Security Bulletins

Highest overall severity: Medium


Summary:

Users on Windows can use Microsoft's Certificate Manager to disable certificate capabilities. For example, users can disable Server Authentication on a certificate in Certificate Manager. This class of changes does not update the fields, extensions, or properties of the underlying certificate. Rather, the changes made in Certificate Manager are managed by the operating system and intended to override the same values that are contained within the certificate itself. Tableau Desktop complies only with the capabilities as defined on the certificate and ignores the capabilities specified by the operating system configuration.


Impact:

Tableau Desktop will use a valid certificate that is in the Windows trust store even if the certificate's capabilities are otherwise disabled in Certificate Manager.


Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep | Tableau Reader | Tableau Mobile | Tableau Public Desktop
*Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Desktop

Severity: Medium
CVSS3 Score: AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N - 6.8 Medium
Product Specific Notes: None.

Vulnerable versions:

  • Tableau Desktop on Windows 10.5 through 10.5.26
  • Tableau Desktop on Windows 2018.1 through 2018.1.23
  • Tableau Desktop on Windows 2018.2 through 2018.2.20
  • Tableau Desktop on Windows 2018.3 through 2018.3.17
  • Tableau Desktop on Windows 2019.1 through 2019.1.15
  • Tableau Desktop on Windows 2019.2 through 2019.2.11
  • Tableau Desktop on Windows 2019.3 through 2019.3.7
  • Tableau Desktop on Windows 2019.4 through 2019.4.6
  • Tableau Desktop on Windows 2020.1 through 2020.1.3
  • Tableau Desktop on Windows 2020.2 through 2020.2.X (Fix coming in future release)


Resolved in versions:

  • Tableau Desktop on Windows 10.5.27
  • Tableau Desktop on Windows 2018.1.24
  • Tableau Desktop on Windows 2018.2.21
  • Tableau Desktop on Windows 2018.3.18
  • Tableau Desktop on Windows 2019.1.16
  • Tableau Desktop on Windows 2019.2.12
  • Tableau Desktop on Windows 2019.3.8
  • Tableau Desktop on Windows 2019.4.7
  • Tableau Desktop on Windows 2020.1.4


Tableau Bridge

Severity: Medium
CVSS3 Score: AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N - 6.8 Medium
Product Specific Notes: None.

Vulnerable versions:


Resolved in versions:


Tableau Prep

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Reader

Severity: Medium
CVSS3 Score: AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N - 6.8 Medium
Product Specific Notes: None.

Vulnerable versions:


Resolved in versions:


Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Public Desktop

Severity: Medium
CVSS3 Score: AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N - 6.8 Medium
Product Specific Notes: None.

Vulnerable versions:


Resolved in versions:

Highest overall severity: Medium


Summary:

Various memory corruption issues exist in Tableau products.


Impact:

An attacker exploiting this vulnerability may be able to cause a crash.


Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep | Tableau Reader | Tableau Mobile | Tableau Public Desktop
*Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: Medium
CVSS3 Score: AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H - 5.3 Medium
Product Specific Notes: An authenticated user who is able to publish a workbook to Tableau Server may trigger this vulnerability.

Vulnerable versions:

  • Tableau Server on Linux 10.5 through 10.5.26
  • Tableau Server on Linux 2018.1 through 2018.1.23
  • Tableau Server on Linux 2018.2 through 2018.2.20
  • Tableau Server on Linux 2018.3 through 2018.3.17
  • Tableau Server on Linux 2019.1 through 2019.1.15
  • Tableau Server on Linux 2019.2 through 2019.2.11
  • Tableau Server on Linux 2019.3 through 2019.3.7
  • Tableau Server on Linux 2019.4 through 2019.4.6
  • Tableau Server on Linux 2020.1 through 2020.1.3
  • Tableau Server on Linux 2020.2 through 2020.2.X (Fix coming in future release)

  • Tableau Server on Windows 10.5 through 10.5.26
  • Tableau Server on Windows 2018.1 through 2018.1.23
  • Tableau Server on Windows 2018.2 through 2018.2.20
  • Tableau Server on Windows 2018.3 through 2018.3.17
  • Tableau Server on Windows 2019.1 through 2019.1.15
  • Tableau Server on Windows 2019.2 through 2019.2.11
  • Tableau Server on Windows 2019.3 through 2019.3.7
  • Tableau Server on Windows 2019.4 through 2019.4.6
  • Tableau Server on Windows 2020.1 through 2020.1.3
  • Tableau Server on Windows 2020.2 through 2020.2.X (Fix coming in future release)


Resolved in versions:

  • Tableau Server on Linux 10.5.27
  • Tableau Server on Linux 2018.1.24
  • Tableau Server on Linux 2018.2.21
  • Tableau Server on Linux 2018.3.18
  • Tableau Server on Linux 2019.1.16
  • Tableau Server on Linux 2019.2.12
  • Tableau Server on Linux 2019.3.8
  • Tableau Server on Linux 2019.4.7
  • Tableau Server on Linux 2020.1.4

  • Tableau Server on Windows 10.5.27
  • Tableau Server on Windows 2018.1.24
  • Tableau Server on Windows 2018.2.21
  • Tableau Server on Windows 2018.3.18
  • Tableau Server on Windows 2019.1.16
  • Tableau Server on Windows 2019.2.12
  • Tableau Server on Windows 2019.3.8
  • Tableau Server on Windows 2019.4.7
  • Tableau Server on Windows 2020.1.4


Tableau Desktop

Severity: Medium
CVSS3 Score: AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H - 4.7 Medium
Product Specific Notes: Opening a malicious workbook can trigger this vulnerability.

