Summary: A Tableau Server configured with “External SSL” enabled that receives a specially crafted HTTP request on the non-SSL port will respond with a redirect to the HTTPS port. The redirect will specify the local IP address of the host ratherthan the hostname.
Impact: An internal IP address of the Tableau Server host will be exposed. For Tableau Server instances running on the internet, this vulnerability can expose details of the internal network topology to outside users.
Vulnerable Versions: The following versions have this vulnerability:
Tableau Server 10.0 through 10.0.20
Tableau Server 10.1 through 10.1.19
Tableau Server 10.2 through 10.2.15
Tableau Server 10.3 through 10.3.14
Tableau Server 10.4 through 10.4.10
Tableau Server 10.5 through 10.5.7
Tableau Server 2018.1 through 2018.1.4
Tableau Server 2018.2 through 2018.2.1
Tableau Server 2018.3
Tableau Server on Linux 10.5 through 10.5.7
Tableau Server on Linux 2018.1 through 2018.1.4
Tableau Server on Linux 2018.2 through 2018.2.1
Resolution: The issue can be fixed by upgrading to the following version: