todos los clientes de Tailscale anteriores a la versi\u00f3n v1.32.3 se ven afectados. Actualice a v1.32.3 o posterior para solucionar el problema." } ], "metrics": { "cvssMetricV31": [ { "source": "nvd@nist.gov", "type": "Primary", "cvssData": { "version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH" }, "exploitabilityScore": 2.1, "impactScore": 6.0 } ], "cvssMetricV30": [ { "source": "security-advisories@github.com", "type": "Secondary", "cvssData": { "version": "3.0", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N", "baseScore": 3.8, "baseSeverity": "LOW", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE" }, "exploitabilityScore": 2.1, "impactScore": 1.4 } ] }, "weaknesses": [ { "source": "security-advisories@github.com", "type": "Primary", "description": [ { "lang": "en", "value": "CWE-352" } ] } ], "configurations": [ { "nodes": [ { "operator": "OR", "negate": false, "cpeMatch": [ { "vulnerable": true, "criteria": "cpe:2.3:a:tailscale:tailscale:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.32.3", "matchCriteriaId": "F2CCEDE3-89FA-4B6C-9BDA-4045A0090908" } ] } ] } ], "references": [ { "url": "https://emily.id.au/tailscale", "source": "security-advisories@github.com", "tags": [ "Exploit", "Technical Description", "Third Party Advisory" ] }, { "url": "https://github.com/tailscale/tailscale/security/advisories/GHSA-qccm-wmcq-pwr6", "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ] }, { "url": "https://tailscale.com/security-bulletins/#ts-2022-005", "source": "security-advisories@github.com", "tags": [ "Vendor Advisory" ] }, { "url": "https://emily.id.au/tailscale", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Technical Description", "Third Party Advisory" ] }, { "url": "https://github.com/tailscale/tailscale/security/advisories/GHSA-qccm-wmcq-pwr6", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ] }, { "url": "https://tailscale.com/security-bulletins/#ts-2022-005", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ] } ] }