[Important] ADV-2017-018: Privilege escalation when using Mutual SSL on Tableau Server
Summary: There is an authentication bypass vulnerability that allows an attacker to authenticate as a Tableau Server user of their choice.
The vulnerability is exploitable when the following conditions are true:
Impact: An unauthenticated attacker can access Tableau Server as a Tableau Server user.
Vulnerable Versions: 9.1.0 (through 9.1.19), 9.2.0 (through 9.2.18), 9.3.0 (through 9.3.16), 10.0.0 (through 10.0.11), 10.1.0 (through 10.1.9), 10.2.0 (through 10.2.3), 10.3.0 (through 10.3.1)
Mitigation: Disable the insecure HTTP port (default is port 80) on the computer running Tableau Server.
Resolution: The issue can be fixed by upgrading to the following Tableau Server versions:
Tableau Server 9.1.20
Tableau Server 9.2.19
Tableau Server 9.3.17
Tableau Server 10.0.12
Tableau Server 10.1.10
Tableau Server 10.2.4
Tableau Server 10.3.2