Vulnerable versions:

  • Tableau Desktop on Mac 10.5 through 10.5.26
  • Tableau Desktop on Mac 2018.1 through 2018.1.23
  • Tableau Desktop on Mac 2018.2 through 2018.2.20
  • Tableau Desktop on Mac 2018.3 through 2018.3.17
  • Tableau Desktop on Mac 2019.1 through 2019.1.15
  • Tableau Desktop on Mac 2019.2 through 2019.2.11
  • Tableau Desktop on Mac 2019.3 through 2019.3.7
  • Tableau Desktop on Mac 2019.4 through 2019.4.6
  • Tableau Desktop on Mac 2020.1 through 2020.1.3
  • Tableau Desktop on Mac 2020.2 through 2020.2.X (Fix coming in future release)

  • Tableau Desktop on Windows 10.5 through 10.5.26
  • Tableau Desktop on Windows 2018.1 through 2018.1.23
  • Tableau Desktop on Windows 2018.2 through 2018.2.20
  • Tableau Desktop on Windows 2018.3 through 2018.3.17
  • Tableau Desktop on Windows 2019.1 through 2019.1.15
  • Tableau Desktop on Windows 2019.2 through 2019.2.11
  • Tableau Desktop on Windows 2019.3 through 2019.3.7
  • Tableau Desktop on Windows 2019.4 through 2019.4.6
  • Tableau Desktop on Windows 2020.1 through 2020.1.3
  • Tableau Desktop on Windows 2020.2 through 2020.2.X (Fix coming in future release)


Resolved in versions:

  • Tableau Desktop on Mac 10.5.27
  • Tableau Desktop on Mac 2018.1.24
  • Tableau Desktop on Mac 2018.2.21
  • Tableau Desktop on Mac 2018.3.18
  • Tableau Desktop on Mac 2019.1.16
  • Tableau Desktop on Mac 2019.2.12
  • Tableau Desktop on Mac 2019.3.8
  • Tableau Desktop on Mac 2019.4.7
  • Tableau Desktop on Mac 2020.1.4

  • Tableau Desktop on Windows 10.5.27
  • Tableau Desktop on Windows 2018.1.24
  • Tableau Desktop on Windows 2018.2.21
  • Tableau Desktop on Windows 2018.3.18
  • Tableau Desktop on Windows 2019.1.16
  • Tableau Desktop on Windows 2019.2.12
  • Tableau Desktop on Windows 2019.3.8
  • Tableau Desktop on Windows 2019.4.7
  • Tableau Desktop on Windows 2020.1.4


Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Prep

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Reader

Severity: Medium
CVSS3 Score: AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H - 4.7 Medium
Product Specific Notes: Opening a malicious workbook can trigger this vulnerability.

Vulnerable versions:


Resolved in versions:


Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Public Desktop

Severity: Medium
CVSS3 Score: AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H - 4.7 Medium
Product Specific Notes: Opening a malicious workbook can trigger this vulnerability.

Vulnerable versions:


Resolved in versions:

Highest overall severity: High


Summary:

Various memory corruption issues exist in Tableau products.


Impact:

An attacker exploiting this vulnerability may be able to execute arbitrary code or cause a crash.


Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep | Tableau Reader | Tableau Mobile | Tableau Public Desktop
*Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: High
CVSS3 Score: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H - 7.5 High
Product Specific Notes: An authenticated user who is able to publish a workbook to Tableau Server may trigger this vulnerability.

Vulnerable versions:

  • Tableau Server on Linux 10.5 through 10.5.26
  • Tableau Server on Linux 2018.1 through 2018.1.23
  • Tableau Server on Linux 2018.2 through 2018.2.20
  • Tableau Server on Linux 2018.3 through 2018.3.17
  • Tableau Server on Linux 2019.1 through 2019.1.15
  • Tableau Server on Linux 2019.2 through 2019.2.11
  • Tableau Server on Linux 2019.3 through 2019.3.7
  • Tableau Server on Linux 2019.4 through 2019.4.6
  • Tableau Server on Linux 2020.1 through 2020.1.3
  • Tableau Server on Linux 2020.2 through 2020.2.X (Fix coming in future release)

  • Tableau Server on Windows 10.5 through 10.5.26
  • Tableau Server on Windows 2018.1 through 2018.1.23
  • Tableau Server on Windows 2018.2 through 2018.2.20
  • Tableau Server on Windows 2018.3 through 2018.3.17
  • Tableau Server on Windows 2019.1 through 2019.1.15
  • Tableau Server on Windows 2019.2 through 2019.2.11
  • Tableau Server on Windows 2019.3 through 2019.3.7
  • Tableau Server on Windows 2019.4 through 2019.4.6
  • Tableau Server on Windows 2020.1 through 2020.1.3
  • Tableau Server on Windows 2020.2 through 2020.2.X (Fix coming in future release)


Resolved in versions:

  • Tableau Server on Linux 10.5.27
  • Tableau Server on Linux 2018.1.24
  • Tableau Server on Linux 2018.2.21
  • Tableau Server on Linux 2018.3.18
  • Tableau Server on Linux 2019.1.16
  • Tableau Server on Linux 2019.2.12
  • Tableau Server on Linux 2019.3.8
  • Tableau Server on Linux 2019.4.7
  • Tableau Server on Linux 2020.1.4

  • Tableau Server on Windows 10.5.27
  • Tableau Server on Windows 2018.1.24
  • Tableau Server on Windows 2018.2.21
  • Tableau Server on Windows 2018.3.18
  • Tableau Server on Windows 2019.1.16
  • Tableau Server on Windows 2019.2.12
  • Tableau Server on Windows 2019.3.8
  • Tableau Server on Windows 2019.4.7
  • Tableau Server on Windows 2020.1.4


Tableau Desktop

Severity: High
CVSS3 Score: AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H - 7.0 High
Product Specific Notes: Opening a malicious workbook can trigger this vulnerability.

