Summary: Tableau Prep does not properly validate filenames when opening a maliciously-crafted Packaged Tableau Flow File (.). The resulting files can be written outside of the intended temporary location.
Impact: A Tableau Prep user who opens a maliciously-crafted Tableau Flow File can unknowingly write and overwrite files to any location the user has access to.
Vulnerable Versions: The following versions have this vulnerability:
Tableau Prep: 2018.1 through 2018.1.2
Resolution: The issue can be fixed by upgrading to the following version:
Tableau Prep: 2018.2.1