Skip navigation
1 2 3 Previous Next

Security Bulletins

86 posts

Highest overall severity: High

 

Summary:

A user connecting to a malicious Tableau Server instance with Tableau Prep Builder can trigger a vulnerability in the version of Electron used by Tableau Prep Builder. Electron is an open-source development framework.

 

Impact:

An attacker exploiting this vulnerability may be able to execute arbitrary code or cause a crash.

 

Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep Builder | Tableau Reader | Tableau Mobile | Tableau Public Desktop
*Versions that are no longer supported are not tested and may be vulnerable.

 

Tableau Server

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.

 

Tableau Desktop (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.

 

Tableau Bridge (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.

Tableau Prep Builder (Back to top of page)

Severity: High
CVSS3 Score: AV:N AC:H PR:N UI:R S:U C:H I:H A:H - 7.5 High
Product specific notes:

 

Vulnerable versions:

  • Tableau Prep Builder 2018.1.1 through 2019.1.2

 

Resolved in versions:

  • Tableau Prep Builder 2019.1.3

 

Tableau Reader (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.

 

Tableau Mobile (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.

 

Tableau Public Desktop (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.

Highest overall severity: High

 

Summary:

The psqlODBC driver that is included with Tableau products contains a heap-based buffer overflow. We recommend that all Tableau users upgrade to psqlODBC 9.6.5.

 

Impact:

An attacker exploiting this vulnerability may be able to execute arbitrary code or cause a crash.

 

Mitigation:

Windows: For Tableau products running on Windows the latest PostgreSQL ODBC driver should be installed.
Mac: For Tableau products running on Mac the latest PostgreSQL ODBC driver should be installed.
Linux: For Tableau products running on Linux follow these directions:


On CentOS and RHEL:

Download the .rpm file.
To install the driver, run the following command:
    sudo yum install tableau-postgresql-odbc-09.06.0500-1.x86_64.rpm

On Ubuntu:

Download the .deb file.
To install the driver, run the following command:
    sudo gdebi tableau-postgresql-odbc_09.06.0500-2_amd64.deb

 

Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep Builder | Tableau Reader | Tableau Mobile | Tableau Public Desktop
Versions that are no longer supported are not tested and may be vulnerable.

 

Tableau Server

Severity: High CVSS3 Score: AV:N AC:L PR:L UI:N S:U C:H I:H A:H - 8.8 High
Product specific notes:
        An authenticated user who has permissions to publish a workbook to Tableau Server can trigger this vulnerability.

 

Tableau Server on Linux does not include the PostgreSQL ODBC driver by default, and is therefore not listed below. However, the PostgreSQL driver is required for Admin View functionality and is often installed by the administrator as part of the deployment process. If the driver has been installed then Tableau Server on Linux is vulnerable.

 

Vulnerable versions:

  • Tableau Server on Windows 10.0 through 10.0.22

Support for Tableau Sever on Windows 10.0 ended on Feb, 19, 2019 (Supported Versions)

No new releases of 10.0 are planned. It is recommended to apply the above mitigation.

 

 

Tableau Desktop (Back to top of page)

Severity: High CVSS3 Score: AV:L AC:L PR:N UI:R S:U C:H I:H A:H - 7.8 High
Product specific notes:

Opening a malicious workbook can trigger this vulnerability.

 

Tableau Desktop on Windows includes the 32-bit version of the psqlODBC driver. It is recommended that this driver be uninstalled. To uninstall the 32-bit version of the driver use Add/Remove Programs and uninstall 'psqlODBC'.

 

Vulnerable versions:

  • Tableau Desktop on Windows 10.0 through 10.0.21
  • Tableau Desktop on Windows 10.1 through 10.1.21
  • Tableau Desktop on Windows 10.2 through 10.2.17
  • Tableau Desktop on Windows 10.3 through 10.3.17
  • Tableau Desktop on Windows 10.4 through 10.4.13
  • Tableau Desktop on Windows 10.5 through 10.5.12
  • Tableau Desktop on Windows 2018.1 through 2018.1.9
  • Tableau Desktop on Windows 2018.2 through 2018.2.6
  • Tableau Desktop on Windows 2018.3 through 2018.3.3
  • Tableau Desktop on Windows 2019.1 through 2019.1.0 (Fix coming in future release)

 

