[Important] ADV-2017-016: REST API may trigger refresh extracts on the wrong site


Severity: Medium


Summary: In some cases REST API calls intended for one site will refresh an extract for a different site hosted on the Tableau Server.


Impact: An extract on another site will be triggered. This results in unnecessary consumption of resources. In addition, workbook and data source names are disclosed as a byproduct of the extract refresh to the site that initiated the refresh.


Data from the extract or target data source are not disclosed.


Vulnerable Versions: 10.3.0 (through 10.3.1)


Mitigation: None


Resolution: The issue can be fixed by upgrading to the following Tableau Server versions:

Tableau Server: 10.3.2