2017

Severity: Medium

Summary: On Tableau Server, the administrative view “Who has seen this view?” is displayed as a link to users who publish views. The underlying URL can be manipulated to disclose metadata for all workbooks on the current site, regardless of the current user’s permissions.

Impact: Any Tableau Server user with the View role can construct a URL that reveals the usernames, sheet names, and view counts for workbooks on the current site.

Vulnerable Versions: Tableau Server 8.3 (through 8.3.18), 9.0 (through 9.0.21), 9.1 (through 9.1.17), 9.2 (through 9.2.16), 9.3 (through 9.3.13), 10.0 (through 10.0.7), 10.1 (through 10.1.5)

Resolution: The issue can be fixed by upgrading to the following Tableau Server versions:

Tableau Server 8.3.19

Tableau Server 9.0.22

Tableau Server 9.1.18

Tableau Server 9.2.17

Tableau Server 9.3.14

Tableau Server 10.0.8

Tableau Server 10.1.6

Summary: Tableau Software security engineering has confirmed that no version of Tableau Server, current or previous, is impacted by CVE-2017-5638.

NVD Announcement: CVE-2017-5638

Summary: Tableau Software security engineering has confirmed that no version of Tableau Server, current or previous, is impacted by CVE-2016-3081.

NVD Announcement for CVE-2016-3081

Severity: Medium

Summary: Trusted authentication (trusted tickets) on Tableau Server allows authenticated REST API calls to access restricted content.

In the default configuration, users authenticated with trusted tickets have restricted access such that only views are available. Access to workbooks, project pages, or other content hosted on the server is restricted.

Impact: A REST API session established with a restricted trusted ticket is able to perform more actions on Tableau Server than documented. However, all actions are scoped to the access that the account is authorized for.

Vulnerable Versions: Tableau Server 9.0 (through 9.0.21), 9.1 (through 9.1.17), 9.2 (through 9.2.16), 9.3 (through 9.3.13), 10.0 (through 10.0.7), 10.1 (through 10.1.5), 10.2 (through 10.2.0)

Conditions: The REST API must be enabled. The server must be configured for trusted authentication.

Resolution: The issue can be fixed by upgrading to the following Tableau Server versions:

Tableau Server 9.0.22

Tableau Server 9.1.18

Tableau Server 9.2.17

Tableau Server 9.3.14

Tableau Server 10.0.8

Tableau Server 10.1.6

The remediation for this vulnerability is not yet available for Tableau Server 10.2. The remediation will be included in a future 10.2 maintenance release. This vulnerability disclosure will be updated when the 10.2 fix is released.

Severity: Medium

Summary: Tableau Server fails to scope the permission check for some resource requests when those requests come from a site administrator.

Impact: A site administrator from one site may view limited metadata (e.g., workbook names) of resources stored on another site on the same Tableau Server.

Vulnerable Versions: Tableau Server 9.0 (through 9.0.21), 9.1 (through 9.1.17), 9.2 (through 9.2.16), 9.3 (through 9.3.13), 10.0 (through 10.0.7), 10.1 (through 10.1.5), 10.2 (through 10.2.0)

Conditions: The user must be a Site Administrator on the server and the resource must be associated with a scheduled task.

Resolution: The issue can be fixed by upgrading to the following Tableau Server versions:

Tableau Server 9.0.22

Tableau Server 9.1.18

Tableau Server 9.2.17

Tableau Server 9.3.14

Tableau Server 10.0.8

Tableau Server 10.1.6

Tableau Server 10.2.1

The remediation for this vulnerability is not yet available for Tableau Server 10.2. The remediation will be included in a future 10.2 maintenance release. This vulnerability disclosure will be updated when the 10.2 fix is released.

Severity: Medium

Summary: Tableau Server contains an open redirect vulnerability that could allow a user to be redirected to an untrusted site.

Impact: The vulnerability can allow an attacker to redirect the user to a malicious web site.

Vulnerable Versions: Tableau Server 9.0 (through 9.0.21), 9.1 (through 9.1.17), 9.2 (through 9.2.16), 9.3 (through 9.3.13), 10.0 (through 10.0.7), 10.1 (through 10.1.5), 10.2.0

Resolution: The issue can be fixed by upgrading to the following Tableau Server versions:

Tableau Server 9.0.22

Tableau Server 9.1.18

Tableau Server 9.2.17

Tableau Server 9.3.14

Tableau Server 10.0.8

Tableau Server 10.1.6

Tableau Server 10.2.1

The remediation for this vulnerability is not yet available for Tableau Server 10.2. The remediation will be included in a future 10.2 maintenance release. This vulnerability disclosure will be updated when the 10.2 fix is released.