  • Tableau Desktop on Mac 10.2 through 10.2.17
  • Tableau Desktop on Mac 10.3 through 10.3.17
  • Tableau Desktop on Mac 10.4 through 10.4.13
  • Tableau Desktop on Mac 10.5 through 10.5.12
  • Tableau Desktop on Mac 2018.1 through 2018.1.9
  • Tableau Desktop on Mac 2018.2 through 2018.2.6
  • Tableau Desktop on Mac 2018.3 through 2018.3.3
  • Tableau Desktop on Mac 2019.1 through 2019.1.0 (Fix coming in future release)

 

Resolved in versions:

  • Tableau Desktop on Windows 10.0.22
  • Tableau Desktop on Windows 10.1.22
  • Tableau Desktop on Windows 10.2.18
  • Tableau Desktop on Windows 10.3.18
  • Tableau Desktop on Windows 10.4.14
  • Tableau Desktop on Windows 10.5.13
  • Tableau Desktop on Windows 2018.1.10
  • Tableau Desktop on Windows 2018.2.7
  • Tableau Desktop on Windows 2018.3.4

  • Tableau Desktop on Mac 10.2.18
  • Tableau Desktop on Mac 10.3.18
  • Tableau Desktop on Mac 10.4.14
  • Tableau Desktop on Mac 10.5.13
  • Tableau Desktop on Mac 2018.1.10
  • Tableau Desktop on Mac 2018.2.7
  • Tableau Desktop on Mac 2018.3.4

 

Tableau Bridge (Back to top of page)

Severity: High CVSS3 Score: AV:N AC:L PR:L UI:N S:U C:H I:H A:H - 8.8 High
Product specific notes:
      Opening a malicious data source can trigger this vulnerability.

 

Vulnerable versions:

  • Tableau Bridge 2018.2 through 20191.19.0204.1456

 

Resolved in versions:

  • Tableau Bridge 20191.19.0311.1807

 

Tableau Prep Builder (Back to top of page)

Severity: High CVSS3 Score: AV:L AC:L PR:N UI:R S:U C:H I:H A:H - 7.8 High
Product specific notes:
      Opening a malicious flow can trigger this vulnerability.

 

Vulnerable versions:

  • Tableau Prep Builder 2018.1.1 through 2019.1.2

 

Resolved in versions:

  • Tableau Prep Builder 2019.1.3

 

Tableau Reader (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes:

Not affected.

 

Tableau Mobile (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes:

Not affected.

 

Tableau Public Desktop (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes:

Not affected.

Highest overall severity: High

 

Summary:

A heap based buffer overflow vulnerability exists in Tableau products.

 

Impact:

An attacker exploiting this vulnerability may be able to execute arbitrary code or cause a crash.

 

Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep | Tableau Reader | Tableau Mobile | Tableau Public Desktop
*Versions that are no longer supported are not tested and may be vulnerable.

 

Tableau Server

Severity: High CVSS3 Score: AV:N AC:L PR:L UI:N S:U C:H I:H A:H - 8.8 High
Product specific notes:
      An authenticated user that is able to publish a workbook to Tableau Server can trigger this vulnerability.

 

Vulnerable versions:

  • Tableau Server on Windows 10.0 through 10.0.21
  • Tableau Server on Windows 10.1 through 10.1.21
  • Tableau Server on Windows 10.2 through 10.2.17
  • Tableau Server on Windows 10.3 through 10.3.17
  • Tableau Server on Windows 10.4 through 10.4.13
  • Tableau Server on Windows 10.5 through 10.5.12
  • Tableau Server on Windows 2018.1 through 2018.1.9
  • Tableau Server on Windows 2018.2 through 2018.2.6
  • Tableau Server on Windows 2018.3 through 2018.3.3
  • Tableau Server on Windows 2019.1 through 2019.1.1 (Fix coming in future release)

  • Tableau Server on Linux 10.5 through 10.5.12
  • Tableau Server on Linux 2018.1 through 2018.1.9
  • Tableau Server on Linux 2018.2 through 2018.2.6
  • Tableau Server on Linux 2018.3 through 2018.3.3
  • Tableau Server on Linux 2019.1 through 2019.1.1 (Fix coming in future release)

 

Resolved in versions:

  • Tableau Server on Windows 10.0.22
  • Tableau Server on Windows 10.1.22
  • Tableau Server on Windows 10.2.18
  • Tableau Server on Windows 10.3.18
  • Tableau Server on Windows 10.4.14
  • Tableau Server on Windows 10.5.13
  • Tableau Server on Windows 2018.1.10
  • Tableau Server on Windows 2018.2.7
  • Tableau Server on Windows 2018.3.4

  • Tableau Server on Linux 10.5.13
  • Tableau Server on Linux 2018.1.10
  • Tableau Server on Linux 2018.2.7
  • Tableau Server on Linux 2018.3.4

 

Tableau Desktop (Back to top of page)

Severity: High CVSS3 Score: AV:L AC:L PR:N UI:R S:U C:H I:H A:H - 7.8 High
Product specific notes:
      Opening a malicious workbook can trigger this vulnerability.

