Severity: Medium

 

Summary: Dashboard web objects in Tableau Desktop can execute untrusted JavaScript and may therefore be vulnerable to information disclosure through the Spectre vulnerabilities (CVE-2017-5753 and CVE-2017-5715).

 

Web data connectors on Tableau Server and Tableau Desktop execute JavaScript code and therefore may also be vulnerable to Spectre. As a mitigation for Tableau Server, you can configure a safe list so web data connectors can only run from trusted URLs. See Web Data Connectors.

 

Impact: This vulnerability may allow an attacker to read some memory in the same process that executes the untrusted JavaScript code.

 

Vulnerable Versions: The following versions of Tableau Desktop and Tableau Server are vulnerable:

Tableau Desktop and Server: 9.1 through 9.1.21
Tableau Desktop and Server: 9.2 through 9.2.20
Tableau Desktop and Server: 9.3 through 9.3.18
Tableau Desktop and Server: 10.0 through 10.0.14
Tableau Desktop and Server: 10.1 through 10.1.12
Tableau Desktop and Server: 10.2 through 10.2.7
Tableau Desktop and Server: 10.3 through 10.3.5
Tableau Desktop and Server: 10.4 through 10.4.1
Tableau Desktop and Server: 10.5 through 10.5.0

 

Resolution: The issue can be fixed by upgrading to the following versions:

Tableau Desktop and Server: 9.1.22
Tableau Desktop and Server: 9.2.21
Tableau Desktop and Server: 9.3.19
Tableau Desktop and Server: 10.0.15
Tableau Desktop and Server: 10.1.13
Tableau Desktop and Server: 10.2.8
Tableau Desktop and Server: 10.3.7
Tableau Desktop and Server: 10.4.3
Tableau Desktop and Server: 10.5.1
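
Added example, not part of Tableau's advisory: a Python check that classifies installed Desktop and Server versions against the two lists above and returns the upgrade target per host. The host names and inventory are constructed; releases that fall between a listed vulnerable range and its listed fix (such as 10.3.6) are reported separately because the advisory does not state their status.

```python
import re

# Per branch: (last vulnerable maintenance release, first fixed release),
# transcribed from the advisory's two lists.
ADVISORY = {
    (9, 1): (21, 22), (9, 2): (20, 21), (9, 3): (18, 19),
    (10, 0): (14, 15), (10, 1): (12, 13), (10, 2): (7, 8),
    (10, 3): (5, 7), (10, 4): (1, 3), (10, 5): (0, 1),
}

def parse_version(text):
    """Parse 'major.minor[.maintenance]'; a missing maintenance part means 0."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\.(\d+))?\s*", text)
    if m is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, maint = m.groups()
    return int(major), int(minor), int(maint or 0)

def triage(version):
    """Return (status, first_fixed_release) for one installed version."""
    major, minor, maint = parse_version(version)
    entry = ADVISORY.get((major, minor))
    if entry is None:
        return ("not-listed", None)       # advisory says nothing about this branch
    last_vulnerable, first_fixed = entry
    target = f"{major}.{minor}.{first_fixed}"
    if maint <= last_vulnerable:
        return ("vulnerable", target)
    if maint >= first_fixed:
        return ("fixed", target)
    return ("unlisted-gap", target)       # e.g. 10.3.6: between the two lists

def needs_upgrade(inventory):
    """Map host -> upgrade target for every host not on a listed fixed release."""
    plan = {}
    for host, version in inventory.items():
        status, target = triage(version)
        if status in ("vulnerable", "unlisted-gap"):
            plan[host] = target
    return plan

# Constructed inventory (hypothetical host names) for illustration.
SAMPLE_INVENTORY = {
    "tableau-prod-01": "10.3.5",
    "tableau-prod-02": "10.3.6",
    "analyst-laptop-17": "10.5",
    "tableau-dr-01": "9.1.22",
}

if __name__ == "__main__":
    for host, target in sorted(needs_upgrade(SAMPLE_INVENTORY).items()):
        print(f"{host}: upgrade to {target}")
```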