CVE-2022-41925 (GCVE-0-2022-41925)

Vulnerability from cvelistv5 – Published: 2022-11-23 00:00 – Updated: 2025-04-22 16:01
VLAI?
Title
Tailscale daemon is vulnerable to information disclosure via CSRF
Summary
A vulnerability identified in the Tailscale client allows a malicious website to access the peer API, which can then be used to access Tailscale environment variables. In the Tailscale client, the peer API was vulnerable to DNS rebinding. This allowed an attacker-controlled website visited by the node to rebind DNS for the peer API to an attacker-controlled DNS server, and then making peer API requests in the client, including accessing the node’s Tailscale environment variables. An attacker with access to the peer API on a node could use that access to read the node’s environment variables, including any credentials or secrets stored in environment variables. This may include Tailscale authentication keys, which could then be used to add new nodes to the user’s tailnet. The peer API access could also be used to learn of other nodes in the tailnet or send files via Taildrop. All Tailscale clients prior to version v1.32.3 are affected. Upgrade to v1.32.3 or later to remediate the issue.
Severity ?
3.8 (Low)
CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
CWE
  • CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
Impacted products
Vendor Product Version
tailscale tailscale Affected: < 1.32.3
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T12:56:38.535Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/tailscale/tailscale/security/advisories/GHSA-qccm-wmcq-pwr6"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://emily.id.au/tailscale"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://tailscale.com/security-bulletins/#ts-2022-005"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-41925",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-22T15:41:13.012397Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-22T16:01:34.072Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "tailscale",
          "vendor": "tailscale",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.32.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability identified in the Tailscale client allows a malicious website to access the peer API, which can then be used to access Tailscale environment variables. In the Tailscale client, the peer API was vulnerable to DNS rebinding. This allowed an attacker-controlled website visited by the node to rebind DNS for the peer API to an attacker-controlled DNS server, and then making peer API requests in the client, including accessing the node\u2019s Tailscale environment variables. An attacker with access to the peer API on a node could use that access to read the node\u2019s environment variables, including any credentials or secrets stored in environment variables. This may include Tailscale authentication keys, which could then be used to add new nodes to the user\u2019s tailnet. The peer API access could also be used to learn of other nodes in the tailnet or send files via Taildrop. All Tailscale clients prior to version v1.32.3 are affected. Upgrade to v1.32.3 or later to remediate the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.8,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-352",
              "description": "CWE-352: Cross-Site Request Forgery (CSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-11-23T00:00:00.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "url": "https://github.com/tailscale/tailscale/security/advisories/GHSA-qccm-wmcq-pwr6"
        },
        {
          "url": "https://emily.id.au/tailscale"
        },
        {
          "url": "https://tailscale.com/security-bulletins/#ts-2022-005"
        }
      ],
      "source": {
        "advisory": "GHSA-qccm-wmcq-pwr6",
        "discovery": "UNKNOWN"
      },
      "title": "Tailscale daemon is vulnerable to information disclosure via CSRF"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2022-41925",
    "datePublished": "2022-11-23T00:00:00.000Z",
    "dateReserved": "2022-09-30T00:00:00.000Z",
    "dateUpdated": "2025-04-22T16:01:34.072Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:tailscale:tailscale:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"1.32.3\", \"matchCriteriaId\": \"F2CCEDE3-89FA-4B6C-9BDA-4045A0090908\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"A vulnerability identified in the Tailscale client allows a malicious website to access the peer API, which can then be used to access Tailscale environment variables. In the Tailscale client, the peer API was vulnerable to DNS rebinding. This allowed an attacker-controlled website visited by the node to rebind DNS for the peer API to an attacker-controlled DNS server, and then making peer API requests in the client, including accessing the node\\u2019s Tailscale environment variables. An attacker with access to the peer API on a node could use that access to read the node\\u2019s environment variables, including any credentials or secrets stored in environment variables. This may include Tailscale authentication keys, which could then be used to add new nodes to the user\\u2019s tailnet. The peer API access could also be used to learn of other nodes in the tailnet or send files via Taildrop. All Tailscale clients prior to version v1.32.3 are affected. Upgrade to v1.32.3 or later to remediate the issue.