 

Vulnerable versions:

  • Tableau Desktop on Windows 10.0 through 10.0.21
  • Tableau Desktop on Windows 10.1 through 10.1.21
  • Tableau Desktop on Windows 10.2 through 10.2.17
  • Tableau Desktop on Windows 10.3 through 10.3.17
  • Tableau Desktop on Windows 10.4 through 10.4.13
  • Tableau Desktop on Windows 10.5 through 10.5.12
  • Tableau Desktop on Windows 2018.1 through 2018.1.9
  • Tableau Desktop on Windows 2018.2 through 2018.2.6
  • Tableau Desktop on Windows 2018.3 through 2018.3.3
  • Tableau Desktop on Windows 2019.1 through 2019.1.0 (Fix coming in future release)

  • Tableau Desktop on Mac 10.0 through 10.0.21
  • Tableau Desktop on Mac 10.1 through 10.1.21
  • Tableau Desktop on Mac 10.2 through 10.2.17
  • Tableau Desktop on Mac 10.3 through 10.3.17
  • Tableau Desktop on Mac 10.4 through 10.4.13
  • Tableau Desktop on Mac 10.5 through 10.5.12
  • Tableau Desktop on Mac 2018.1 through 2018.1.9
  • Tableau Desktop on Mac 2018.2 through 2018.2.6
  • Tableau Desktop on Mac 2018.3 through 2018.3.3
  • Tableau Desktop on Mac 2019.1 through 2019.1.0 (Fix coming in future release)

 

Resolved in versions:

  • Tableau Desktop on Windows 10.0.22
  • Tableau Desktop on Windows 10.1.22
  • Tableau Desktop on Windows 10.2.18
  • Tableau Desktop on Windows 10.3.18
  • Tableau Desktop on Windows 10.4.14
  • Tableau Desktop on Windows 10.5.13
  • Tableau Desktop on Windows 2018.1.10
  • Tableau Desktop on Windows 2018.2.7
  • Tableau Desktop on Windows 2018.3.4

  • Tableau Desktop on Mac 10.0.22
  • Tableau Desktop on Mac 10.1.22
  • Tableau Desktop on Mac 10.2.18
  • Tableau Desktop on Mac 10.3.18
  • Tableau Desktop on Mac 10.4.14
  • Tableau Desktop on Mac 10.5.13
  • Tableau Desktop on Mac 2018.1.10
  • Tableau Desktop on Mac 2018.2.7
  • Tableau Desktop on Mac 2018.3.4

 

Tableau Bridge (Back to top of page)

Severity: High
CVSS3 Score: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H - 7.5 High

 

Vulnerable versions:

  • Tableau Bridge 2018.2 through 20191.19.0204.1456

 

Resolved in versions:

  • Tableau Bridge 20191.19.0311.1807

 

Tableau Prep (Back to top of page)

Severity: High
CVSS3 Score: AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H - 7.0 High
Product specific notes:
      Opening malicious flows may trigger this vulnerability.

 

Vulnerable versions:

  • Tableau Prep 2018.1.1 through 2019.1.2

 

Resolved in versions:

  • Tableau Prep 2019.1.3

 

Tableau Reader (Back to top of page)

Severity: High
CVSS3 Score: AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H - 7.0 High
Product specific notes:
      Opening malicious workbooks may trigger this vulnerability.

 

Vulnerable versions:

 

Tableau Mobile (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes:

Not affected.

 

Tableau Public Desktop (Back to top of page)

Severity: High
CVSS3 Score: AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H - 7.0 High
Product specific notes:
      Opening malicious workbooks may trigger this vulnerability

 

Vulnerable versions:

 

Acknowledgement:
This vulnerability was discovered by Kushal Arvind Shah of Fortinet’s FortiGuard Labs.

Highest overall severity: High

 

Summary:

Workbooks connected to published data sources that leverage user functions may not properly filter data the first time a view is loaded due to a caching issue.