Vulnerable versions:

  • Tableau Desktop on Mac 10.5 through 10.5.26
  • Tableau Desktop on Mac 2018.1 through 2018.1.23
  • Tableau Desktop on Mac 2018.2 through 2018.2.20
  • Tableau Desktop on Mac 2018.3 through 2018.3.17
  • Tableau Desktop on Mac 2019.1 through 2019.1.15
  • Tableau Desktop on Mac 2019.2 through 2019.2.11
  • Tableau Desktop on Mac 2019.3 through 2019.3.7
  • Tableau Desktop on Mac 2019.4 through 2019.4.6
  • Tableau Desktop on Mac 2020.1 through 2020.1.3
  • Tableau Desktop on Mac 2020.2 through 2020.2.X (Fix coming in future release)

  • Tableau Desktop on Windows 10.5 through 10.5.26
  • Tableau Desktop on Windows 2018.1 through 2018.1.23
  • Tableau Desktop on Windows 2018.2 through 2018.2.20
  • Tableau Desktop on Windows 2018.3 through 2018.3.17
  • Tableau Desktop on Windows 2019.1 through 2019.1.15
  • Tableau Desktop on Windows 2019.2 through 2019.2.11
  • Tableau Desktop on Windows 2019.3 through 2019.3.7
  • Tableau Desktop on Windows 2019.4 through 2019.4.6
  • Tableau Desktop on Windows 2020.1 through 2020.1.3
  • Tableau Desktop on Windows 2020.2 through 2020.2.X (Fix coming in future release)


Resolved in versions:

  • Tableau Desktop on Mac 10.5.27
  • Tableau Desktop on Mac 2018.1.24
  • Tableau Desktop on Mac 2018.2.21
  • Tableau Desktop on Mac 2018.3.18
  • Tableau Desktop on Mac 2019.1.16
  • Tableau Desktop on Mac 2019.2.12
  • Tableau Desktop on Mac 2019.3.8
  • Tableau Desktop on Mac 2019.4.7
  • Tableau Desktop on Mac 2020.1.4

  • Tableau Desktop on Windows 10.5.27
  • Tableau Desktop on Windows 2018.1.24
  • Tableau Desktop on Windows 2018.2.21
  • Tableau Desktop on Windows 2018.3.18
  • Tableau Desktop on Windows 2019.1.16
  • Tableau Desktop on Windows 2019.2.12
  • Tableau Desktop on Windows 2019.3.8
  • Tableau Desktop on Windows 2019.4.7
  • Tableau Desktop on Windows 2020.1.4


Tableau Bridge

Severity: High
CVSS3 Score: AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H - 7.0 High
Product Specific Notes: None.

Vulnerable versions:


Resolved in versions:


Tableau Prep

Severity: High
CVSS3 Score: AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H - 7.0 High
Product Specific Notes: Opening a malicious flow can trigger this vulnerability.

Vulnerable versions:


Resolved in versions:


Tableau Reader

Severity: High
CVSS3 Score: AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H - 7.0 High
Product Specific Notes: Opening a malicious workbook can trigger this vulnerability.

Vulnerable versions:


Resolved in versions:


Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Public Desktop

Severity: High
CVSS3 Score: AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H - 7.0 High
Product Specific Notes: None.

Vulnerable versions:


Resolved in versions:

Highest overall severity: Medium


Summary:

When the Tableau API Gateway service fails to communicate with the Authentication service, the full authentication value is logged to the Tableau API Gateway log file.


Impact:

The authentication value that is logged can be used to authenticate as a valid user.


Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep | Tableau Reader | Tableau Mobile | Tableau Public Desktop
*Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: Medium
CVSS3 Score: AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N - 4.4 Medium
Product Specific Notes: None.

Vulnerable versions:

  • Tableau Server on Linux 2019.2 through 2019.2.11
  • Tableau Server on Linux 2019.3 through 2019.3.7
  • Tableau Server on Linux 2019.4 through 2019.4.6
  • Tableau Server on Linux 2020.1 through 2020.1.3

  • Tableau Server on Windows 2019.2 through 2019.2.11
  • Tableau Server on Windows 2019.3 through 2019.3.7
  • Tableau Server on Windows 2019.4 through 2019.4.6
  • Tableau Server on Windows 2020.1 through 2020.1.3


Resolved in versions:

  • Tableau Server on Linux 2019.2.12
  • Tableau Server on Linux 2019.3.8
  • Tableau Server on Linux 2019.4.7
  • Tableau Server on Linux 2020.1.4

  • Tableau Server on Windows 2019.2.12
  • Tableau Server on Windows 2019.3.8
  • Tableau Server on Windows 2019.4.7
  • Tableau Server on Windows 2020.1.4


Tableau Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Prep

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Reader

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Highest overall severity: Medium


Summary:

The complete SAML AuthN response assertion is stored in the Postgres repository.


Impact:

An administrator with access to the repository can attempt to replay the SAML AuthN response to authenticate to Tableau Server as a different user.


Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep | Tableau Reader | Tableau Mobile | Tableau Public Desktop
*Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: Medium
CVSS3 Score: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N - 4.9 Medium
Product Specific Notes: This only affects Tableau Server configured with either Server-wide SAML or SiteSAML.

