Severity: Medium

 

Summary: Under certain conditions, information prepared for one user might be displayed to another user. For this problem to occur, both users must be looking at the same view, the view must be connected to a data source that returns different attribute values for each user, and the view must not have any user filters or user-specific calculations.

 

Vulnerable Versions: Tableau Server 9.1.0 (through 9.1.12), 9.2.0 (through 9.2.10), 9.3.0 (through 9.3.5), 10.0.0

 

Resolution: The issue can be fixed by upgrading to the following Tableau Server versions:

  • Tableau Server 9.1.13

  • Tableau Server 9.2.11

  • Tableau Server 9.3.6

  • Tableau Server 10.0.1
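The version ranges above can be checked across a server inventory with a short script. The following is an added example, not code from Tableau: the function names and the sample inventory are constructed, and it assumes versions are recorded as three-part product versions such as 9.3.5. Branches the advisory does not name are reported for manual review rather than treated as safe.

```python
import re

# First fixed patch release per branch, taken from the advisory's Resolution list.
# Releases from x.y.0 up to the one before it are the listed vulnerable range.
FIXED_PATCH = {(9, 1): 13, (9, 2): 11, (9, 3): 6, (10, 0): 1}

_VERSION = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\s*$")


def triage(version):
    """Classify a 'major.minor.patch' string against the advisory.

    Returns (status, first_fixed_version). status is one of:
      'vulnerable'  - inside a listed vulnerable range
      'fixed'       - at or above the fixed release of a listed branch (assumption:
                      later patch releases in the branch keep the fix)
      'not-listed'  - branch not named in the advisory; it makes no claim either way
      'unparseable' - not a three-part numeric version
    """
    m = _VERSION.match(version)
    if not m:
        return ("unparseable", None)
    major, minor, patch = map(int, m.groups())
    fixed_patch = FIXED_PATCH.get((major, minor))
    if fixed_patch is None:
        return ("not-listed", None)
    status = "vulnerable" if patch < fixed_patch else "fixed"
    return (status, f"{major}.{minor}.{fixed_patch}")


def upgrade_plan(inventory):
    """Split {host: version} into hosts to upgrade and hosts needing manual review."""
    upgrade, review = {}, []
    for host, version in sorted(inventory.items()):
        status, target = triage(version)
        if status == "vulnerable":
            upgrade[host] = target
        elif status in ("not-listed", "unparseable"):
            review.append(host)
    return upgrade, review


# Constructed inventory: host names and versions are made up for this example.
SAMPLE_INVENTORY = {
    "tableau-prod": "9.3.5", "tableau-dev": "10.0.0", "tableau-dr": "9.2.11",
    "tableau-old": "9.0.4", "tableau-lab": "10.0",
}

if __name__ == "__main__":
    print(upgrade_plan(SAMPLE_INVENTORY))
```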

 

Workaround: Customers whose deployment meets the conditions of the vulnerability should upgrade to a non-vulnerable version as soon as possible.

 

 

As a temporary measure, you can use either of the following mitigations:

  • Use the following command to disable the model cache on Tableau Server:

tabadmin set vizqlserver.modelcachesize 0

 

This change might impact the performance of Tableau Server, so we recommend reverting this setting after installing the Tableau upgrade.

 

Acknowledgement: This vulnerability was reported to Tableau by a customer.