 

Impact:

A user with access to a published workbook or data source can see unfiltered data for another user resulting in information disclosure within that same workbook. A malicious user cannot directly force this to happen.

 

Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep | Tableau Reader | Tableau Mobile | Tableau Public Desktop
*Versions that are no longer supported are not tested and may be vulnerable.

 

Tableau Server

Severity: High CVSS3 Score: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N/CR:H - 7.5 High

Product specific notes:

This vulnerability affects the user filter functionality of Tableau server.

 

If you have already installed Tableau Server 2019.1.0 and plan to upgrade to 2019.1.1, you will need to take the following steps before you upgrade to ensure your cache is properly cleared:

tsm stop

tsm maintenance cleanup -r

install the new version 2019.1.1 and initiate the upgrade script to complete the upgrade.

 

If you have already installed Tableau Server 2019.1.0 and do not plan to upgrade to 2019.1.1, you will need to take the following steps to ensure your cache is properly cleared and the logical query cache is disabled:

tsm stop

tsm maintenance cleanup -r

tsm configuration set -k features.LogicalQueryCache -v false

tsm pending-changes apply

tsm start

 

For Tableau Mobile Views

If a Tableau Server version 2019.1.0 has been installed with offline favorites enabled, then Tableau Mobile clients connecting to that server may display incorrect data even if you have upgraded Tableau Server, or have already applied the mitigations referenced in this bulletin. We recommend that you run the removeStaleSheet script to determine if there are images that need to be regenerated. In the case where images need to be regenerated, the script will prompt you to force Tableau Server to regenerate the Tableau Mobile offline views.

 

To run the removeStaleSheet script:

 

1. Download the WINDOWSremoveStaleSheet or LINUXremoveStaleSheet script attached to this post and save it to the Tableau Server machine.

2. Open a command line on the Tableau Server machine.

3. Log into TSM.

4. Run the the WINDOWSremoveStaleSheet or LINUXremoveStaleSheet script.

 

 

Vulnerable versions:

  • Tableau Server on Windows 2019.1.0

 

  • Tableau Server on Linux 2019.1.0

 

Resolved in versions:

  • Tableau Server on Windows 2019.1.1

  • Tableau Server on Linux 2019.1.1

 

Tableau Desktop (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.

 

Tableau Bridge (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.

 

Tableau Prep (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.

 

Tableau Reader (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.

 

Tableau Mobile (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.

 

Tableau Public Desktop (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.

Highest overall severity: High

 

Summary:

Tableau products use the ICU library when processing data from workbooks and datasources.
The following CVEs have been addressed:

 

Impact:

An attacker exploiting these vulnerabilities may be able to execute arbitrary code or cause a crash.

 

Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep | Tableau Reader | Tableau Mobile | Tableau Public Desktop
*Versions that are no longer supported are not tested and may be vulnerable.

 

Tableau Server

Severity: High
CVSS3 Score: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H - 7.5 - High

 

Vulnerable versions:

  • Tableau Server on Windows 10.0 through 10.0.21
  • Tableau Server on Windows 10.1 through 10.1.20
  • Tableau Server on Windows 10.2 through 10.2.16
  • Tableau Server on Windows 10.3 through 10.3.16
  • Tableau Server on Windows 10.4 through 10.4.12
  • Tableau Server on Windows 10.5 through 10.5.11
  • Tableau Server on Windows 2018.1 through 2018.1.8
  • Tableau Server on Windows 2018.2 through 2018.2.5
  • Tableau Server on Windows 2018.3 through 2018.3.2

  • Tableau Server on Linux 10.5 through 10.5.11
  • Tableau Server on Linux 2018.1 through 2018.1.8
  • Tableau Server on Linux 2018.2 through 2018.2.5
  • Tableau Server on Linux 2018.3 through 2018.3.2

 

Resolved in versions:

  • Tableau Server on Windows 10.0.22
  • Tableau Server on Windows 10.1.21
  • Tableau Server on Windows 10.2.17
  • Tableau Server on Windows 10.3.17
  • Tableau Server on Windows 10.4.13
  • Tableau Server on Windows 10.5.12
  • Tableau Server on Windows 2018.1.9
  • Tableau Server on Windows 2018.2.6
  • Tableau Server on Windows 2018.3.3

  • Tableau Server on Linux 10.5.12
  • Tableau Server on Linux 2018.1.9
  • Tableau Server on Linux 2018.2.6
  • Tableau Server on Linux 2018.3.3

 

Tableau Desktop (Back to top of page)

Severity: High
CVSS3 Score: AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H - 7.0 High

Product specific notes:
      Opening malicious workbooks may trigger this vulnerability.

