Severity: High

 

Summary: A heap overflow vulnerability in Tableau Server and Tableau Desktop may result in code execution. To exploit this vulnerability on Tableau Server, the attacker must be an authenticated user with the ability to publish views or workbooks. On Tableau Desktop, this vulnerability is exploited when a user opens a malicious file.

 

Impact: An attacker exploiting this vulnerability may be able to execute arbitrary code or cause a crash.

 

Vulnerable Versions: The following versions of Tableau Desktop and Tableau Server are vulnerable:

Tableau Desktop and Server: 9.1 through 9.1.21
Tableau Desktop and Server: 9.2 through 9.1.20
Tableau Desktop and Server: 9.3 through 9.3.18
Tableau Desktop and Server: 10.0 through 10.0.14
Tableau Desktop and Server: 10.1 through 10.1.12
Tableau Desktop and Server: 10.2 through 10.2.7
Tableau Desktop and Server: 10.3 through 10.3.5
Tableau Desktop and Server: 10.4 through 10.4.1
Tableau Desktop and Server: 10.5 through 10.5.0

 

Resolution: The issue can be fixed by upgrading to one of the following versions:

Tableau Desktop and Server: 9.1.22
Tableau Desktop and Server: 9.2.21
Tableau Desktop and Server: 9.3.19
Tableau Desktop and Server: 10.0.15
Tableau Desktop and Server: 10.1.13
Tableau Desktop and Server: 10.2.8
Tableau Desktop and Server: 10.3.7
Tableau Desktop and Server: 10.4.3
Tableau Desktop and Server: 10.5.1

 

Acknowledgement: This vulnerability was discovered by Kushal Arvind Shah of Fortinet's FortiGuard Labs.