Summary: The Tableau Server fails to scope the permission check for some resource requests when the requests are from a site administrator.
Impact: A site administrator from one site may view limited metadata (e.g., workbook names) of resources stored on another site on the same Tableau Server.
Vulnerable Versions: Tableau Server 9.0 (through 9.0.21), 9.1 (through 9.1.17), 9.2 (through 9.2.16), 9.3 (through 9.3.13), 10.0 (through 10.0.7), 10.1 (through 10.1.5), 10.2 (through 10.2.0)
Conditions: The user must be a Site Administrator on the server and the resource must be associated with a scheduled task.
Resolution: The issue can be fixed by upgrading to the following Tableau Server versions:
Tableau Server 9.0.22
Tableau Server 9.1.18
Tableau Server 9.2.17
Tableau Server 9.3.14
Tableau Server 10.0.8
Tableau Server 10.1.6
Tableau Server 10.2.1
The remediation for this vulnerability is not yet available for Tableau Server 10.2. The remediation will be included in a future 10.2 maintenance release. This vulnerability disclosure will be updated when the 10.2 fix is released.