Highest overall severity: High

 

Summary:

A heap-based buffer overflow vulnerability exists in Tableau products.

 

Impact:

An attacker exploiting this vulnerability may be able to execute arbitrary code or cause a crash.

 

Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep | Tableau Reader | Tableau Mobile | Tableau Public Desktop
*Versions that are no longer supported are not tested and may be vulnerable.

 

Tableau Server

Severity: High
CVSS3 Score: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H - 8.8 High
Product specific notes:
       An authenticated user that is able to publish a workbook to Tableau Server can trigger this vulnerability.

 

Vulnerable versions:

  • Tableau Server on Windows 10.0 through 10.0.21
  • Tableau Server on Windows 10.1 through 10.1.21
  • Tableau Server on Windows 10.2 through 10.2.17
  • Tableau Server on Windows 10.3 through 10.3.17
  • Tableau Server on Windows 10.4 through 10.4.13
  • Tableau Server on Windows 10.5 through 10.5.12
  • Tableau Server on Windows 2018.1 through 2018.1.9
  • Tableau Server on Windows 2018.2 through 2018.2.6
  • Tableau Server on Windows 2018.3 through 2018.3.3
  • Tableau Server on Windows 2019.1 through 2019.1.1

  • Tableau Server on Linux 10.5 through 10.5.12
  • Tableau Server on Linux 2018.1 through 2018.1.9
  • Tableau Server on Linux 2018.2 through 2018.2.6
  • Tableau Server on Linux 2018.3 through 2018.3.3
  • Tableau Server on Linux 2019.1 through 2019.1.1

 

Resolved in versions:

  • Tableau Server on Windows 10.0.22
  • Tableau Server on Windows 10.1.22
  • Tableau Server on Windows 10.2.18
  • Tableau Server on Windows 10.3.18
  • Tableau Server on Windows 10.4.14
  • Tableau Server on Windows 10.5.13
  • Tableau Server on Windows 2018.1.10
  • Tableau Server on Windows 2018.2.7
  • Tableau Server on Windows 2018.3.4
  • Tableau Server on Windows 2019.1.2

  • Tableau Server on Linux 10.5.13
  • Tableau Server on Linux 2018.1.10
  • Tableau Server on Linux 2018.2.7
  • Tableau Server on Linux 2018.3.4
  • Tableau Server on Linux 2019.1.2

 

Tableau Desktop

Severity: High
CVSS3 Score: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H - 7.8 High
Product specific notes:
       Opening a malicious workbook can trigger this vulnerability.

 

Vulnerable versions:

  • Tableau Desktop on Windows 10.0 through 10.0.21
  • Tableau Desktop on Windows 10.1 through 10.1.21
  • Tableau Desktop on Windows 10.2 through 10.2.17
  • Tableau Desktop on Windows 10.3 through 10.3.17
  • Tableau Desktop on Windows 10.4 through 10.4.13
  • Tableau Desktop on Windows 10.5 through 10.5.12
  • Tableau Desktop on Windows 2018.1 through 2018.1.9
  • Tableau Desktop on Windows 2018.2 through 2018.2.6
  • Tableau Desktop on Windows 2018.3 through 2018.3.3
  • Tableau Desktop on Windows 2019.1 through 2019.1.0 (2019.1.1 was a Tableau Server only release)

  • Tableau Desktop on Mac 10.0 through 10.0.21
  • Tableau Desktop on Mac 10.1 through 10.1.21
  • Tableau Desktop on Mac 10.2 through 10.2.17
  • Tableau Desktop on Mac 10.3 through 10.3.17
  • Tableau Desktop on Mac 10.4 through 10.4.13
  • Tableau Desktop on Mac 10.5 through 10.5.12
  • Tableau Desktop on Mac 2018.1 through 2018.1.9
  • Tableau Desktop on Mac 2018.2 through 2018.2.6
  • Tableau Desktop on Mac 2018.3 through 2018.3.3
  • Tableau Desktop on Mac 2019.1 through 2019.1.0 (2019.1.1 was a Tableau Server only release)

 

Resolved in versions:

  • Tableau Desktop on Windows 10.0.22
  • Tableau Desktop on Windows 10.1.22
  • Tableau Desktop on Windows 10.2.18
  • Tableau Desktop on Windows 10.3.18
  • Tableau Desktop on Windows 10.4.14
  • Tableau Desktop on Windows 10.5.13
  • Tableau Desktop on Windows 2018.1.10
  • Tableau Desktop on Windows 2018.2.7
  • Tableau Desktop on Windows 2018.3.4
  • Tableau Desktop on Windows 2019.1.2

  • Tableau Desktop on Mac 10.0.22
  • Tableau Desktop on Mac 10.1.22
  • Tableau Desktop on Mac 10.2.18
  • Tableau Desktop on Mac 10.3.18
  • Tableau Desktop on Mac 10.4.14
  • Tableau Desktop on Mac 10.5.13
  • Tableau Desktop on Mac 2018.1.10
  • Tableau Desktop on Mac 2018.2.7
  • Tableau Desktop on Mac 2018.3.4
  • Tableau Desktop on Mac 2019.1.2
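
As an added example (not part of Tableau's advisory), the following Python checks an inventory of Tableau Server and Tableau Desktop installs against the resolved versions listed above. The `classify` and `triage` names, the status strings and the sample hostnames are assumptions made for the example.

```python
import re

# First fixed maintenance release per branch, copied from the advisory's
# "Resolved in versions" lists (identical for Tableau Server and Desktop).
FIXED = {
    (10, 0): 22, (10, 1): 22, (10, 2): 18, (10, 3): 18, (10, 4): 14,
    (10, 5): 13, (2018, 1): 10, (2018, 2): 7, (2018, 3): 4, (2019, 1): 2,
}
# The advisory lists Tableau Server on Linux only from branch 10.5 onward.
LINUX_SERVER = {(10, 5), (2018, 1), (2018, 2), (2018, 3), (2019, 1)}
_VERSION = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")


def classify(product, platform, version):
    """Return 'vulnerable', 'fixed' or 'not-listed' for one install."""
    if product not in ("server", "desktop"):
        raise ValueError(f"unknown product: {product!r}")
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    branch = (int(m.group(1)), int(m.group(2)))
    patch = int(m.group(3) or 0)  # "10.5" is treated as 10.5.0
    if branch not in FIXED:
        # Branch absent from the advisory. Unsupported old branches were
        # not tested and may be vulnerable, so review these by hand.
        return "not-listed"
    if product == "server" and platform == "linux" and branch not in LINUX_SERVER:
        return "not-listed"
    return "vulnerable" if patch < FIXED[branch] else "fixed"


def triage(inventory):
    """Map each (host, product, platform, version) row to its status."""
    return {host: classify(product, platform, version)
            for host, product, platform, version in inventory}


# Constructed sample inventory; hostnames are made up for the example.
SAMPLE = [
    ("bi-prod-01", "server", "windows", "2018.3.3"),
    ("bi-prod-02", "server", "linux", "2018.3.4"),
    ("analyst-mac", "desktop", "mac", "10.5"),
    ("legacy-bi", "server", "windows", "9.3.5"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host:12} {status}")
```

Installs reported as `not-listed` fall outside the branches named in this advisory and need a manual check against the footnote on unsupported versions.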

 

Tableau Bridge

Severity: High
CVSS3 Score: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H - 7.5 High

 

Vulnerable versions:

  • Tableau Bridge 2018.2 through 20191.19.0204.1456

 

Resolved in versions:

  • Tableau Bridge 20191.19.0311.1807

 

Tableau Prep

Severity: High
CVSS3 Score: AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H - 7.0 High
Product specific notes:
       Opening malicious flows may trigger this vulnerability.

 

Vulnerable versions:

  • Tableau Prep 2018.1.1 through 2019.1.2

 

Resolved versions:

  • Tableau Prep 2019.1.3

 

Tableau Reader

Severity: High
CVSS3 Score: AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H - 7.0 High

Product specific notes:
       Opening malicious workbooks may trigger this vulnerability.

 

Vulnerable versions:

  • Tableau Reader 10.0 through 2019.1.0 (2019.1.1 was a Tableau Server only release)

 

Resolved versions:

  • Tableau Reader 2019.1.2

 

Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product specific notes:

Not affected.

 

Tableau Public Desktop

Severity: High
CVSS3 Score: AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H - 7.0 High
Product specific notes:
       Opening malicious workbooks may trigger this vulnerability.

 

Vulnerable versions:

  • Tableau Public Desktop on Windows 10.0 through 2019.1.0 (2019.1.1 was a Tableau Server only release)

  • Tableau Public Desktop on Mac 10.0 through 2019.1.0 (2019.1.1 was a Tableau Server only release)

 

Resolved versions:

  • Tableau Public Desktop on Windows 2019.1.2

  • Tableau Public Desktop on Mac 2019.1.2

 

Acknowledgement:
This vulnerability was discovered by Kushal Arvind Shah of Fortinet's FortiGuard Labs.