
Security Bulletins


Highest overall severity: Medium


Summary:

When calculating derived permissions on an object, Tableau Server asserts the user's highest access role across all sites. For example, in the case where a given user has different access roles across multiple sites hosted on the same Tableau Server, the process of calculating derived permissions will assert the user's highest access role for other sites on the server.


Impact:

Authenticated users on a site may be able to view content on the same site where the user does not have explicit authorization.


Mitigation:

Derived permissions can be disabled server-wide. For information about disabling derived permissions, see the Tableau Server help topic, "Manage Permissions for External Assets" (Windows | Linux).

 

Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep | Tableau Reader | Tableau Mobile | Tableau Public Desktop
*Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: Medium
CVSS3 Score: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N - 5.3 Medium
Product Specific Notes: This only occurs on Tableau Server installs with the Data Management add-on.

Vulnerable versions:


Resolved in versions:

  • Tableau Server on Linux 2019.3.2

  • Tableau Server on Windows 2019.3.2

 

Tableau Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Prep

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Reader

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Highest overall severity: Medium


Summary:

Tableau Server may incorrectly calculate derived permissions on views.


Impact:

Information such as workbook, project names, or view names may be disclosed to users without permissions to this content on the same site.


Mitigation:

Derived permissions can be disabled server-wide. For information about disabling derived permissions, see the Tableau Server help topic, "Manage Permissions for External Assets" (Windows | Linux).

 

Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep | Tableau Reader | Tableau Mobile | Tableau Public Desktop
*Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: Medium
CVSS3 Score: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N - 6.5 Medium
Product Specific Notes:

This only occurs on Tableau Server installs with the Data Management add-on.

Vulnerable versions:


Resolved in versions:

  • Tableau Server on Linux 2019.3.2

  • Tableau Server on Windows 2019.3.2

 

Tableau Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Prep

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Reader

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Highest overall severity: Medium


Summary:

Tableau Server fails to properly construct MDX queries when using filters that are user controlled.


Impact:

Tableau Server may improperly interpret a filter identifier, which may result in a query that fails to complete or a query that runs against a different cube. In cases where the filter is controllable by a user who would not normally be able to make arbitrary queries against the datasource, this can lead to information disclosure.

 

Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep | Tableau Reader | Tableau Mobile | Tableau Public Desktop
*Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: Medium
CVSS3 Score: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:L - 5.9 Medium
Product Specific Notes: Not affected.

Vulnerable versions:


Resolved in versions:

  • Tableau Server on Linux 2019.1.10
  • Tableau Server on Linux 2019.2.6
  • Tableau Server on Linux 2019.3.2

  • Tableau Server on Windows 2019.1.10
  • Tableau Server on Windows 2019.2.6
  • Tableau Server on Windows 2019.3.2

 

Tableau Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Prep

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Reader

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Highest overall severity: Medium


Summary:

When users attempt to publish workbooks on Tableau Server, they will get a distinctive error message if they attempt to publish a workbook to a project that does not exist. When users attempt to publish to an existing project, they will get a different error message if they do not have permission to publish to that project.


Impact:

A malicious user with publishing access may run a dictionary-style attack with the save-workbook operation to discover project names on Tableau Server.

Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep | Tableau Reader | Tableau Mobile | Tableau Public Desktop
*Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: Medium
CVSS3 Score: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N - 4.3 Medium
Product Specific Notes: None.

Vulnerable versions:


Resolved in versions:

  • Tableau Server on Linux 2019.1.10
  • Tableau Server on Linux 2019.2.6
  • Tableau Server on Linux 2019.3.2

  • Tableau Server on Windows 2019.1.10
  • Tableau Server on Windows 2019.2.6
  • Tableau Server on Windows 2019.3.2

 

Tableau Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Prep

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Reader

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Highest overall severity: Medium


Summary:

Tableau Server fails to properly validate the path that is presented on an embedded authentication redirect page.


Impact:

A Tableau Server user who clicks on a malicious link could initiate a reflected cross-site scripting (XSS) operation with JavaScript, which runs in the client context. Alternatively, a Tableau Server user who clicks on a malicious link could be redirected to an attacker-controlled location.

 

Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep | Tableau Reader | Tableau Mobile | Tableau Public Desktop
*Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: Medium
CVSS3 Score: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N - 4.3 Medium
Product Specific Notes: None.

Vulnerable versions:


Resolved in versions:

  • Tableau Server on Linux 2019.1.10
  • Tableau Server on Linux 2019.2.6
  • Tableau Server on Linux 2019.3.2

  • Tableau Server on Windows 2019.1.10
  • Tableau Server on Windows 2019.2.6
  • Tableau Server on Windows 2019.3.2

 

Tableau Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Prep

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Reader

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Summary:

Tableau Server makes use of the FlexNet Publishing (FNP) service to manage software licenses. The FNP service listens on all interfaces. For information about the ports that are used, see Tableau Services Manager Ports. We recommend that you follow item 6, "Restrict access to the server computer and to important directories" of the Tableau Server Security Hardening Checklist (Windows | Linux). Tableau Server is designed to operate in an isolated network. Therefore, if you are running Tableau Server on Linux, configure the host firewall. If you are running Tableau Server on Windows, verify that Windows Firewall is configured.

The following CVEs have been addressed:


Impact:

On Tableau Server on Windows the FNP service, running as process lmgrd, runs as the LocalService account. This account has limited access on the host but does have access to Tableau Server configuration secrets in versions 2018.2.0 and later. In versions 10.3 through 10.5, the FNP service runs as the LocalService account but does not have access to Tableau Server configuration data. On Tableau Server on Linux the FNP service, running as the process lmgrd, runs as the 'tableau' user and has access to all Tableau Server data.

 

Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep | Tableau Reader | Tableau Mobile | Tableau Public Desktop
*Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: None

Vulnerable versions:

  • Tableau Server on Linux 10.5 through 10.5.20
  • Tableau Server on Linux 2018.1 through 2018.1.17
  • Tableau Server on Linux 2018.2 through 2018.2.14
  • Tableau Server on Linux 2018.3 through 2018.3.11
  • Tableau Server on Linux 2019.1 through 2019.1.8
  • Tableau Server on Linux 2019.2 through 2019.2.4
  • Tableau Server on Linux 2019.3 through 2019.3.0

  • Tableau Server on Windows 10.3.0 through 10.3.X - will not be fixed
  • Tableau Server on Windows 10.4.0 through 10.4.21
  • Tableau Server on Windows 10.5.0 through 10.5.20
  • Tableau Server on Windows 2018.1 through 2018.1.17
  • Tableau Server on Windows 2018.2 through 2018.2.14
  • Tableau Server on Windows 2018.3 through 2018.3.11
  • Tableau Server on Windows 2019.1 through 2019.1.8
  • Tableau Server on Windows 2019.2 through 2019.2.4
  • Tableau Server on Windows 2019.3 through 2019.3.0


Resolved in versions:

  • Tableau Server on Linux 10.5.21
  • Tableau Server on Linux 2018.1.18
  • Tableau Server on Linux 2018.2.15
  • Tableau Server on Linux 2018.3.12
  • Tableau Server on Linux 2019.1.9
  • Tableau Server on Linux 2019.2.5
  • Tableau Server on Linux 2019.3.1

  • Tableau Server on Windows 10.4.22
  • Tableau Server on Windows 10.5.21
  • Tableau Server on Windows 2018.1.18
  • Tableau Server on Windows 2018.2.15
  • Tableau Server on Windows 2018.3.12
  • Tableau Server on Windows 2019.1.9
  • Tableau Server on Windows 2019.2.5
  • Tableau Server on Windows 2019.3.1

 

Tableau Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Prep

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Reader

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Highest overall severity: Medium

 

Summary:

Tableau Server fails to validate a flow's creator when running a flow.

 

Impact:

A malicious publisher can run a crafted flow to overwrite other users' datasources.

 

Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep | Tableau Reader | Tableau Mobile | Tableau Public Desktop
*Versions that are no longer supported are not tested and may be vulnerable.

 

Tableau Server

Severity: Medium
CVSS3 Score: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L - 4.3 Medium
Product Specific Notes:

    This only applies to Tableau Server with the Data Management add-on.

 

Vulnerable versions:

  • Tableau Server on Linux 2019.1 through 2019.1.8
  • Tableau Server on Linux 2019.2 through 2019.2.4
  • Tableau Server on Linux 2019.3 through 2019.3

  • Tableau Server on Windows 2019.1 through 2019.1.8
  • Tableau Server on Windows 2019.2 through 2019.2.4
  • Tableau Server on Windows 2019.3 through 2019.3

Resolved in versions:

  • Tableau Server on Linux 2019.1.9
  • Tableau Server on Linux 2019.2.5
  • Tableau Server on Linux 2019.3.1

  • Tableau Server on Windows 2019.1.9
  • Tableau Server on Windows 2019.2.5
  • Tableau Server on Windows 2019.3.1

 

Tableau Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Prep

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Reader

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Highest overall severity: Medium

 

Summary:

In certain circumstances, a flow may attempt to use the wrong authentication value when connecting to a datasource.

 

Impact:

The flow will fail to run. The authentication values will be sent to the wrong datasource. This can happen in both Tableau Prep Builder and Tableau Prep Conductor.

 


Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep Builder | Tableau Reader | Tableau Mobile | Tableau Public Desktop
Versions that are no longer supported are not tested and may be vulnerable.

 

Tableau Server

Severity: Medium
CVSS3 Score: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N - 5.7 Medium

 

Product Specific Notes:

This only affects Tableau Server with the Data Management Add-On. The wrong authentication value can come from a flow published to a different site on Tableau Server than the site that the current flow is published on.

 

Vulnerable versions:

  • Tableau Server on Linux 2019.1.0 through 2019.1.8
  • Tableau Server on Linux 2019.2.0 through 2019.2.4
  • Tableau Server on Linux 2019.3.0 through 2019.3.0

  • Tableau Server on Windows 2019.1.0 through 2019.1.8
  • Tableau Server on Windows 2019.2.0 through 2019.2.4
  • Tableau Server on Windows 2019.3.0 through 2019.3.0

 

Resolved in versions:

  • Tableau Server on Linux 2019.1.9
  • Tableau Server on Linux 2019.2.5
  • Tableau Server on Linux 2019.3.1

  • Tableau Server on Windows 2019.1.9
  • Tableau Server on Windows 2019.2.5
  • Tableau Server on Windows 2019.3.1

 

Tableau Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Prep Builder

Severity: Medium
CVSS3 Score: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N - 6.5 Medium

 

Product Specific Notes:

A user who opens a malicious flow must authenticate to datasources before this vulnerability can be triggered.

 

Vulnerable versions:

  • Tableau Prep Builder on Mac 2018.1.1 through 2019.3.2

  • Tableau Prep Builder on Windows 2018.1.1 through 2019.3.2

 

Resolved in versions:

  • Tableau Prep Builder on Mac 2019.4.1

 

  • Tableau Prep Builder on Windows 2019.4.1

 

Tableau Reader

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Highest overall severity: Medium

 

Summary:

HTML characters are not properly encoded in emails sent to users for data-driven Alerts.

 

Impact:

A Tableau user can craft phishing emails to other Tableau Server users.

 

Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep | Tableau Reader | Tableau Mobile | Tableau Public Desktop
*Versions that are no longer supported are not tested and may be vulnerable.

 

Tableau Server

Severity: Medium
CVSS3 Score: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N - 4.3 Medium
Product Specific Notes: None.

Vulnerable versions:

  • Tableau Server on Linux 2019.1 through 2019.1.8
  • Tableau Server on Linux 2019.2 through 2019.2.4
  • Tableau Server on Linux 2019.3 through 2019.3.0

  • Tableau Server on Windows 2019.1 through 2019.1.8
  • Tableau Server on Windows 2019.2 through 2019.2.4
  • Tableau Server on Windows 2019.3 through 2019.3.0

Resolved in versions:

  • Tableau Server on Linux 2019.1.9
  • Tableau Server on Linux 2019.2.5
  • Tableau Server on Linux 2019.3.1

  • Tableau Server on Windows 2019.1.9
  • Tableau Server on Windows 2019.2.5
  • Tableau Server on Windows 2019.3.1

 

Tableau Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Prep

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Reader

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Highest overall severity: Low

 

Summary:

The API used to update a user's profile image does not protect the user from cross-site request forgery.

 

Impact:

An attacker who is able to persuade a victim to visit a malicious website can change the victim's profile picture on Tableau Server.

 

Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep | Tableau Reader | Tableau Mobile | Tableau Public Desktop
*Versions that are no longer supported are not tested and may be vulnerable.

 

Tableau Server

Severity: Low
CVSS3 Score: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N - 3.7 Low
Product Specific Notes: None.

Vulnerable versions:

  • Tableau Server on Linux 10.5 through 10.5.20
  • Tableau Server on Linux 2018.1 through 2018.1.17
  • Tableau Server on Linux 2018.2 through 2018.2.14
  • Tableau Server on Linux 2018.3 through 2018.3.11
  • Tableau Server on Linux 2019.1 through 2019.1.8
  • Tableau Server on Linux 2019.2 through 2019.2.4
  • Tableau Server on Linux 2019.3 through 2019.3.0

  • Tableau Server on Windows 10.5 through 10.5.20
  • Tableau Server on Windows 2018.1 through 2018.1.17
  • Tableau Server on Windows 2018.2 through 2018.2.14
  • Tableau Server on Windows 2018.3 through 2018.3.11
  • Tableau Server on Windows 2019.1 through 2019.1.8
  • Tableau Server on Windows 2019.2 through 2019.2.4
  • Tableau Server on Windows 2019.3 through 2019.3.0

Resolved in versions:

  • Tableau Server on Linux 10.5.21
  • Tableau Server on Linux 2018.1.18
  • Tableau Server on Linux 2018.2.15
  • Tableau Server on Linux 2018.3.12
  • Tableau Server on Linux 2019.1.9
  • Tableau Server on Linux 2019.2.5
  • Tableau Server on Linux 2019.3.1

  • Tableau Server on Windows 10.5.21
  • Tableau Server on Windows 2018.1.18
  • Tableau Server on Windows 2018.2.15
  • Tableau Server on Windows 2018.3.12
  • Tableau Server on Windows 2019.1.9
  • Tableau Server on Windows 2019.2.5
  • Tableau Server on Windows 2019.3.1

 

Tableau Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Prep

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Reader

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Highest overall severity: High

 

Summary:

When creating Box datasources with Web Authoring, certain calls to Box are proxied through Tableau Server. Tableau Server does not properly validate all calls and as a result, malicious calls can be directed to locations other than Box.

 

Impact:

An authenticated Tableau Server user can cause Tableau Server to perform GET requests to arbitrary locations. Information that is authorized for access by Tableau Server (but not for the user) may be returned, resulting in information disclosure.

 

Mitigation:

This vulnerability can be mitigated by setting the features.VizqlServerCORSProxy flag to false. Setting this flag to false will prevent the creation of new Box datasources in Web Authoring. To set the features.VizqlServerCORSProxy flag to false, run the following commands:

tsm configuration set -k features.VizqlServerCORSProxy -v false

tsm pending-changes apply


Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep Builder | Tableau Reader | Tableau Mobile | Tableau Public Desktop
Versions that are no longer supported are not tested and may be vulnerable.

 

Tableau Server

Severity: High
CVSS3 Score: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N - 7.7 High
Product Specific Notes: None

Vulnerable versions:

  • Tableau Server on Linux 2019.1 through 2019.1.8
  • Tableau Server on Linux 2019.2 through 2019.2.4
  • Tableau Server on Linux 2019.3 through 2019.3.0

  • Tableau Server on Windows 2019.1 through 2019.1.8
  • Tableau Server on Windows 2019.2 through 2019.2.4
  • Tableau Server on Windows 2019.3 through 2019.3.0

Resolved in versions:

  • Tableau Server on Linux 2019.1.9
  • Tableau Server on Linux 2019.2.5
  • Tableau Server on Linux 2019.3.1

  • Tableau Server on Windows 2019.1.9
  • Tableau Server on Windows 2019.2.5
  • Tableau Server on Windows 2019.3.1

 

Tableau Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Prep

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Reader

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Highest overall severity: Medium

 

Summary:

HTML characters are not properly encoded in emails sent to users who are tagged in comments.

 

Impact:

A Tableau user can craft phishing emails to other Tableau Server users.

 

Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep | Tableau Reader | Tableau Mobile | Tableau Public Desktop
*Versions that are no longer supported are not tested and may be vulnerable.

 

Tableau Server

Severity: Medium
CVSS3 Score: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N - 4.3 Medium
Product Specific Notes: None.

Vulnerable versions:

  • Tableau Server on Linux 2018.2 through 2018.2.14
  • Tableau Server on Linux 2018.3 through 2018.3.11
  • Tableau Server on Linux 2019.1 through 2019.1.8
  • Tableau Server on Linux 2019.2 through 2019.2.4
  • Tableau Server on Linux 2019.3 through 2019.3.0

  • Tableau Server on Windows 2018.2 through 2018.2.14
  • Tableau Server on Windows 2018.3 through 2018.3.11
  • Tableau Server on Windows 2019.1 through 2019.1.8
  • Tableau Server on Windows 2019.2 through 2019.2.4
  • Tableau Server on Windows 2019.3 through 2019.3.0

Resolved in versions:

  • Tableau Server on Linux 2018.2.15
  • Tableau Server on Linux 2018.3.12
  • Tableau Server on Linux 2019.1.9
  • Tableau Server on Linux 2019.2.5
  • Tableau Server on Linux 2019.3.1

  • Tableau Server on Windows 2018.2.15
  • Tableau Server on Windows 2018.3.12
  • Tableau Server on Windows 2019.1.9
  • Tableau Server on Windows 2019.2.5
  • Tableau Server on Windows 2019.3.1

 

Tableau Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Prep

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Reader

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Highest overall severity: Medium

 

Summary:

The vizqlserver.script.disabled configuration option has no effect on Tableau Server.

 

Impact:

A Tableau Server instance that has external services configured but script.disabled set to true will still permit workbooks with custom scripts to execute.

 

Mitigation:

No fixes are planned for versions prior to 2019.3.

 

To mitigate this issue, remove the port and host names from the configured external service.

 

For Tableau Server on Windows versions 10.3 through 2018.1, run the following commands:

tabadmin set vizqlserver.extsvc.host ""

tabadmin set vizqlserver.extsvc.port ""

tabadmin restart

 

For Tableau Server (Windows or Linux) 2018.2 and 2018.3, run the following commands:

tsm configuration set -k vizqlserver.extsvc.host -v ""

tsm configuration set -k vizqlserver.extsvc.port -v ""

tsm pending-changes apply

 

For Tableau Server (Windows or Linux) 2019.1 and later, run the following commands:

tsm security vizql-extsvc-ssl disable

tsm pending-changes apply

 

Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep | Tableau Reader | Tableau Mobile | Tableau Public Desktop
*Versions that are no longer supported are not tested and may be vulnerable.

 

Tableau Server

Severity: Medium
CVSS3 Score: AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L - 5.0 Medium
Product Specific Notes: None.

Vulnerable versions:

  • Tableau Server on Linux 10.5 through 10.5.X - will not be fixed
  • Tableau Server on Linux 2018.1 through 2018.1.X - will not be fixed
  • Tableau Server on Linux 2018.2 through 2018.2.X - will not be fixed
  • Tableau Server on Linux 2018.3 through 2018.3.X - will not be fixed
  • Tableau Server on Linux 2019.1 through 2019.1.X - will not be fixed
  • Tableau Server on Linux 2019.2 through 2019.2.X - will not be fixed
  • Tableau Server on Linux 2019.3 through 2019.3.0

  • Tableau Server on Windows 10.3 through 10.3.X - will not be fixed
  • Tableau Server on Windows 10.4 through 10.4.X - will not be fixed
  • Tableau Server on Windows 10.5 through 10.5.X - will not be fixed
  • Tableau Server on Windows 2018.1 through 2018.1.X - will not be fixed
  • Tableau Server on Windows 2018.2 through 2018.2.X - will not be fixed
  • Tableau Server on Windows 2018.3 through 2018.3.X - will not be fixed
  • Tableau Server on Windows 2019.1 through 2019.1.X - will not be fixed
  • Tableau Server on Windows 2019.2 through 2019.2.X - will not be fixed
  • Tableau Server on Windows 2019.3 through 2019.3.0

 

Resolved in versions:

  • Tableau Server on Linux 2019.3.1

  • Tableau Server on Windows 2019.3.1

Tableau Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Prep

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Reader

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Highest overall severity: Medium

 

Summary:

When importing a site into a Tableau Server 2019.2 instance that is running a version prior to 2019.2.3, the permissions templates applied to the content of the new site may be incorrect.

 

Impact:

Users on the new site may not have permissions on the content as they did in the original site. Incorrect permissions may be inherited on existing content such that users have more access than they did in the original site. Additionally, when users create new content on the site, incorrect permissions may be applied similarly: the permissions may give users more access than intended.

 

Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep | Tableau Reader | Tableau Mobile | Tableau Public Desktop
*Versions that are no longer supported are not tested and may be vulnerable.

 

Tableau Server

Severity: Medium
CVSS3 Score: AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N - 4.2 Medium
Product Specific Notes: None.

Vulnerable versions:

  • Tableau Server on Linux 2019.2.0 through 2019.2.2

  • Tableau Server on Windows 2019.2.0 through 2019.2.2

 

Resolved in versions:

  • Tableau Server on Linux 2019.2.3

  • Tableau Server on Windows 2019.2.3

 

Tableau Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Prep

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Reader

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Highest overall severity: Medium

 

Summary:

Tableau Server fails to properly validate the path that is presented on an embedded view authentication page.

 

Impact:

A Tableau Server user who clicks on a malicious link and completes a login will be redirected to an attacker-controlled location.
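An added example, not Tableau's code: one way a server can validate a post-login redirect path of the kind described in this bulletin and in the embedded authentication redirect bulletin earlier on this page, and HTML-encode the value before it is shown on the page. The function names and sample paths are hypothetical.

```python
"""Validate a post-login redirect target and encode it for display.

Added illustration; function names and sample paths are hypothetical and
are not taken from Tableau Server.
"""
import html
from urllib.parse import unquote, urlsplit

DEFAULT_PATH = "/"


def _is_local_path(candidate: str) -> bool:
    """True only for an absolute path on this origin (no scheme, no host)."""
    # Browsers treat a backslash like "/", so "/\host" behaves like "//host".
    if "\\" in candidate:
        return False
    # Browsers strip tabs and newlines before parsing, so a control
    # character between two slashes can hide a "//host" target.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in candidate):
        return False
    # Exactly one leading "/": "//host" is a scheme-relative URL.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return False
    parts = urlsplit(candidate)
    return not parts.scheme and not parts.netloc


def safe_redirect_path(target, default: str = DEFAULT_PATH) -> str:
    """Return target if it stays on this origin, otherwise the default path."""
    if not isinstance(target, str) or not target:
        return default
    # Check both the raw value and its percent-decoded form, so encoded
    # slashes or backslashes cannot slip past the checks above.
    if _is_local_path(target) and _is_local_path(unquote(target)):
        return target
    return default


def render_continue_link(target) -> str:
    """Build the link shown on the redirect page, HTML-encoding the path."""
    path = html.escape(safe_redirect_path(target), quote=True)
    return '<a href="{0}">Continue to {0}</a>'.format(path)


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in (
        "/views/Sales/Overview?tab=1",
        "//evil.example/login",
        "https://evil.example/",
        "/%2f%2fevil.example",
        "/\\evil.example",
    ):
        print(repr(sample), "->", safe_redirect_path(sample))
```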

 

Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep | Tableau Reader | Tableau Mobile | Tableau Public Desktop
*Versions that are no longer supported are not tested and may be vulnerable.

 

Tableau Server

Severity: Medium
CVSS3 Score: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N - 4.3 Medium
Product Specific Notes: None.

 

Vulnerable versions:

  • Tableau Server on Linux 10.5 through 10.5.19
  • Tableau Server on Linux 2018.1 through 2018.1.16
  • Tableau Server on Linux 2018.2 through 2018.2.13
  • Tableau Server on Linux 2018.3 through 2018.3.10
  • Tableau Server on Linux 2019.1 through 2019.1.7
  • Tableau Server on Linux 2019.2 through 2019.2.3
  • Tableau Server on Linux 2019.3

  • Tableau Server on Windows 10.3 through 10.3.24
  • Tableau Server on Windows 10.4 through 10.4.20
  • Tableau Server on Windows 10.5 through 10.5.19
  • Tableau Server on Windows 2018.1 through 2018.1.16
  • Tableau Server on Windows 2018.2 through 2018.2.13
  • Tableau Server on Windows 2018.3 through 2018.3.10
  • Tableau Server on Windows 2019.1 through 2019.1.7
  • Tableau Server on Windows 2019.2 through 2019.2.3
  • Tableau Server on Windows 2019.3

 

Resolved in versions:

  • Tableau Server on Linux 10.5.20
  • Tableau Server on Linux 2018.1.17
  • Tableau Server on Linux 2018.2.14
  • Tableau Server on Linux 2018.3.11
  • Tableau Server on Linux 2019.1.8
  • Tableau Server on Linux 2019.2.4
  • Tableau Server on Linux 2019.3.1

  • Tableau Server on Windows 10.3.25
  • Tableau Server on Windows 10.4.21
  • Tableau Server on Windows 10.5.20
  • Tableau Server on Windows 2018.1.17
  • Tableau Server on Windows 2018.2.14
  • Tableau Server on Windows 2018.3.11
  • Tableau Server on Windows 2019.1.8
  • Tableau Server on Windows 2019.2.4
  • Tableau Server on Windows 2019.3.1

 

Tableau Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Prep

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Reader

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.