Severity: Medium

Summary: Changing the log level to "debug" exposes datasource credentials in plaintext in the application logs. The log files are stored in an access-controlled location. On Tableau Desktop, access to Tableau application logs is limited to the current user. On Tableau Server, application logs are stored with permissions restricted to the local administrator.

By default, the log level is set to "info".

Impact: An attacker with access to the application logs can learn the datasource credentials.

Vulnerable Versions: The following versions have this vulnerability:

Tableau Desktop: 2018.1 through 2018.1.2

Tableau Server on Windows: 2018.1 through 2018.1.2

Tableau Server on Linux: 2018.1 through 2018.1.2

Resolution: The issue can be fixed by upgrading to the following version:

Tableau Desktop: 2018.1.3

Tableau Server on Windows: 2018.1.3

Tableau Server on Linux: 2018.1.3