Severity: High

Summary: A vulnerability in the OpenSAML library (CVE-2013-6440) allows a remote unauthenticated attacker to conduct XML external entity (XXE) attacks against Tableau Server via a specially crafted XML DOCTYPE declaration.

Impact: Allows unauthorized disclosure of information. In an XXE attack the server-side XML parser, not the attacker, resolves the external entity, so content reachable by the Tableau Server process (local files, internal URLs) can be exposed without any valid credentials.

Vulnerable Versions: Tableau Server 8.2 (through 8.2.20), 8.3 (through 8.3.15), 9.0 (through 9.0.17), 9.1 (through 9.1.13), 9.2 (through 9.2.12), 9.3 (through 9.3.7), 10.0 (through 10.0.1)

Conditions: To be vulnerable, Tableau Server must be configured for server-wide SAML authentication. Site-specific SAML authentication is not affected by this vulnerability.
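The root cause is an XML parser that honors DOCTYPE declarations in untrusted SAML responses. The following is an added example, not Tableau or OpenSAML code: a standalone pre-filter that decodes a base64 SAMLResponse parameter and rejects any document carrying a DOCTYPE (internal subset or external DTD) before it reaches the SAML stack. In Java/JAXP terms the corresponding hardening is enabling the `http://apache.org/xml/features/disallow-doctype-decl` feature on the parser factory; the Python below expresses the same rule using expat's StartDoctypeDeclHandler. The sample responses, the `inspect_saml_response` and `contains_doctype` function names, and the `idp.example.com` issuer are all constructed for illustration.

```python
"""Reject SAML responses that carry a DOCTYPE before they reach the XML stack.

Added example for this advisory, not Tableau or OpenSAML code. The check is
parser-independent: it decodes the base64 SAMLResponse POST parameter and uses
expat's StartDoctypeDeclHandler to detect any DOCTYPE declaration, which is
the construct an XXE attack relies on. Sample responses below are constructed.
"""
import base64
import xml.parsers.expat


class _DoctypeSeen(Exception):
    """Raised from the expat handler to stop parsing as soon as a DOCTYPE appears."""


def contains_doctype(xml_bytes: bytes) -> bool:
    """Return True if the document declares a DOCTYPE (internal subset or external DTD).

    expat never fetches external entities unless an ExternalEntityRefHandler is
    installed (and parameter-entity parsing is off by default), so scanning
    with it here cannot itself trigger an XXE. Raises ExpatError on malformed XML.
    """
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # Any DOCTYPE at all is rejected; SAML messages never legitimately need one.
        raise _DoctypeSeen(name)

    parser.StartDoctypeDeclHandler = on_doctype
    try:
        parser.Parse(xml_bytes, True)
    except _DoctypeSeen:
        return True
    return False


def inspect_saml_response(saml_response_b64: str):
    """Return (accepted, reason) for a base64-encoded SAMLResponse parameter."""
    try:
        xml_bytes = base64.b64decode(saml_response_b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        return False, "invalid base64: %s" % exc
    try:
        if contains_doctype(xml_bytes):
            return False, "DOCTYPE declaration not allowed in SAML response"
    except xml.parsers.expat.ExpatError as exc:
        return False, "malformed XML: %s" % exc
    return True, "ok"


def encode(xml_bytes: bytes) -> str:
    """Base64-encode raw XML the way the HTTP-POST binding carries it."""
    return base64.b64encode(xml_bytes).decode("ascii")


# Constructed sample SAML responses (not captured from any real deployment).
BENIGN_RESPONSE = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    b'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_abc123" Version="2.0">'
    b'<saml:Issuer>https://idp.example.com/metadata</saml:Issuer>'
    b'</samlp:Response>'
)

# Same message with the DOCTYPE an XXE payload needs: an external entity
# declared in the internal subset and referenced from element content.
XXE_RESPONSE = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<!DOCTYPE Response [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
    b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    b'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_abc124" Version="2.0">'
    b'<saml:Issuer>&xxe;</saml:Issuer>'
    b'</samlp:Response>'
)

# External-DTD variant: no internal subset, but still a DOCTYPE.
EXTERNAL_DTD_RESPONSE = (
    b'<!DOCTYPE Response SYSTEM "http://idp.example.com/evil.dtd">'
    b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"/>'
)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_RESPONSE),
                       ("xxe", XXE_RESPONSE),
                       ("external-dtd", EXTERNAL_DTD_RESPONSE)):
        print(label, inspect_saml_response(encode(doc)))
```

Rejecting every DOCTYPE is deliberately coarse: SAML messages never carry one, and a blanket refusal closes both the internal-subset and external-DTD forms without having to reason about which entity types a particular parser expands.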

Resolution: The issue can be fixed by upgrading to the following Tableau Server versions:

Tableau Server 10.1
Tableau Server 10.0.2
Tableau Server 9.3.8
Tableau Server 9.2.13
Tableau Server 9.1.14
Tableau Server 9.0.18
Tableau Server 8.3.16
Tableau Server 8.2.21

Acknowledgement: This vulnerability was reported by Matias Brutti.