\"}, {\"lang\": \"es\", \"value\": \"Una vulnerabilidad identificada en el cliente Tailscale permite que un sitio web malicioso acceda a la API del mismo nivel, que luego puede usarse para acceder a las variables de entorno de Tailscale. En el cliente Tailscale, la API del mismo nivel era vulnerable a la nueva vinculaci\\u00f3n de DNS. Esto permiti\\u00f3 que un sitio web controlado por un atacante visitado por el nodo volviera a vincular el DNS para la API del mismo nivel a un servidor DNS controlado por el atacante y luego realizar solicitudes de API del mismo nivel en el cliente, incluido el acceso a las variables de entorno Tailscale del nodo. Un atacante con acceso a la API del mismo nivel en un nodo podr\\u00eda usar ese acceso para leer las variables de entorno del nodo, incluidas las credenciales o secretos almacenados en las variables de entorno. Esto puede incluir claves de autenticaci\\u00f3n de Tailscale, que luego podr\\u00edan usarse para agregar nuevos nodos a la red trasera del usuario. El acceso a la API de pares tambi\\u00e9n podr\\u00eda usarse para conocer otros nodos en la tailnet o enviar archivos a trav\\u00e9s de Taildrop. Todos los clientes de Tailscale anteriores a la versi\\u00f3n v1.32.3 se ven afectados. Actualice a v1.32.3 o posterior para solucionar el problema.\"}]",
      "id": "CVE-2022-41925",
      "lastModified": "2024-11-21T07:24:04.933",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H\", \"baseScore\": 8.8, \"baseSeverity\": \"HIGH\", \"attackVector\": \"ADJACENT_NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.1, \"impactScore\": 6.0}], \"cvssMetricV30\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.0\", \"vectorString\": \"CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N\", \"baseScore\": 3.8, \"baseSeverity\": \"LOW\", \"attackVector\": \"ADJACENT_NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.1, \"impactScore\": 1.4}]}",
      "published": "2022-11-23T19:15:12.487",
      "references": "[{\"url\": \"https://emily.id.au/tailscale\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Exploit\", \"Technical Description\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/tailscale/tailscale/security/advisories/GHSA-qccm-wmcq-pwr6\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://tailscale.com/security-bulletins/#ts-2022-005\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://emily.id.au/tailscale\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Technical Description\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/tailscale/tailscale/security/advisories/GHSA-qccm-wmcq-pwr6\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://tailscale.com/security-bulletins/#ts-2022-005\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-352\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-41925\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2022-11-23T19:15:12.487\",\"lastModified\":\"2024-11-21T07:24:04.933\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A vulnerability identified in the Tailscale client allows a malicious website to access the peer API, which can then be used to access Tailscale environment variables. In the Tailscale client, the peer API was vulnerable to DNS rebinding. This allowed an attacker-controlled website visited by the node to rebind DNS for the peer API to an attacker-controlled DNS server, and then making peer API requests in the client, including accessing the node\u2019s Tailscale environment variables. An attacker with access to the peer API on a node could use that access to read the node\u2019s environment variables, including any credentials or secrets stored in environment variables. This may include Tailscale authentication keys, which could then be used to add new nodes to the user\u2019s tailnet. The peer API access could also be used to learn of other nodes in the tailnet or send files via Taildrop. All Tailscale clients prior to version v1.32.3 are affected. Upgrade to v1.32.3 or later to remediate the issue.