Severity: Medium

 

Summary: The authentication mechanism on the internal REST service used by Tableau Prep can be bypassed. The REST service runs only while Tableau Prep is in use. Because the REST service listens only on localhost, an attacker would need the ability to execute code on the host to exploit this vulnerability. In the remote case, a user would have to visit a malicious website that exploits the vulnerability.

Impact: An attacker who can make calls to the REST service can read data from the data sources that Tableau Prep is connected to.

 

Vulnerable Versions: The following versions have this vulnerability:

Tableau Prep 2018.1 through 2018.1.1

Resolution: The issue can be fixed by upgrading to the following version:

Tableau Prep 2018.1.2 or later