Vulnerable versions:

  • Tableau Server on Linux 10.5 through 10.5.26
  • Tableau Server on Linux 2018.1 through 2018.1.23
  • Tableau Server on Linux 2018.2 through 2018.2.20
  • Tableau Server on Linux 2018.3 through 2018.3.17
  • Tableau Server on Linux 2019.1 through 2019.1.15
  • Tableau Server on Linux 2019.2 through 2019.2.11
  • Tableau Server on Linux 2019.3 through 2019.3.7
  • Tableau Server on Linux 2019.4 through 2019.4.6
  • Tableau Server on Linux 2020.1 through 2020.1.3
  • Tableau Server on Linux 2020.2 through 2020.2.X (Fix coming in future release)

  • Tableau Server on Windows 10.5 through 10.5.26
  • Tableau Server on Windows 2018.1 through 2018.1.23
  • Tableau Server on Windows 2018.2 through 2018.2.20
  • Tableau Server on Windows 2018.3 through 2018.3.17
  • Tableau Server on Windows 2019.1 through 2019.1.15
  • Tableau Server on Windows 2019.2 through 2019.2.11
  • Tableau Server on Windows 2019.3 through 2019.3.7
  • Tableau Server on Windows 2019.4 through 2019.4.6
  • Tableau Server on Windows 2020.1 through 2020.1.3
  • Tableau Server on Windows 2020.2 through 2020.2.X (Fix coming in future release)


Resolved in versions:

  • Tableau Server on Linux 10.5.27
  • Tableau Server on Linux 2018.1.24
  • Tableau Server on Linux 2018.2.21
  • Tableau Server on Linux 2018.3.18
  • Tableau Server on Linux 2019.1.16
  • Tableau Server on Linux 2019.2.12
  • Tableau Server on Linux 2019.3.8
  • Tableau Server on Linux 2019.4.7
  • Tableau Server on Linux 2020.1.4

  • Tableau Server on Windows 10.5.27
  • Tableau Server on Windows 2018.1.24
  • Tableau Server on Windows 2018.2.21
  • Tableau Server on Windows 2018.3.18
  • Tableau Server on Windows 2019.1.16
  • Tableau Server on Windows 2019.2.12
  • Tableau Server on Windows 2019.3.8
  • Tableau Server on Windows 2019.4.7
  • Tableau Server on Windows 2020.1.4


Tableau Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Prep

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Reader

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Highest overall severity: High


Summary:

When a background job is cancelled by a server or site administrator, an email is sent. The email contains the email address of the user who cancelled the job. In some cases, Tableau Server inserts an incorrect email address in the body of the email. However, the email will be sent to the correct user.


Impact:

The email address contained in the body of the email may be from a different Tableau Server site. In a multi-tenant environment where sites are used to separate different customers, this can expose the email address of a user from a different customer.


Mitigation:

Use the TSM command tsm configuration set -k backgrounder.job_management_cancellation_max_num_users_notified -v 0 to disable all cancellation emails.


Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep | Tableau Reader | Tableau Mobile | Tableau Public Desktop
*Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: High
CVSS3 Score: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N - 7.7 High
Product Specific Notes: None.

Vulnerable versions:

  • Tableau Server on Linux 2019.4 through 2019.4.5
  • Tableau Server on Linux 2020.1 through 2020.1.2

  • Tableau Server on Windows 2019.4 through 2019.4.5
  • Tableau Server on Windows 2020.1 through 2020.1.2


Resolved in versions:

  • Tableau Server on Linux 2019.4.6
  • Tableau Server on Linux 2020.1.3

  • Tableau Server on Windows 2019.4.6
  • Tableau Server on Windows 2020.1.3


Tableau Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Prep

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Reader

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Highest overall severity: Medium


Summary:

Tableau Server does not invalidate user sessions when users log out.


Impact:

An attacker with the old session cookie may be able to use it for certain requests before the cookie expires.


Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep | Tableau Reader | Tableau Mobile | Tableau Public Desktop
*Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: Medium
CVSS3 Score: AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N - 4.2 Medium
Product Specific Notes: By default, sessions are set to expire in 4 hours.

Vulnerable versions:

  • Tableau Server on Linux 10.5 through 10.X - will not be fixed
  • Tableau Server on Linux 2018.1.0 through 2018.1.X - will not be fixed
  • Tableau Server on Linux 2018.2.0 through 2018.2.X - will not be fixed
  • Tableau Server on Linux 2018.3.0 through 2018.3.X - will not be fixed
  • Tableau Server on Linux 2019.1.0 through 2019.1.14
  • Tableau Server on Linux 2019.2.0 through 2019.2.10
  • Tableau Server on Linux 2019.3.0 through 2019.3.6
  • Tableau Server on Linux 2019.4.0 through 2019.4.5
  • Tableau Server on Linux 2020.1.0 through 2020.1.2

  • Tableau Server on Windows 10.5 through 10.X - will not be fixed
  • Tableau Server on Windows 2018.1.0 through 2018.1.X - will not be fixed
  • Tableau Server on Windows 2018.2.0 through 2018.2.X - will not be fixed
  • Tableau Server on Windows 2018.3.0 through 2018.3.X - will not be fixed
  • Tableau Server on Windows 2019.1.0 through 2019.1.14
  • Tableau Server on Windows 2019.2.0 through 2019.2.10
  • Tableau Server on Windows 2019.3.0 through 2019.3.6
  • Tableau Server on Windows 2019.4.0 through 2019.4.5
  • Tableau Server on Windows 2020.1.0 through 2020.1.2


Resolved in versions:

  • Tableau Server on Linux 2019.1.15
  • Tableau Server on Linux 2019.2.11
  • Tableau Server on Linux 2019.3.7
  • Tableau Server on Linux 2019.4.6
  • Tableau Server on Linux 2020.1.3

  • Tableau Server on Windows 2019.1.15
  • Tableau Server on Windows 2019.2.11
  • Tableau Server on Windows 2019.3.7
  • Tableau Server on Windows 2019.4.6
  • Tableau Server on Windows 2020.1.3


Tableau Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Prep

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Reader

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Highest overall severity: Medium


Summary:

In a scenario with locked projects (e.g., the setting “Apply to nested folders” is not selected) the permissions displayed on workbooks may not appear to correlate with actual permissions. Changing permissions in this scenario may trigger an indexing issue that displays the incorrect permissions.


