Summary: An unauthenticated remote attacker can send a specially crafted message that results in the disclosure of information from Tableau Server. Customers should upgrade to a non-vulnerable version of Tableau Server as soon as possible. The latest versions of Tableau Server are available from the Customer Portal or Alternate Download Site. For information about how to upgrade, see Upgrading Tableau Server in the Tableau Knowledge Base. See the Workarounds section below for additional workarounds.
Vulnerable Versions: 9.1.0 (through 9.1.10), 9.2.0 (through 9.2.8), 9.3.0 (through 9.3.2)
Workarounds: The temporary resolution of disabling the REST API only works in Tableau Server 9.3 versions. The tabadmin commands to disable the REST API in 9.1 and 9.2 versions do not actually disable the REST API. The recommendation for 9.1 and 9.2 is to upgrade to a non-vulnerable version.
As a temporary workaround, for versions 9.3.2 and earlier, customers can disable the REST API using the following sequence of tabadmin commands:
1. tabadmin stop
2. tabadmin set api.server.enabled false
3. tabadmin config
4. tabadmin restart
After upgrading to the latest version of Tableau Server, re-enable the REST API.
Resolution: The issue can be fixed by upgrading to the following Tableau Server versions:
Tableau Server 9.1.11
Tableau Server 9.2.9
Tableau Server 9.3.3
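
To triage an inventory of servers against the ranges above, the following added example (not part of the original advisory or any Tableau tooling) classifies each version string and reports whether the REST API workaround applies. The host names are hypothetical, and treating patch releases later than the fixed one as fixed is an assumption.

```python
import re

# Copied from the advisory: branch -> (last vulnerable patch level, fixed release).
ADVISORY = {
    (9, 1): (10, "9.1.11"),
    (9, 2): (8, "9.2.9"),
    (9, 3): (2, "9.3.3"),
}
# The advisory states the REST API workaround only takes effect on 9.3.
WORKAROUND_BRANCHES = {(9, 3)}


def triage(version):
    """Classify one Tableau Server version string against the advisory."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\s*", version)
    if not m:
        return {"version": version, "status": "unparseable", "action": "check manually"}
    major, minor, patch = (int(g) for g in m.groups())
    branch = (major, minor)
    if branch not in ADVISORY:
        # The advisory says nothing about other branches, so do not guess.
        return {"version": version, "status": "not listed", "action": "check manually"}
    last_vulnerable, fixed = ADVISORY[branch]
    if patch > last_vulnerable:
        # Assumption: later patch releases on a branch keep the fix.
        return {"version": version, "status": "fixed", "action": "none"}
    action = "upgrade to " + fixed
    if branch in WORKAROUND_BRANCHES:
        action += "; until then disable the REST API (api.server.enabled false)"
    else:
        action += "; REST API workaround is not effective on this branch"
    return {"version": version, "status": "vulnerable", "action": action}


def triage_inventory(inventory):
    """Map host -> triage result for a {host: version} inventory."""
    return {host: triage(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; host names are hypothetical.
    sample = {"bi-prod": "9.1.10", "bi-test": "9.2.9", "bi-dev": "9.3.2", "bi-old": "9.0.4"}
    for host, result in triage_inventory(sample).items():
        print(host, result["version"], result["status"], "-", result["action"])
```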