 

Vulnerable versions:

  • Tableau Desktop on Windows 10.0 through 10.0.21
  • Tableau Desktop on Windows 10.1 through 10.1.20
  • Tableau Desktop on Windows 10.2 through 10.2.16
  • Tableau Desktop on Windows 10.3 through 10.3.16
  • Tableau Desktop on Windows 10.4 through 10.4.12
  • Tableau Desktop on Windows 10.5 through 10.5.11
  • Tableau Desktop on Windows 2018.1 through 2018.1.8
  • Tableau Desktop on Windows 2018.2 through 2018.2.5
  • Tableau Desktop on Windows 2018.3 through 2018.3.2

  • Tableau Desktop on Mac 10.0 through 10.0.21
  • Tableau Desktop on Mac 10.1 through 10.1.20
  • Tableau Desktop on Mac 10.2 through 10.2.16
  • Tableau Desktop on Mac 10.3 through 10.3.16
  • Tableau Desktop on Mac 10.4 through 10.4.12
  • Tableau Desktop on Mac 10.5 through 10.5.11
  • Tableau Desktop on Mac 2018.1 through 2018.1.8
  • Tableau Desktop on Mac 2018.2 through 2018.2.5
  • Tableau Desktop on Mac 2018.3 through 2018.3.2

 

Resolved in versions:

  • Tableau Desktop on Windows 10.0.22
  • Tableau Desktop on Windows 10.1.21
  • Tableau Desktop on Windows 10.2.17
  • Tableau Desktop on Windows 10.3.17
  • Tableau Desktop on Windows 10.4.13
  • Tableau Desktop on Windows 10.5.12
  • Tableau Desktop on Windows 2018.1.9
  • Tableau Desktop on Windows 2018.2.6
  • Tableau Desktop on Windows 2018.3.3

  • Tableau Desktop on Mac 10.0.22
  • Tableau Desktop on Mac 10.1.21
  • Tableau Desktop on Mac 10.2.17
  • Tableau Desktop on Mac 10.3.17
  • Tableau Desktop on Mac 10.4.13
  • Tableau Desktop on Mac 10.5.12
  • Tableau Desktop on Mac 2018.1.9
  • Tableau Desktop on Mac 2018.2.6
  • Tableau Desktop on Mac 2018.3.3

 

Tableau Bridge (Back to top of page)

Severity: High
CVSS3 Score: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H - 7.5 High

 

Vulnerable versions:

  • Tableau Bridge 2018.2 through 20183.19.0115.1143

 

Resolved in versions:

  • Tableau Bridge 20191.19.0204.1456

 

Tableau Prep (Back to top of page)

Severity: High
CVSS3 Score: AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H - 7.0 High
Product specific notes:
      Opening malicious flows may trigger this vulnerability.

 

Vulnerable versions:

  • Tableau Prep 2018.1.1 through 2019.1.1

 

Resolved in versions:

  • Tableau Prep 2019.1.2

 

Tableau Reader (Back to top of page)

Severity: High
CVSS3 Score: AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H - 7.0 High
Product specific notes:
      Opening malicious workbooks may trigger this vulnerability.

 

Vulnerable versions:

  • Tableau Reader 10.0 through 2018.3.2

 

Resolved in versions:

  • Tableau Reader 2018.3.3

 

 

Tableau Mobile (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes:

Not affected.

 

Tableau Public Desktop (Back to top of page)

Severity: High
CVSS3 Score: AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H - 7.0 High
Product specific notes:
      Opening malicious workbooks may trigger this vulnerability

 

Vulnerable versions:

  • Tableau Public Desktop on Windows 10.0 through 2018.3.2

  • Tableau Public Desktop on Mac 10.0 through 2018.3.2

 

Resolved in versions:

  • Tableau Public Desktop on Windows 2018.3.3

 

  • Tableau Public Desktop on Mac 2018.3.3

Highest overall severity: Medium

 

Summary:

Tableau Server services log configuration values at startup. These log files can contain sensitive configuration values. For example, if Tableau Server is configured for SSL and the associated private key uses a passphrase, then the passphrase will appear in the log files.