Impact:

Some workbook names will be visible to users that no longer have access. However, when attempting to open the workbook users will be denied access based on the correct permissions. No underlying data is accessible. Conversely, in a case where additional permissions were granted, these workbooks will not be visible to users who now have access.


Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep | Tableau Reader | Tableau Mobile | Tableau Public Desktop
*Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: Medium
CVSS3 Score: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N - 4.3 Medium
Product Specific Notes: None.

Vulnerable versions:

  • Tableau Server on Linux 2020.1 through 2020.1.2

  • Tableau Server on Windows 2020.1 through 2020.1.2


Resolved in versions:

  • Tableau Server on Linux 2020.1.3

  • Tableau Server on Windows 2020.1.3


Tableau Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Prep

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Reader

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Highest overall severity: Medium


Summary:

Tableau Server fails to properly validate the final destination URL in a certain error page.


Impact:

A Tableau Server user who clicks on a malicious link will be redirected to an attacker-controlled location.


Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep | Tableau Reader | Tableau Mobile | Tableau Public Desktop
*Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: Medium
CVSS3 Score: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N - 5.4 Medium
Product Specific Notes: None.

Vulnerable versions:

  • Tableau Server on Linux 10.5.0 through 10.5.26
  • Tableau Server on Linux 2018.1.0 through 2018.1.22
  • Tableau Server on Linux 2018.2.0 through 2018.2.19
  • Tableau Server on Linux 2018.3.0 through 2018.3.16
  • Tableau Server on Linux 2019.1.0 through 2019.1.14
  • Tableau Server on Linux 2019.2.0 through 2019.2.10
  • Tableau Server on Linux 2019.3.0 through 2019.3.6
  • Tableau Server on Linux 2019.4.0 through 2019.4.5
  • Tableau Server on Linux 2020.1.0 through 2020.1.2

  • Tableau Server on Windows 10.5.0 through 10.5.26
  • Tableau Server on Windows 2018.1.0 through 2018.1.22
  • Tableau Server on Windows 2018.2.0 through 2018.2.19
  • Tableau Server on Windows 2018.3.0 through 2018.3.16
  • Tableau Server on Windows 2019.1.0 through 2019.1.14
  • Tableau Server on Windows 2019.2.0 through 2019.2.10
  • Tableau Server on Windows 2019.3.0 through 2019.3.6
  • Tableau Server on Windows 2019.4.0 through 2019.4.5
  • Tableau Server on Windows 2020.1.0 through 2020.1.2


Resolved in versions:

  • Tableau Server on Linux 10.5.27
  • Tableau Server on Linux 2018.1.23
  • Tableau Server on Linux 2018.2.20
  • Tableau Server on Linux 2018.3.17
  • Tableau Server on Linux 2019.1.15
  • Tableau Server on Linux 2019.2.11
  • Tableau Server on Linux 2019.3.7
  • Tableau Server on Linux 2019.4.6
  • Tableau Server on Linux 2020.1.3

  • Tableau Server on Windows 20.5.27
  • Tableau Server on Windows 2018.1.23
  • Tableau Server on Windows 2018.2.20
  • Tableau Server on Windows 2018.3.17
  • Tableau Server on Windows 2019.1.15
  • Tableau Server on Windows 2019.2.11
  • Tableau Server on Windows 2019.3.7
  • Tableau Server on Windows 2019.4.6
  • Tableau Server on Windows 2020.1.3


Tableau Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Prep

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Reader

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Highest overall severity: Medium


Summary:

The tabcmd utility included with Tableau Server does not properly validate the host name when establishing a TLS connection.


Impact:

A Tableau Server instance that presents a certificate with an incorrect host name (but is an otherwise valid certificate) will be trusted by tabcmd.


Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep | Tableau Reader | Tableau Mobile | Tableau Public Desktop
*Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: Medium
CVSS3 Score: AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N - 6.8 Medium
Product Specific Notes: None.

Vulnerable versions:

  • Tableau Server on Linux 10.5 through 10.5.25
  • Tableau Server on Linux 2018.1 through 2018.1.22
  • Tableau Server on Linux 2018.2 through 2018.2.19
  • Tableau Server on Linux 2018.3 through 2018.3.16
  • Tableau Server on Linux 2019.1 through 2019.1.14
  • Tableau Server on Linux 2019.2 through 2019.2.10
  • Tableau Server on Linux 2019.3 through 2019.3.6
  • Tableau Server on Linux 2019.4 through 2019.4.5
  • Tableau Server on Linux 2020.1 through 2020.1.2

  • Tableau Server on Windows 10.5 through 10.5.25
  • Tableau Server on Windows 2018.1 through 2018.1.22
  • Tableau Server on Windows 2018.2 through 2018.2.19
  • Tableau Server on Windows 2018.3 through 2018.3.16
  • Tableau Server on Windows 2019.1 through 2019.1.14
  • Tableau Server on Windows 2019.2 through 2019.2.10
  • Tableau Server on Windows 2019.3 through 2019.3.6
  • Tableau Server on Windows 2019.4 through 2019.4.5
  • Tableau Server on Windows 2020.1 through 2020.1.2


Resolved in versions:

