Severity: Critical


Summary: Unauthenticated users can craft requests that will execute arbitrary SQL statements in the repository (Postgres) database on Tableau Server.


Impact: A remote attacker could exploit this vulnerability to gain administrative access to Tableau Server.


Vulnerable Versions: Tableau Server 9.2 (through 9.2.17), 9.3 (through 9.3.14), 10.0 (through 10.0.9), 10.1 (through 10.1.7), 10.2 (through 10.2.1).


Mitigation: To mitigate this vulnerability, run the following tabadmin commands:

tabadmin stop

tabadmin set vizqlserver.httprequests.logging.threads 0

tabadmin configure

tabadmin start


Resolution: The issue can be fixed by upgrading to the following Tableau Server versions:

Tableau Server: 9.2.18

Tableau Server: 9.3.15

Tableau Server: 10.0.10

Tableau Server: 10.1.8

Tableau Server: 10.2.2
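
Added example (not part of the original advisory and not Tableau code): a small Python check that classifies installed Tableau Server versions against the vulnerable ranges and fixed releases listed above. The function names, the sample hostnames and the treatment of a two-part version such as "10.1" as the .0 release are assumptions made for illustration.

```python
import re

# From the advisory: branch -> (last vulnerable release, first fixed release).
ADVISORY = {
    (9, 2): (17, 18),
    (9, 3): (14, 15),
    (10, 0): (9, 10),
    (10, 1): (7, 8),
    (10, 2): (1, 2),
}

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?\s*$")


def classify(version):
    """Return (status, fixed_version) for a Tableau Server version string.

    status is "vulnerable", "fixed", "not-listed" (branch not named in the
    advisory, so no conclusion is drawn here) or "unparseable".
    """
    m = _VERSION_RE.match(version)
    if not m:
        return ("unparseable", None)
    major, minor = int(m.group(1)), int(m.group(2))
    # Assumption: "10.1" with no maintenance number means the .0 release.
    patch = int(m.group(3) or 0)
    branch = ADVISORY.get((major, minor))
    if branch is None:
        return ("not-listed", None)
    last_vulnerable, first_fixed = branch
    fixed = f"{major}.{minor}.{first_fixed}"
    # Compare as integers: as strings, "10.0.10" sorts before "10.0.9".
    if patch <= last_vulnerable:
        return ("vulnerable", fixed)
    return ("fixed", fixed)


def triage(inventory):
    """Map {host: version} to the hosts that need action or manual review."""
    results = {host: classify(ver) for host, ver in inventory.items()}
    return {h: r for h, r in results.items()
            if r[0] in ("vulnerable", "unparseable")}


if __name__ == "__main__":
    # Constructed inventory; hostnames are placeholders.
    sample = {"tab-a": "10.0.9", "tab-b": "10.0.10", "tab-c": "9.3.2"}
    for host, (status, fixed) in triage(sample).items():
        print(host, status, fixed)
```

A "not-listed" result only means the advisory does not name that branch; it says nothing about whether the release is affected.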