Severity: Medium


Summary: The tabcmd utility logs all commands and their parameters to a local log file. When sensitive parameters are given, such as the password parameter used to authenticate to Tableau Server the value is written to the log in plaintext.


Impact: Malicious users with access to the tabcmd logs can access passwords that are used for authenticating to Tableau Server.


Vulnerable Versions:  The following versions have this vulnerability:

Tableau Server: 9.2 through 9.2.24

Tableau Server: 9.3 through 9.3.22

Tableau Server: 10.0 through 10.0.18

Tableau Server: 10.1 through 10.1.17

Tableau Server: 10.2 through 10.2.13

Tableau Server: 10.3 through 10.3.11

Tableau Server: 10.4 through 10.4.7

Tableau Server on Windows: 10.5 through 10.5.4

Tableau Server on Linux: 10.5 through 10.5.4

Tableau Server on Windows: 2018.1.1

Tableau Server on Linux: 2018.1.1


Resolution: The issue can be fixed by upgrading to the following version:

Tableau Server: 9.2.25

Tableau Server: 9.3.23

Tableau Server: 10.0.19

Tableau Server: 10.1.18

Tableau Server: 10.2.14

Tableau Server: 10.3.12

Tableau Server: 10.4.8

Tableau Server on Windows: 10.5.5

Tableau Server on Linux: 10.5.5

Tableau Server on Windows: 2018.1.2

Tableau Server on Linux: 2018.1.2