  • Tableau Server on Linux 10.5.26
  • Tableau Server on Linux 2018.1.23
  • Tableau Server on Linux 2018.2.20
  • Tableau Server on Linux 2018.3.17
  • Tableau Server on Linux 2019.1.15
  • Tableau Server on Linux 2019.2.11
  • Tableau Server on Linux 2019.3.7
  • Tableau Server on Linux 2019.4.6
  • Tableau Server on Linux 2020.1.3

  • Tableau Server on Windows 10.5.26
  • Tableau Server on Windows 2018.1.23
  • Tableau Server on Windows 2018.2.20
  • Tableau Server on Windows 2018.3.17
  • Tableau Server on Windows 2019.1.15
  • Tableau Server on Windows 2019.2.11
  • Tableau Server on Windows 2019.3.7
  • Tableau Server on Windows 2019.4.6
  • Tableau Server on Windows 2020.1.3


Tableau Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Prep

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Reader

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Highest overall severity: High


Summary:

The tabcmd utility included with Tableau Server uses an insecure XML parser.


Impact:

Using tabcmd to connect to a malicious Tableau Server host could allow for Denial of Service attacks and arbitrary file reads on the host running tabcmd.


Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep | Tableau Reader | Tableau Mobile | Tableau Public Desktop
*Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: High
CVSS3 Score: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N - 8.1 High
Product Specific Notes: None.

Vulnerable versions:

  • Tableau Server on Linux 10.5 through 10.5.25
  • Tableau Server on Linux 2018.1 through 2018.1.22
  • Tableau Server on Linux 2018.2 through 2018.2.19
  • Tableau Server on Linux 2018.3 through 2018.3.16
  • Tableau Server on Linux 2019.1 through 2019.1.14
  • Tableau Server on Linux 2019.2 through 2019.2.10
  • Tableau Server on Linux 2019.3 through 2019.3.6
  • Tableau Server on Linux 2019.4 through 2019.4.5
  • Tableau Server on Linux 2020.1 through 2020.1.2

  • Tableau Server on Windows 10.5 through 10.5.25
  • Tableau Server on Windows 2018.1 through 2018.1.22
  • Tableau Server on Windows 2018.2 through 2018.2.19
  • Tableau Server on Windows 2018.3 through 2018.3.16
  • Tableau Server on Windows 2019.1 through 2019.1.14
  • Tableau Server on Windows 2019.2 through 2019.2.10
  • Tableau Server on Windows 2019.3 through 2019.3.6
  • Tableau Server on Windows 2019.4 through 2019.4.5
  • Tableau Server on Windows 2020.1 through 2020.1.2


Resolved in versions:

  • Tableau Server on Linux 10.5.26
  • Tableau Server on Linux 2018.1.23
  • Tableau Server on Linux 2018.2.20
  • Tableau Server on Linux 2018.3.17
  • Tableau Server on Linux 2019.1.15
  • Tableau Server on Linux 2019.2.11
  • Tableau Server on Linux 2019.3.7
  • Tableau Server on Linux 2019.4.6
  • Tableau Server on Linux 2020.1.3

  • Tableau Server on Windows 10.5.26
  • Tableau Server on Windows 2018.1.23
  • Tableau Server on Windows 2018.2.20
  • Tableau Server on Windows 2018.3.17
  • Tableau Server on Windows 2019.1.15
  • Tableau Server on Windows 2019.2.11
  • Tableau Server on Windows 2019.3.7
  • Tableau Server on Windows 2019.4.6
  • Tableau Server on Windows 2020.1.3


Tableau Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Prep

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Reader

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Highest overall severity: Medium


Summary:

Tableau Server discloses the command used to start the ActiveMQ server in the output of the ps command. The output includes the password to the SSL keystore.


Impact:

An attacker exploiting this vulnerability is able to decrypt the SSL keystore file.


Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep | Tableau Reader | Tableau Mobile | Tableau Public Desktop
*Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: Medium
CVSS3 Score: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N - 5.5 Medium
Product Specific Notes: This only happens when Tableau Server is upgraded from 2019.4.X to a higher version.

Vulnerable versions:

  • Tableau Server on Linux 2019.4.0 through 2019.4.5
  • Tableau Server on Linux 2020.1.0 through 2020.1.2

  • Tableau Server on Windows 2019.4.0 through 2019.4.5
  • Tableau Server on Windows 2020.1.0 through 2020.1.2


Resolved in versions:

  • Tableau Server on Linux 2019.4.6
  • Tableau Server on Linux 2020.1.3

  • Tableau Server on Windows 2019.4.6
  • Tableau Server on Windows 2020.1.3


Tableau Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Prep

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Reader

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Highest overall severity: High


Summary:

Various memory corruption issues exist in Tableau products.


Impact:

An attacker exploiting this vulnerability may be able to execute arbitrary code or cause a crash.


Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep | Tableau Reader | Tableau Mobile | Tableau Public Desktop
*Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: High
CVSS3 Score: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H - 7.5 High
Product Specific Notes: An authenticated user who is able to publish a workbook to Tableau Server can trigger this vulnerability. During our analysis, we have determined the ability to exploit this vulnerability is unlikely.

