Severity: Medium

Summary: Tableau Prep does not properly validate filenames when opening a maliciously crafted Packaged Tableau Flow File (.tflx). As a result, files contained in the package can be written outside of the intended temporary location.

Impact: A Tableau Prep user who opens a maliciously crafted Tableau Flow File can unknowingly write and overwrite files in any location the user has access to.

Vulnerable Versions: The following versions have this vulnerability:

Tableau Prep: 2018.1 through 2018.1.2

Resolution: The issue can be fixed by upgrading to the following version:

Tableau Prep: 2018.2.1