\"},{\"lang\":\"es\",\"value\":\"Una vulnerabilidad identificada en el cliente Tailscale permite que un sitio web malicioso acceda a la API del mismo nivel, que luego puede usarse para acceder a las variables de entorno de Tailscale. En el cliente Tailscale, la API del mismo nivel era vulnerable a la nueva vinculaci\u00f3n de DNS. Esto permiti\u00f3 que un sitio web controlado por un atacante visitado por el nodo volviera a vincular el DNS para la API del mismo nivel a un servidor DNS controlado por el atacante y luego realizar solicitudes de API del mismo nivel en el cliente, incluido el acceso a las variables de entorno Tailscale del nodo. Un atacante con acceso a la API del mismo nivel en un nodo podr\u00eda usar ese acceso para leer las variables de entorno del nodo, incluidas las credenciales o secretos almacenados en las variables de entorno. Esto puede incluir claves de autenticaci\u00f3n de Tailscale, que luego podr\u00edan usarse para agregar nuevos nodos a la red trasera del usuario. El acceso a la API de pares tambi\u00e9n podr\u00eda usarse para conocer otros nodos en la tailnet o enviar archivos a trav\u00e9s de Taildrop. Todos los clientes de Tailscale anteriores a la versi\u00f3n v1.32.3 se ven afectados. Actualice a v1.32.3 o posterior para solucionar el problema.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"ADJACENT_NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.1,\"impactScore\":6.0}],\"cvssMetricV30\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N\",\"baseScore\":3.8,\"baseSeverity\":\"LOW\",\"attackVector\":\"ADJACENT_NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.1,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-352\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:tailscale:tailscale:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.32.3\",\"matchCriteriaId\":\"F2CCEDE3-89FA-4B6C-9BDA-4045A0090908\"}]}]}],\"references\":[{\"url\":\"https://emily.id.au/tailscale\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Technical Description\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/tailscale/tailscale/security/advisories/GHSA-qccm-wmcq-pwr6\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://tailscale.com/security-bulletins/#ts-2022-005\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://emily.id.au/tailscale\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Technical Description\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/tailscale/tailscale/security/advisories/GHSA-qccm-wmcq-pwr6\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://tailscale.com/security-bulletins/#ts-2022-005\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/tailscale/tailscale/security/advisories/GHSA-qccm-wmcq-pwr6\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://emily.id.au/tailscale\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://tailscale.com/security-bulletins/#ts-2022-005\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T12:56:38.535Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-41925\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-04-22T15:41:13.012397Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-04-22T15:41:15.210Z\"}}], \"cna\": {\"title\": \"Tailscale daemon is vulnerable to information disclosure via CSRF\", \"source\": {\"advisory\": \"GHSA-qccm-wmcq-pwr6\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_0\": {\"scope\": \"CHANGED\", \"version\": \"3.0\", \"baseScore\": 3.8, \"attackVector\": \"ADJACENT_NETWORK\", \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"tailscale\", \"product\": \"tailscale\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 1.32.3\"}]}], \"references\": [{\"url\": \"https://github.com/tailscale/tailscale/security/advisories/GHSA-qccm-wmcq-pwr6\"}, {\"url\": \"https://emily.id.au/tailscale\"}, {\"url\": \"https://tailscale.com/security-bulletins/#ts-2022-005\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"A vulnerability identified in the Tailscale client allows a malicious website to access the peer API, which can then be used to access Tailscale environment variables. In the Tailscale client, the peer API was vulnerable to DNS rebinding. This allowed an attacker-controlled website visited by the node to rebind DNS for the peer API to an attacker-controlled DNS server, and then making peer API requests in the client, including accessing the node\\u2019s Tailscale environment variables. An attacker with access to the peer API on a node could use that access to read the node\\u2019s environment variables, including any credentials or secrets stored in environment variables. This may include Tailscale authentication keys, which could then be used to add new nodes to the user\\u2019s tailnet. The peer API access could also be used to learn of other nodes in the tailnet or send files via Taildrop. All Tailscale clients prior to version v1.32.3 are affected. Upgrade to v1.32.3 or later to remediate the issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-352\", \"description\": \"CWE-352: Cross-Site Request Forgery (CSRF)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2022-11-23T00:00:00.000Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2022-41925\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-04-22T16:01:34.072Z\", \"dateReserved\": \"2022-09-30T00:00:00.000Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2022-11-23T00:00:00.000Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.