Severity: Medium


Summary: The cookie used to identify the Tableau Services Manager (TSM) Web UI session does not expire if a browser window to the web interface remains open.


Impact: This vulnerability increases the risk that an unattended computer where the TSM web UI is left open will host a valid session. The open valid session allows users to perform administrative actions on the Tableau Server installation.


Vulnerable Versions:  The following versions have this vulnerability:

Tableau Server 2018.2.0 through 2018.2.3

Tableau Server 2018.3.0

Tableau Server on Linux 2018.2.0 through 2018.2.3

Tableau Server on Linux 2018.3.0



Resolution: The issue can be fixed by upgrading to the following version:

Tableau Server 2018.2.4

Tableau Server 2018.3.1

Tableau Server on Linux 2018.2.4

Tableau Server on Linux 2018.3.1