Severity: Medium


Summary: On Tableau Server, the administrative view, ‘‘Who has seen this view?,’’ is a link that is displayed to users who publish views. The underlying URL can be manipulated to disclose metadata for all workbooks on the current site, regardless of the current user’s permissions.


Impact: Any Tableau Server user who has View role can construct a URL to view the usernames, sheet names, and view counts for workbooks on the current site.


Vulnerable Versions:Tableau Server 8.3 (through 8.3.18), 9.0 (through 9.0.21), 9.1 (through 9.1.17), 9.2 (through 9.2.16), 9.3 (through 9.3.13), 10.0 (through 10.0.7), 10.1 (through 10.1.5)


Resolution: The issue can be fixed by upgrading to the following Tableau Server versions:

Tableau Server 8.3.19

Tableau Server 9.0.22

Tableau Server 9.1.18

Tableau Server 9.2.17

Tableau Server 9.3.14

Tableau Server 10.0.8

Tableau Server 10.1.6