Severity: Critical

 

Summary: Unauthenticated users can craft requests that will execute arbitrary SQL statements in the repository (Postgres) database on Tableau Server.

 

Impact: This vulnerability could allow remote attackers to gain administrative access to Tableau Server.

 

Vulnerable Versions: Tableau Server 9.2 (through 9.2.17), 9.3 (through 9.3.14), 10.0 (through 10.0.9), 10.1 (through 10.1.7), 10.2 (through 10.2.1).

 

Mitigation: To mitigate this vulnerability, run the following tabadmin commands:

tabadmin stop

tabadmin set vizqlserver.httprequests.logging.threads 0

tabadmin configure

tabadmin start

 

Resolution: The issue can be fixed by upgrading to the following Tableau Server versions:

Tableau Server: 9.2.18

Tableau Server: 9.3.15

Tableau Server: 10.0.10

Tableau Server: 10.1.8

Tableau Server: 10.2.2
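
Added example (not part of the original advisory and not Tableau code): a small inventory check that classifies recorded Tableau Server versions against the vulnerable ranges and fixed releases listed above. The host names and sample inventory are constructed, and it assumes versions are recorded as plain major.minor[.maintenance] strings; branches the advisory does not list are reported as "not-listed" rather than assumed safe.

```python
import re

# First fixed maintenance release per branch, from the advisory's Resolution list.
# Every earlier maintenance release in the same branch is in the vulnerable range.
FIXED = {(9, 2): 18, (9, 3): 15, (10, 0): 10, (10, 1): 8, (10, 2): 2}

VERSION_RE = re.compile(r"\s*(\d+)\.(\d+)(?:\.(\d+))?\s*")


def triage(version):
    """Return (status, upgrade_target) for one Tableau Server version string."""
    m = VERSION_RE.fullmatch(version)
    if not m:
        return ("unparseable", None)
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3) or 0)  # "10.2" is treated as 10.2.0
    fixed = FIXED.get((major, minor))
    if fixed is None:
        # The advisory says nothing about this branch: flag for manual review.
        return ("not-listed", None)
    if patch < fixed:
        return ("vulnerable", f"{major}.{minor}.{fixed}")
    return ("fixed", None)


def triage_inventory(inventory):
    """Map each host to its triage result."""
    return {host: triage(version) for host, version in inventory.items()}


# Constructed sample inventory (hypothetical host names).
SAMPLE_INVENTORY = {
    "tableau-prod-01": "10.1.7",
    "tableau-prod-02": "10.1.8",
    "tableau-dev-01": "10.2",
    "tableau-legacy": "9.1.4",
    "tableau-lab": "unknown",
}

if __name__ == "__main__":
    for host, (status, target) in triage_inventory(SAMPLE_INVENTORY).items():
        action = f"upgrade to {target} or apply the mitigation" if target else "-"
        print(f"{host:16} {status:12} {action}")
```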