 

Impact:

Malicious users with access to the Tableau Server log files can learn sensitive configuration values.

 

Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep | Tableau Reader | Tableau Mobile | Tableau Public Desktop
*Versions that are no longer supported are not tested and may be vulnerable.

 

Tableau Server

Severity: Medium
CVSS3 Score: AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N - 4.4 Medium

 

Vulnerable versions:

  • Tableau Server on Windows 10.0 through 10.0.21
  • Tableau Server on Windows 10.1 through 10.1.20
  • Tableau Server on Windows 10.2 through 10.2.16
  • Tableau Server on Windows 10.3 through 10.3.16
  • Tableau Server on Windows 10.4 through 10.4.12
  • Tableau Server on Windows 10.5 through 10.5.11
  • Tableau Server on Windows 2018.1 through 2018.1.8
  • Tableau Server on Windows 2018.2 through 2018.2.5
  • Tableau Server on Windows 2018.3 through 2018.3.2

  • Tableau Server on Linux 10.5 through 10.5.11
  • Tableau Server on Linux 2018.1 through 2018.1.8
  • Tableau Server on Linux 2018.2 through 2018.2.5
  • Tableau Server on Linux 2018.3 through 2018.3.2

 

Resolved in versions:

 

  • Tableau Server on Windows 10.0.22
  • Tableau Server on Windows 10.1.21
  • Tableau Server on Windows 10.2.17
  • Tableau Server on Windows 10.3.17
  • Tableau Server on Windows 10.4.13
  • Tableau Server on Windows 10.5.12
  • Tableau Server on Windows 2018.1.9
  • Tableau Server on Windows 2018.2.6
  • Tableau Server on Windows 2018.3.3

  • Tableau Server on Linux 10.5.12
  • Tableau Server on Linux 2018.1.9
  • Tableau Server on Linux 2018.2.6
  • Tableau Server on Linux 2018.3.3

 

Tableau Desktop (Back to top of page)

Severity: N/A

CVSS3 Score: N/A
Product specific notes: Not affected.

 

Tableau Bridge (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected

 

Tableau Prep (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.

 

Tableau Reader (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not Affected.

 

Tableau Mobile (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.

 

Tableau Public Desktop (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.

Severity: Medium

 

Summary: The ziplogs command (tsm maintenance ziplogs) is used by Tableau Server administrators to package configuration information and log files to send to Tableau Support. Unneeded, but sensitive information is contained in these zip archives.

 

Impact: Running the ziplogs command on a Tableau Server that is configured with external SSL will generate an archive file that includes the private key for the external SSL certificate.

 

Vulnerable Versions:  The following versions have this vulnerability:

Tableau Server 2018.2.0 through 2018.2.3

Tableau Server 2018.3.0

Tableau Server on Linux 10.5 through 10.5.9

Tableau Server on Linux 2018.1.0 through 2018.1.6

Tableau Server on Linux 2018.2.0 through 2018.2.3

Tableau Server on Linux 2018.3.0

Resolution: The issue can be fixed by upgrading to the following version:

Tableau Server 2018.2.4

Tableau Server 2018.3.1

Tableau Server on Linux 10.5.10

Tableau Server on Linux 2018.1.7

Tableau Server on Linux 2018.2.4

Tableau Server on Linux 2018.3.1

Severity: Medium

 

Summary: A malicious workbook that has a refresh job scheduled on it can cause the Backgrounder service to crash and fail to process any subsequent jobs.

 

Impact: The Backgrounder service will repeatedly crash and no new jobs will be processed.

 

Vulnerable Versions:  The following versions have this vulnerability:

Tableau Server 2018.2.0 through 2018.2.3

Tableau Server 2018.3.0

Tableau Server on Linux 2018.2.0 through 2018.2.3

Tableau Server on Linux 2018.3.0

 

 

Resolution: The issue can be fixed by upgrading to the following version:

Tableau Server 2018.2.4

Tableau Server 2018.3.1

Tableau Server on Linux 2018.2.4

Tableau Server on Linux 2018.3.1

Severity: Medium

 

Summary: The cookie used to identify the Tableau Services Manager (TSM) Web UI session does not expire if a browser window to the web interface remains open.

 

Impact: This vulnerability increases the risk that an unattended computer where the TSM web UI is left open will host a valid session. The open valid session allows users to perform administrative actions on the Tableau Server installation.

