Severity: Medium


Summary: Tableau Prep does not properly validate filenames when opening a maliciously-crafted Packaged Tableau Flow File (.tflx). The resulting files can be written outside of the intended temporary location.


Impact: A Tableau Prep user who opens a maliciously-crafted Tableau Flow File can unknowingly write and overwrite files to any location the user has access to.


Vulnerable Versions:  The following versions have this vulnerability:

Tableau Prep: 2018.1 through 2018.1.2


Resolution: The issue can be fixed by upgrading to the following version:

Tableau Prep: 2018.2.1