Summary: Unauthenticated users can craft requests that will execute arbitrary SQL statements in the repository (Postgres) database on Tableau Server.
Impact: This vulnerability could allow a remote attacker to gain administrative access to Tableau Server.
Vulnerable Versions: Tableau Server 9.2 (through 9.2.17), 9.3 (through 9.3.14), 10.0 (through 10.0.9), 10.1 (through 10.1.7), 10.2 (through 10.2.1).
Mitigation: To mitigate this vulnerability, run the following tabadmin commands:
tabadmin set vizqlserver.httprequests.logging.threads 0
Resolution: The issue can be fixed by upgrading to the following Tableau Server versions:
Tableau Server: 9.2.18
Tableau Server: 9.3.15
Tableau Server: 10.0.10
Tableau Server: 10.1.8
Tableau Server: 10.2.2