Severity: Medium

 

Summary: An API function lacks an authorization check. This vulnerability may disclose the friendly user name of a user on another site on the Tableau Server. Any authenticated user on a site can call the vulnerable API.

 

Impact: Disclosure of a friendly username of a user on another site. 

 

Vulnerable Versions: The following versions of Tableau Server are vulnerable:

Tableau Server: 9.1 through 9.1.21
Tableau Server: 9.2 through 9.1.20
Tableau Server: 9.3 through 9.3.18
Tableau Server: 10.0 through 10.0.14
Tableau Server: 10.1 through 10.1.12
Tableau Server: 10.2 through 10.2.7
Tableau Server: 10.3 through 10.3.5
Tableau Server: 10.4 through 10.4.1
Tableau Server: 10.5 through 10.5.0

 

Resolution: The issue can be fixed by upgrading to one of the following versions:

Tableau Server: 9.1.22
Tableau Server: 9.2.21
Tableau Server: 9.3.19
Tableau Server: 10.0.15
Tableau Server: 10.1.13
Tableau Server: 10.2.8
Tableau Server: 10.3.7
Tableau Server: 10.4.3
Tableau Server: 10.5.1