Vulnerable versions:

  • Tableau Server on Linux 10.5.0 through 10.5.24
  • Tableau Server on Linux 2018.1.0 through 2018.1.21
  • Tableau Server on Linux 2018.2.0 through 2018.2.18
  • Tableau Server on Linux 2018.3.0 through 2018.3.15
  • Tableau Server on Linux 2019.1.0 through 2019.1.13
  • Tableau Server on Linux 2019.2.0 through 2019.2.9
  • Tableau Server on Linux 2019.3.0 through 2019.3.5
  • Tableau Server on Linux 2019.4.0 through 2019.4.4
  • Tableau Server on Linux 2020.1.0 through 2020.1.1

  • Tableau Server on Windows 10.4.0 through 10.4.25
  • Tableau Server on Windows 10.5.0 through 10.5.24
  • Tableau Server on Windows 2018.1.0 through 2018.1.21
  • Tableau Server on Windows 2018.2.0 through 2018.2.18
  • Tableau Server on Windows 2018.3.0 through 2018.3.15
  • Tableau Server on Windows 2019.1.0 through 2019.1.13
  • Tableau Server on Windows 2019.2.0 through 2019.2.9
  • Tableau Server on Windows 2019.3.0 through 2019.3.5
  • Tableau Server on Windows 2019.4.0 through 2019.4.4
  • Tableau Server on Windows 2020.1.0 through 2020.1.1


Resolved in versions:

  • Tableau Server on Linux 10.5.25
  • Tableau Server on Linux 2018.1.22
  • Tableau Server on Linux 2018.2.19
  • Tableau Server on Linux 2018.3.16
  • Tableau Server on Linux 2019.1.14
  • Tableau Server on Linux 2019.2.10
  • Tableau Server on Linux 2019.3.6
  • Tableau Server on Linux 2019.4.5
  • Tableau Server on Linux 2020.1.2

  • Tableau Server on Windows 10.4.26
  • Tableau Server on Windows 10.5.25
  • Tableau Server on Windows 2018.1.22
  • Tableau Server on Windows 2018.2.19
  • Tableau Server on Windows 2018.3.16
  • Tableau Server on Windows 2019.1.14
  • Tableau Server on Windows 2019.2.10
  • Tableau Server on Windows 2019.3.6
  • Tableau Server on Windows 2019.4.5
  • Tableau Server on Windows 2020.1.2


Tableau Desktop

Severity: High
CVSS3 Score: AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H - 7.0 High
Product Specific Notes: Opening a malicious workbook can trigger this vulnerability. During our analysis, we have determined the ability to exploit this vulnerability is unlikely.

Vulnerable versions:

  • Tableau Desktop on Mac 10.4.0 through 10.4.25
  • Tableau Desktop on Mac 10.5.0 through 10.5.24
  • Tableau Desktop on Mac 2018.1.0 through 2018.1.21
  • Tableau Desktop on Mac 2018.2.0 through 2018.2.18
  • Tableau Desktop on Mac 2018.3.0 through 2018.3.15
  • Tableau Desktop on Mac 2019.1.0 through 2019.1.13
  • Tableau Desktop on Mac 2019.2.0 through 2019.2.9
  • Tableau Desktop on Mac 2019.3.0 through 2019.3.5
  • Tableau Desktop on Mac 2019.4.0 through 2019.4.4
  • Tableau Desktop on Mac 2020.1.0 through 2020.1.1

  • Tableau Desktop on Windows 10.4.0 through 10.4.25
  • Tableau Desktop on Windows 10.5.0 through 10.5.24
  • Tableau Desktop on Windows 2018.1.0 through 2018.1.21
  • Tableau Desktop on Windows 2018.2.0 through 2018.2.18
  • Tableau Desktop on Windows 2018.3.0 through 2018.3.15
  • Tableau Desktop on Windows 2019.1.0 through 2019.1.13
  • Tableau Desktop on Windows 2019.2.0 through 2019.2.9
  • Tableau Desktop on Windows 2019.3.0 through 2019.3.5
  • Tableau Desktop on Windows 2019.4.0 through 2019.4.4
  • Tableau Desktop on Windows 2020.1.0 through 2020.1.1


Resolved in versions:

  • Tableau Desktop on Mac 10.4.26
  • Tableau Desktop on Mac 10.5.25
  • Tableau Desktop on Mac 2018.1.22
  • Tableau Desktop on Mac 2018.2.19
  • Tableau Desktop on Mac 2018.3.16
  • Tableau Desktop on Mac 2019.1.14
  • Tableau Desktop on Mac 2019.2.10
  • Tableau Desktop on Mac 2019.3.6
  • Tableau Desktop on Mac 2019.4.5
  • Tableau Desktop on Mac 2020.1.2

  • Tableau Desktop on Windows 10.4.26
  • Tableau Desktop on Windows 10.5.25
  • Tableau Desktop on Windows 2018.1.22
  • Tableau Desktop on Windows 2018.2.19
  • Tableau Desktop on Windows 2018.3.16
  • Tableau Desktop on Windows 2019.1.14
  • Tableau Desktop on Windows 2019.2.10
  • Tableau Desktop on Windows 2019.3.6
  • Tableau Desktop on Windows 2019.4.5
  • Tableau Desktop on Windows 2020.1.2


Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Prep

Severity: High
CVSS3 Score: AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H - 7.0 High
Product Specific Notes: Opening a malicious flow can trigger this vulnerability. During our analysis, we have determined the ability to exploit this vulnerability is unlikely.

Vulnerable versions:

  • Tableau Prep on Mac 2018.1.1 through 2020.1.5

  • Tableau Prep on Windows 2018.1.1 through 2020.1.5


Resolved in versions:

  • Tableau Prep on Mac 2018.1.1 through 2020.2.1

  • Tableau Prep on Windows 2018.1.1 through 2020.2.1


Tableau Reader

Severity: High
CVSS3 Score: AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H - 7.0 High
Product Specific Notes: Opening a malicious workbook can trigger this vulnerability. During our analysis, we have determined the ability to exploit this vulnerability is unlikely.

Vulnerable versions:

  • Tableau Reader on Mac 10.4 through 2020.1.0

  • Tableau Reader on Windows 10.4 through 2020.1.0


Resolved in versions:

  • Tableau Reader on Mac 2020.1.2

  • Tableau Reader on Windows 2020.1.2


Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Public Desktop

Severity: High
CVSS3 Score: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H - 7.5 High
Product Specific Notes: None.