 

Vulnerable Versions:  The following versions have this vulnerability:

Tableau Server 2018.2.0 through 2018.2.3

Tableau Server 2018.3.0

Tableau Server on Linux 2018.2.0 through 2018.2.3

Tableau Server on Linux 2018.3.0

 

 

Resolution: The issue can be fixed by upgrading to the following version:

Tableau Server 2018.2.4

Tableau Server 2018.3.1

Tableau Server on Linux 2018.2.4

Tableau Server on Linux 2018.3.1

Severity: High

 

Summary: This vulnerability requires that a malicious user embeds specific parameters in a Tableau workbook. The malicious user must also have rights to publish the workbook on Tableau Server. Alternatively, the malicious user must convince a victim to open the affected workbook in Tableau Desktop.

 

Impact: A memory corruption error can occur. This memory corruption might result in arbitrary code execution or a crash.

 

Vulnerable Versions:  The following versions have this vulnerability:

Tableau Server 2018.3.0

Tableau Server on Linux 2018.3.0

 

Tableau Desktop 2018.3.0

 

 

Resolution: The issue can be fixed by upgrading to the following version:

Tableau Server 2018.3.1

Tableau Server on Linux 2018.3.1

 

Tableau Desktop 2018.3.1

Severity: Medium

 

Summary: Tableau Server and Tableau Desktop may misinterpret part of a password as a delimiter and fail to remove the entire password when writing log statements. Tableau writes logs to access-controlled areas of the files system.

 

Impact: A password used to connect with an ODBC-based connector may result in partial password disclosure. If the password contains one or more certain special characters, Tableau will interpret the characters as delimiters. In this case, a portion of the password will be written in cleartext to the application logs. An attacker with access to these log files will have access to a portion of the password, thereby increasing the probability of a successful brute-force attack on the database.

 

Vulnerable Versions:  The following versions have this vulnerability:

Tableau Server 10.0 through 10.0.20

Tableau Server 10.1 through 10.1.19

Tableau Server 10.2 through 10.2.15

Tableau Server 10.3 through 10.3.15

Tableau Server 10.4 through 10.4.11

Tableau Server 10.5 through 10.5.8

Tableau Server 2018.1 through 2018.1.5

Tableau Server 2018.2 through 2018.2.2

Tableau Server 2018.3

 

Tableau Server on Linux 10.5 through 10.5.8

Tableau Server on Linux 2018.1 through 2018.1.5

Tableau Server on Linux 2018.2 through 2018.2.2

 

Tableau Desktop 10.0 through 10.0.20

Tableau Desktop 10.1 through 10.1.19

Tableau Desktop 10.2 through 10.2.15

Tableau Desktop 10.3 through 10.3.15

Tableau Desktop 10.4 through 10.4.11

Tableau Desktop 10.5 through 10.5.8

 

Tableau Bridge 2018.2 through 2018.2.0.18.0918.0707

 

Tableau Prep 2018.1.1 through 2018.3.1

              

Resolution: The issue can be fixed by upgrading to the following version:

Tableau Server 10.0.21

Tableau Server 10.1.20

Tableau Server 10.2.16

Tableau Server 10.3.16

Tableau Server 10.4.12

Tableau Server 10.5.9

Tableau Server 2018.1.6

Tableau Server 2018.2.3

Tableau Server 2018.3.1

 

Tableau Server on Linux 10.5.9

Tableau Server on Linux 2018.1.6

Tableau Server on Linux 2018.2.3

 

Tableau Desktop 10.0.21

Tableau Desktop 10.1.20

Tableau Desktop 10.2.16

Tableau Desktop 10.3.16

Tableau Desktop 10.4.12

Tableau Desktop 10.5.9

Tableau Desktop 2018.1.6

Tableau Desktop 2018.2.3

 

Tableau Bridge 2018.3.0.18.1016.2147

 

Tableau Prep 2018.3.2

Severity: High

 

Summary: Tableau Server makes use of the Java JRE. The July 2018 updates to the Java JRE contained an unspecified High severity issue (CVE-2018-2942) that might present a risk to Tableau Server.

 

Impact: From http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html#AppendixJAVA

Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.

 

This vulnerability may allow for the compromise of the integrity, confidentiality and availability of Tableau Server.

