Summary: Trusted authentication (trusted tickets) on Tableau Server allows authenticated REST API calls to access restricted content.
In the default configuration, users authenticated with trusted tickets have restricted access such that only views are available. Access to workbooks, project pages, or other content hosted on the server is restricted.
Impact: A REST API session established with a restricted trusted ticket is able to perform more actions on Tableau Server than documented. However, all actions are scoped to the access that the account is authorized for.
Vulnerable Versions: Tableau Server 9.0 (through 9.0.21), 9.1 (through 9.1.17), 9.2 (through 9.2.16), 9.3 (through 9.3.13), 10.0 (through 10.0.7), 10.1 (through 10.1.5), 10.2 (through 10.2.0)
Conditions: The REST API must be enabled. The server must be configured for trusted authentication.
Resolution: The issue can be fixed by upgrading to the following Tableau Server versions:
Tableau Server 9.0.22
Tableau Server 9.1.18
Tableau Server 9.2.17
Tableau Server 9.3.14
Tableau Server 10.0.8
Tableau Server 10.1.6
The remediation for this vulnerability is not yet available for Tableau Server 10.2. The remediation will be included in a future 10.2 maintenance release. This vulnerability disclosure will be updated when the 10.2 fix is released.