TAN-2025-029

Tanium addressed an incorrect default permissions vulnerability in Benchmark, Comply, Discover, Partner Integration, Patch, and Performance.

Severity: Medium

Base Score: 6.5

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

Impact

This vulnerability could allow an authenticated Tanium user holding any of the following permissions to read and write all platform content: Partner Integration Service Account, Patch Service Account, Benchmark Service Account, Performance Components Manage, Discover Components Manage, Comply Components Manage.

Products Affected

2024H1 Release:

  • Benchmark prior to Update 23 (v2.7.98).

  • Comply prior to Update 23 (v2.24.159).

  • Discover prior to Update 22 (v4.10.118).

  • Partner Integration prior to Update 22 (v1.0.224).

  • Patch prior to Update 23 (v3.17.2300).

  • Performance prior to Update 23 (v1.17.134).

2024H2 Release:

  • Benchmark prior to Update 12 (v2.9.188).

  • Comply prior to Update 12 (v2.29.124).

  • Discover prior to Update 11 (v4.10.118).

  • Partner Integration prior to Update 11 (v1.2.33).

  • Patch prior to Update 12 (v3.19.232).

  • Performance prior to Update 12 (v1.21.141).

2025H1 Release:

  • Benchmark prior to Update 6 (v2.12.82).

  • Comply prior to Update 6 (v2.32.155).

  • Discover prior to Update 5 (v4.10.118).

  • Partner Integration prior to Update 5 (v1.3.40).

  • Patch prior to Update 6 (v3.24.137).

  • Performance prior to Update 6 (v1.22.288).

Available Updates

2024H1 Release:

  • Update 23 and later.

2024H2 Release:

  • Update 12 and later.

2025H1 Release:

  • Update 6 and later.

Workaround and Mitigations

None.

Acknowledgements

None.