[Important] ADV-2017-013: Unauthenticated privilege escalation when Server SAML is configured on Tableau Server
Tableau Server is vulnerable to an unauthenticated privilege escalation under the following conditions:
The following configurations are NOT vulnerable:
For guidance on determining whether your organization is running a vulnerable configuration, see Questions and Answers regarding ADV-2017-013: Privilege escalation in Tableau Server.
Impact: An unauthenticated attacker can escalate their privilege to access resources with the permissions of other Tableau Server users.
Vulnerable Versions: Tableau Server 10.0.0 (through 10.0.10), 10.1.0 (through 10.1.8), 10.2.0 (through 10.2.2), 10.3.0
Resolution: The issue can be fixed by upgrading to the following Tableau Server versions:
Tableau Server: 10.0.11
Tableau Server: 10.1.9
Tableau Server: 10.2.3
Tableau Server: 10.3.1
Mitigation: If your Tableau Server instance is using one of the vulnerable configurations, and you are unable to upgrade to a fixed version now, see Questions and Answers regarding ADV-2017-013: Privilege escalation in Tableau Server.
Acknowledgement: Greg Harris of the Fitbit Security Team