Vulnerable versions:

  • Tableau Public Desktop on Mac 10.4 through 2020.1.0

  • Tableau Public Desktop on Windows 10.4 through 2020.1.0


Resolved in versions:

  • Tableau Public Desktop on Mac 2020.1.2

  • Tableau Public Desktop on Windows 2020.1.2

Highest overall severity: Medium


Summary:

When a Data Driven Alert triggers, Tableau Server fails to perform an access check on each user to whom the alert is being sent.


Impact:

A user who has been added to the Data Driven Alert but does not have access to the view will receive a thumbnail of the view.


Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep | Tableau Reader | Tableau Mobile | Tableau Public Desktop
*Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: Medium
CVSS3 Score: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N - 6.5 Medium
Product Specific Notes: None.

Vulnerable versions:

  • Tableau Server on Linux 2018.1.0 through 2018.1.21
  • Tableau Server on Linux 2018.2.0 through 2018.2.18
  • Tableau Server on Linux 2018.3.0 through 2018.3.15
  • Tableau Server on Linux 2019.1.0 through 2019.1.13
  • Tableau Server on Linux 2019.2.0 through 2019.2.9
  • Tableau Server on Linux 2019.3.0 through 2019.3.5
  • Tableau Server on Linux 2019.4.0 through 2019.4.4
  • Tableau Server on Linux 2020.1.0 through 2020.1.1

  • Tableau Server on Windows 2018.1.0 through 2018.1.21
  • Tableau Server on Windows 2018.2.0 through 2018.2.18
  • Tableau Server on Windows 2018.3.0 through 2018.3.15
  • Tableau Server on Windows 2019.1.0 through 2019.1.13
  • Tableau Server on Windows 2019.2.0 through 2019.2.9
  • Tableau Server on Windows 2019.3.0 through 2019.3.5
  • Tableau Server on Windows 2019.4.0 through 2019.4.4
  • Tableau Server on Windows 2020.1.0 through 2020.1.1


Resolved in versions:

  • Tableau Server on Linux 2018.1.22
  • Tableau Server on Linux 2018.2.19
  • Tableau Server on Linux 2018.3.16
  • Tableau Server on Linux 2019.1.14
  • Tableau Server on Linux 2019.2.10
  • Tableau Server on Linux 2019.3.6
  • Tableau Server on Linux 2019.4.5
  • Tableau Server on Linux 2020.1.2

  • Tableau Server on Windows 2018.1.22
  • Tableau Server on Windows 2018.2.19
  • Tableau Server on Windows 2018.3.16
  • Tableau Server on Windows 2019.1.14
  • Tableau Server on Windows 2019.2.10
  • Tableau Server on Windows 2019.3.6
  • Tableau Server on Windows 2019.4.5
  • Tableau Server on Windows 2020.1.2


Tableau Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Prep

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Reader

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Highest overall severity: Medium


Summary:

Tableau Server fails to properly validate the final destination URL during certain API calls.


Impact:

A Tableau Server user who clicks on a malicious link will be redirected to an attacker-controlled location.


Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep | Tableau Reader | Tableau Mobile | Tableau Public Desktop
*Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: Medium
CVSS3 Score: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N - 5.4 Medium
Product Specific Notes: None.

Vulnerable versions:

  • Tableau Server on Linux 10.5.0 through 10.5.24
  • Tableau Server on Linux 2018.1.0 through 2018.1.21
  • Tableau Server on Linux 2018.2.0 through 2018.2.18
  • Tableau Server on Linux 2018.3.0 through 2018.3.15
  • Tableau Server on Linux 2019.1.0 through 2019.1.13
  • Tableau Server on Linux 2019.2.0 through 2019.2.9
  • Tableau Server on Linux 2019.3.0 through 2019.3.5
  • Tableau Server on Linux 2019.4.0 through 2019.4.4
  • Tableau Server on Linux 2020.1.0 through 2020.1.1

  • Tableau Server on Windows 10.4.0 through 10.4.25
  • Tableau Server on Windows 10.5.0 through 10.5.24
  • Tableau Server on Windows 2018.1.0 through 2018.1.21
  • Tableau Server on Windows 2018.2.0 through 2018.2.18
  • Tableau Server on Windows 2018.3.0 through 2018.3.15
  • Tableau Server on Windows 2019.1.0 through 2019.1.13
  • Tableau Server on Windows 2019.2.0 through 2019.2.9
  • Tableau Server on Windows 2019.3.0 through 2019.3.5
  • Tableau Server on Windows 2019.4.0 through 2019.4.4
  • Tableau Server on Windows 2020.1.0 through 2020.1.1


Resolved in versions:

  • Tableau Server on Linux 10.5.25
  • Tableau Server on Linux 2018.1.22
  • Tableau Server on Linux 2018.2.19
  • Tableau Server on Linux 2018.3.16
  • Tableau Server on Linux 2019.1.14
  • Tableau Server on Linux 2019.2.10
  • Tableau Server on Linux 2019.3.6
  • Tableau Server on Linux 2019.4.5
  • Tableau Server on Linux 2020.1.2

  • Tableau Server on Windows 10.4.26
  • Tableau Server on Windows 10.5.25
  • Tableau Server on Windows 2018.1.22
  • Tableau Server on Windows 2018.2.19
  • Tableau Server on Windows 2018.3.16
  • Tableau Server on Windows 2019.1.14
  • Tableau Server on Windows 2019.2.10
  • Tableau Server on Windows 2019.3.6
  • Tableau Server on Windows 2019.4.5
  • Tableau Server on Windows 2020.1.2


Tableau Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Prep

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Reader

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.