
[Informational] INF-2017-005: Extract Refreshes can unhide columns


Summary: If you have any extracts on Tableau Server with hidden columns, the columns become unhidden when the extract is refreshed.


This can lead to slower extract refreshes, larger extracts, slower viz performance, and previously hidden columns becoming visible to users.


See issue 670693 on


Versions Affected: Tableau Server 10.2.3, Tableau Desktop 10.2.3

[Important] ADV-2017-018: Privilege escalation when using Mutual SSL on Tableau Server


Severity: Critical


Summary: There is an authentication bypass vulnerability that allows an attacker to authenticate as a Tableau Server user of their choice.


The vulnerability is exploitable when the following conditions are true:

  • Tableau Server is configured for Mutual SSL authentication (authentication with client certificates)
  • The insecure HTTP port (default is port 80) is accessible to an attacker


Impact: An unauthenticated attacker can access Tableau Server as a Tableau Server user.


Vulnerable Versions: 9.1.0 (through 9.1.19), 9.2.0 (through 9.2.18), 9.3.0 (through 9.3.16), 10.0.0 (through 10.0.11), 10.1.0 (through 10.1.9), 10.2.0 (through 10.2.3), 10.3.0 (through 10.3.1)


Mitigation: Disable the insecure HTTP port (default is port 80) on the computer running Tableau Server.


Resolution: The issue can be fixed by upgrading to the following Tableau Server versions:

Tableau Server 9.1.20

Tableau Server 9.2.19

Tableau Server 9.3.17

Tableau Server 10.0.12

Tableau Server 10.1.10

Tableau Server 10.2.4

Tableau Server 10.3.2
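
To triage a fleet against ADV-2017-018, the following added example (not Tableau code) checks each server's version against the vulnerable ranges above and combines it with the two exploitability conditions. The inventory records, host names and function names are constructed for illustration; `http_port_reachable` is a helper for filling in the port flag from the network position you care about.

```python
import socket

# Last vulnerable maintenance release per branch, from "Vulnerable Versions" above.
LAST_VULNERABLE = {
    (9, 1): 19, (9, 2): 18, (9, 3): 16,
    (10, 0): 11, (10, 1): 9, (10, 2): 3, (10, 3): 1,
}

def parse_version(text):
    """Turn '10.2.3' into (10, 2, 3); a missing patch number counts as 0."""
    parts = [int(p) for p in text.strip().split(".")]
    if len(parts) not in (2, 3):
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))

def fixed_version(version):
    """Return the fixed release for a vulnerable version, else None."""
    major, minor, patch = parse_version(version)
    last_bad = LAST_VULNERABLE.get((major, minor))
    if last_bad is None or patch > last_bad:
        return None
    return f"{major}.{minor}.{last_bad + 1}"

def http_port_reachable(host, port=80, timeout=3.0):
    """True if a TCP connection to the insecure HTTP port succeeds from here."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def triage(version, mutual_ssl, http_open):
    """Classify one server against the advisory's conditions."""
    fix = fixed_version(version)
    if fix is None:
        return "not listed as vulnerable"
    if mutual_ssl and http_open:
        return f"exploitable: close HTTP port, upgrade to {fix}"
    return f"vulnerable version: upgrade to {fix}"

INVENTORY = [  # constructed: (hypothetical name, version, mutual SSL on, port 80 open)
    ("bi-prod", "10.2.3", True, True),
    ("bi-test", "9.3.16", True, False),
    ("bi-dev", "10.3.2", True, True),
]

if __name__ == "__main__":
    for name, version, mssl, http_open in INVENTORY:
        print(f"{name} ({version}): {triage(version, mssl, http_open)}")
```

Branches the advisory does not list are reported as "not listed as vulnerable", which reflects only what this advisory states about them.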

[Important] ADV-2017-016: REST API may trigger refresh extracts on the wrong site


Severity: Medium


Summary: In some cases REST API calls intended for one site will refresh an extract for a different site hosted on the Tableau Server.


Impact: An extract refresh on another site will be triggered. This results in unnecessary consumption of resources. In addition, workbook and data source names are disclosed to the site that initiated the refresh as a byproduct of the extract refresh.


Data from the extract or target data source are not disclosed.


Vulnerable Versions: 10.3.0 (through 10.3.1)


Mitigation: None


Resolution: The issue can be fixed by upgrading to the following Tableau Server versions:

Tableau Server 10.3.2