Severity: High


Summary: An authenticated remote attacker can send a specially crafted message that can result in the disclosure of information from Tableau Server. The scope of the disclosure is bounded by the access privileges of the Tableau Server service account. For more information about the Tableau Server service account, see the online documentation (Windows | Linux).


Impact: Exploitation of the authenticated API call can result in the disclosure of information from any local file that the Tableau Server service account can read.


Vulnerable Versions: The following versions have this vulnerability:

Tableau Server: 9.2 through 9.2.23 

Tableau Server: 9.3 through 9.3.21 

Tableau Server: 10.0 through 10.0.17 

Tableau Server: 10.1 through 10.1.16

Tableau Server: 10.2 through 10.2.12 

Tableau Server: 10.3 through 10.3.10 

Tableau Server: 10.4 through 10.4.6 

Tableau Server on Windows: 10.5 through 10.5.3

Tableau Server on Linux: 10.5 through 10.5.3

Tableau Server on Windows: 2018.1

Tableau Server on Linux: 2018.1


Resolution: The issue can be fixed by upgrading to one of the following versions:

Tableau Server: 9.2.24 

Tableau Server: 9.3.22 

Tableau Server: 10.0.18 

Tableau Server: 10.1.17

Tableau Server: 10.2.13 

Tableau Server: 10.3.11 

Tableau Server: 10.4.7 

Tableau Server on Windows: 10.5.4

Tableau Server on Linux: 10.5.4

Tableau Server on Windows: 2018.1.1

Tableau Server on Linux: 2018.1.1