Skip navigation
2018

Severity: Medium

 

Summary: Tableau Prep does not properly validate filenames when opening a maliciously-crafted Packaged Tableau Flow File (.tflx). The resulting files can be written outside of the intended temporary location.

 

Impact: A Tableau Prep user who opens a maliciously-crafted Tableau Flow File can unknowingly write and overwrite files to any location the user has access to.

 

Vulnerable Versions:  The following versions have this vulnerability:

Tableau Prep: 2018.1 through 2018.1.2

 

Resolution: The issue can be fixed by upgrading to the following version:

Tableau Prep: 2018.2.1

Severity: Medium

 

Summary: Changing the log level to "debug" exposes datasource credentials in plaintext in the application logs. The log files are stored in an access-controlled location. On Tableau Desktop, access to Tableau application logs is limited to the current user. On Tableau Server, application logs are stored with permission that is restricted to the local administrator.

 

By default, the log level is set to "info".

 

Impact: An attacker with access to the application logs can learn the datasource credentials.

 

Vulnerable Versions:  The following versions have this vulnerability:

Tableau Desktop: 2018.1 through 2018.1.2

Tableau Server on Windows: 2018.1 through 2018.1.2

Tableau Server on Linux: 2018.1 through 2018.1.2

 

Resolution: The issue can be fixed by upgrading to the following version:

Tableau Desktop: 2018.1.3

Tableau Server on Windows: 2018.1.3

Tableau Server on Linux: 2018.1.3