 

Vulnerable Versions:  The following versions have this vulnerability:

Tableau Server 10.0 through 10.0.20

Tableau Server 10.1 through 10.1.19

Tableau Server 10.2 through 10.2.15

Tableau Server 10.3 through 10.3.15

Tableau Server 10.4 through 10.4.11

Tableau Server 10.5 through 10.5.8

Tableau Server 2018.1 through 2018.1.5

Tableau Server 2018.2 through 2018.2.2

Tableau Server on Linux 10.5 through 10.5.8

Tableau Server on Linux 2018.1 through 2018.1.5

Tableau Server on Linux 2018.2 through 2018.2.2

 

 

Resolution: The issue can be fixed by upgrading to the following version:

Tableau Server 10.0.21

Tableau Server 10.1.20

Tableau Server 10.2.16

Tableau Server 10.3.16

Tableau Server 10.4.12

Tableau Server 10.5.9

Tableau Server 2018.1.6

Tableau Server 2018.2.3

Tableau Server on Linux 10.5.9

Tableau Server on Linux 2018.1.6

Tableau Server on Linux 2018.2.3

Severity: Medium

 

Summary: This vulnerability requires that a malicious user embeds specific parameters in a Tableau workbook. The malicious user must also have rights to publish the workbook on Tableau Server. The malicious user must then construct a specially crafted URL to enable arbitrary javascript to run in the victim's browser at run time.

 

Impact: When users open the modified workbook via the specially crafted URL, arbitrary javascript can run in their browser session.

 

Vulnerable Versions:  The following versions have this vulnerability:

Tableau Server 10.0 through 10.0.20

Tableau Server 10.1 through 10.1.19

Tableau Server 10.2 through 10.2.15

Tableau Server 10.3 through 10.3.14

Tableau Server 10.4 through 10.4.10

Tableau Server 10.5 through 10.5.7

Tableau Server 2018.1 through 2018.1.4

Tableau Server 2018.2 through 2018.2.1

Tableau Server on Linux 10.5 through 10.5.7

Tableau Server on Linux 2018.1 through 2018.1.4

Tableau Server on Linux 2018.2 through 2018.2.1

 

Resolution: The issue can be fixed by upgrading to the following version:

Tableau Server 10.0.21

Tableau Server 10.1.20

Tableau Server 10.2.16

Tableau Server 10.3.15

Tableau Server 10.4.11

Tableau Server 10.5.8

Tableau Server 2018.1.5

Tableau Server 2018.2.2

Tableau Server on Linux 10.5.8

Tableau Server on Linux 2018.1.5

Tableau Server on Linux 2018.2.2

Severity: Medium

 

Summary: A Tableau Server configured with “External SSL” enabled that receives a specially crafted HTTP request on the non-SSL port will respond with a redirect to the HTTPS port. The redirect will specify the local IP address of the host rather than the hostname.

 

Impact: An internal IP address of the Tableau Server host will be exposed. For Tableau Server instances running on the internet, this vulnerability can expose details of the internal network topology to outside users.

 

Vulnerable Versions:  The following versions have this vulnerability:

Tableau Server 10.0 through 10.0.20

Tableau Server 10.1 through 10.1.19

Tableau Server 10.2 through 10.2.15

Tableau Server 10.3 through 10.3.14

Tableau Server 10.4 through 10.4.10

Tableau Server 10.5 through 10.5.7

Tableau Server 2018.1 through 2018.1.4

Tableau Server 2018.2 through 2018.2.1

Tableau Server 2018.3

 

Tableau Server on Linux 10.5 through 10.5.7

Tableau Server on Linux 2018.1 through 2018.1.4

Tableau Server on Linux 2018.2 through 2018.2.1

 

 

Resolution: The issue can be fixed by upgrading to the following version:

Tableau Server 10.0.21

Tableau Server 10.1.20

Tableau Server 10.2.16

Tableau Server 10.3.15

Tableau Server 10.4.11

Tableau Server 10.5.8

Tableau Server 2018.1.5

Tableau Server 2018.2.2

Tableau Server 2018.3.1

 

Tableau Server on Linux 10.5.8

Tableau Server on Linux 2018.1.5

Tableau Server on Linux 2018.2.2

Severity: High

 

Summary:  The JavaScript engine that runs Dashboard Extensions in Tableau Desktop has a memory corruption issue.

 

Impact: A malicious Dashboard Extension can cause memory corruption and possibly code execution under the privileges of the user that is running Tableau Desktop.

 

Vulnerable Versions:  The following versions have this vulnerability:

Tableau Desktop 2018.2.0

 

Resolution: The issue can be fixed by upgrading to the following version:

Tableau Desktop 2018.2.2