[Important] ADV-2017-016: REST API may trigger refresh extracts on the wrong site

 

Severity: Medium

 

Summary: In some cases REST API calls intended for one site will refresh an extract for a different site hosted on the Tableau Server.

 

Impact: An extract on another site will be triggered. This results in unnecessary consumption of resources. In addition, workbook and data source names are disclosed as a byproduct of the extract refresh to the site that initiated the refresh.

 

Data from the extract or target data source are not disclosed.

 

Vulnerable Versions: 10.3.0 (through 10.3.1)

 

Mitigation: None

 

Resolution: The issue can be fixed by upgrading to the following Tableau Server versions:

Tableau Server: 10.3.2