Summary: Changing the log levelto "debug"exposesdatasource credentials in plaintext inthe application logs. The log files are storedin an access-controlled location. On Tableau Desktop, access to Tableau application logsis limited to the current user.OnTableau Server, application logs are stored with permission that is restrictedto the local administrator.
By default, the log level is set to "info".
Impact: An attacker with access to the application logs can learn the datasource credentials.
Vulnerable Versions: The following versions have this vulnerability:
Tableau Desktop: 2018.1through 2018.1.2
Tableau Server on Windows: 2018.1 through 2018.1.2
Tableau Server on Linux: 2018.1through 2018.1.2
Resolution: The issue can be fixed by upgrading to the following version: