Summary: Some versions of Tableau Server contain a vulnerability that allows a malicious user with publishing privileges to publish a workbook that runs malicious code. The vulnerability allows the code to run with the security privileges of the Tableau Server service account ("Run As User" account on Windows and the "tableau" system user on Linux). Deployments that allow untrusted publishers or use sites to enforce security policies are at highest risk from this vulnerability.
Tableau Desktop is also vulnerable; the vulnerability can be exploited when a user opens a maliciously crafted workbook.
Tableau Online and the Tableau Public community platform are not affected by this vulnerability.
Impact: Remote code execution that could impact the confidentiality, integrity, and availability of Tableau Server. This vulnerability could allow a malicious user hosted on one site of a Tableau Server instance to compromise another site that is hosted on the same computer.
On Tableau Desktop, the vulnerability could result in the execution of malicious code that could impact confidentiality, integrity, and availability of the computer running Tableau Desktop. In the Desktop scenario, the code runs in the security context of the user who opens the compromised workbook.
Vulnerable Versions: The following versions of Tableau Server and Tableau Desktop (including Tableau Desktop Public Edition and Tableau Reader) are vulnerable:
- Tableau Server on Linux through 10.5.3
- Tableau Server on Linux through 2018.1.0
- Tableau Server on Windows through 9.2.23
- Tableau Server on Windows through 9.3.21
- Tableau Server on Windows through 10.0.17
- Tableau Server on Windows through 10.1.16
- Tableau Server on Windows through 10.2.12
- Tableau Server on Windows through 10.3.10
- Tableau Desktop through 9.2.23
- Tableau Desktop through 9.3.21
- Tableau Desktop through 10.0.17
- Tableau Desktop through 10.1.16
- Tableau Desktop through 10.2.12
- Tableau Desktop through 10.3.10
The following versions are not vulnerable:
- Tableau Desktop 10.4, 10.5 and 2018.1 on Windows or Mac.
- Tableau Server on Windows 10.4.x
- Tableau Server on Windows 10.5.x
- Tableau Server on Windows 2018.1
Resolution: The issue can be fixed by upgrading to one of the following versions:
- Tableau Server on Windows: 9.2.24, 9.3.22, 10.0.18, 10.1.17, 10.2.13, 10.3.11
- Tableau Server on Linux: 2018.1.1, 10.5.4
- Tableau Desktop: 9.2.24, 9.3.22, 10.0.18, 10.1.17, 10.2.13, 10.3.11