Skip navigation
2019

Highest overall severity: Medium


Summary:

When a Web Data Connector (WDC) is added to Tableau Server the --secondary option can be used to specify a safe list of URLs. The safe list defines URLs that the WDC is allowed to make requests to or to receive data from. The resulting safe list is not evaluated when performing an "Incremental Refresh".


Impact:

A malicious WDC that has been added to a Tableau Server instance with a secondary safe list can make requests to any URL when an "Incremental Refresh" operation is performed.


Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep Builder | Tableau Reader | Tableau Mobile | Tableau Public Desktop
Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: Medium
CVSS3 Score: AV:N AC:L PR:H UI:N S:C C:L I:L A:N - 5.5 Medium


Vulnerable versions:

  • Tableau Server on Windows 10.1 through 10.1.23 (Fix coming in future release)
  • Tableau Server on Windows 10.2 through 10.2.19 (Fix coming in future release)
  • Tableau Server on Windows 10.3 through 10.3.19 (Fix coming in future release)
  • Tableau Server on Windows 10.4 through 10.4.14
  • Tableau Server on Windows 10.5 through 10.5.13
  • Tableau Server on Windows 2018.1 through 2018.1.10
  • Tableau Server on Windows 2018.2 through 2018.2.7
  • Tableau Server on Windows 2018.3 through 2018.3.4
  • Tableau Server on Windows 2019.1 through 2019.1.1

  • Tableau Server on Linux 10.5 through 10.5.13
  • Tableau Server on Linux 2018.1 through 2018.1.10
  • Tableau Server on Linux 2018.2 through 2018.2.7
  • Tableau Server on Linux 2018.3 through 2018.3.4
  • Tableau Server on Linux 2019.1 through 2019.1.1


Resolved in versions:

  • Tableau Server on Windows 10.4.15
  • Tableau Server on Windows 10.5.14
  • Tableau Server on Windows 2018.1.11
  • Tableau Server on Windows 2018.2.8
  • Tableau Server on Windows 2018.3.5
  • Tableau Server on Windows 2019.1.2

  • Tableau Server on Linux 10.5.14
  • Tableau Server on Linux 2018.1.11
  • Tableau Server on Linux 2018.2.8
  • Tableau Server on Linux 2018.3.5
  • Tableau Server on Linux 2019.1.2


Tableau Desktop (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Bridge (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Prep Builder (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Reader (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Mobile (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Public Desktop (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.

Highest overall severity: High


Summary:

Two CVEs related to NTLM authentication with libcurl are addressed.
CVE-2018-16890
CVE-2019-3822


Impact:

When using NTLM to authenticate to a web site there is a possibility of an out-of-bounds read and write. This could lead to remote code execution or a crash.


Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep Builder | Tableau Reader | Tableau Mobile | Tableau Public Desktop
Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Desktop (Back to top of page)

Severity: High CVSS3 Score: AV:N AC:H PR:N UI:R S:U C:H I:H A:H - 7.5
Product specific notes:
       Opening a malicious workbook or connecting to a malicious Tableau Server instance can trigger this vulnerability.


Vulnerable versions:

  • Tableau Desktop on Windows 10.1 through 10.1.22
  • Tableau Desktop on Windows 10.2 through 10.2.18
  • Tableau Desktop on Windows 10.3 through 10.3.18
  • Tableau Desktop on Windows 10.4 through 10.4.14
  • Tableau Desktop on Windows 10.5 through 10.5.13
  • Tableau Desktop on Windows 2018.1 through 2018.1.10
  • Tableau Desktop on Windows 2018.2 through 2018.2.7
  • Tableau Desktop on Windows 2018.3 through 2018.3.4
  • Tableau Desktop on Windows 2019.1 through 2019.1.1

  • Tableau Desktop on Mac 10.1 through 10.1.22
  • Tableau Desktop on Mac 10.2 through 10.2.18
  • Tableau Desktop on Mac 10.3 through 10.3.18
  • Tableau Desktop on Mac 10.4 through 10.4.14
  • Tableau Desktop on Mac 10.5 through 10.5.13
  • Tableau Desktop on Mac 2018.1 through 2018.1.10
  • Tableau Desktop on Mac 2018.2 through 2018.2.7
  • Tableau Desktop on Mac 2018.3 through 2018.3.4
  • Tableau Desktop on Mac 2019.1 through 2019.1.1


Resolved in versions:

  • Tableau Desktop on Windows 10.1.23
  • Tableau Desktop on Windows 10.2.19
  • Tableau Desktop on Windows 10.3.19
  • Tableau Desktop on Windows 10.4.15
  • Tableau Desktop on Windows 10.5.14
  • Tableau Desktop on Windows 2018.1.11
  • Tableau Desktop on Windows 2018.2.8
  • Tableau Desktop on Windows 2018.3.5
  • Tableau Desktop on Windows 2019.1.2

  • Tableau Desktop on Mac 10.1.23
  • Tableau Desktop on Mac 10.2.19
  • Tableau Desktop on Mac 10.3.19
  • Tableau Desktop on Mac 10.4.15
  • Tableau Desktop on Mac 10.5.14
  • Tableau Desktop on Mac 2018.1.11
  • Tableau Desktop on Mac 2018.2.8
  • Tableau Desktop on Mac 2018.3.5
  • Tableau Desktop on Mac 2019.1.2


Tableau Bridge (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Prep Builder (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Reader (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Mobile (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Public Desktop (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.

Highest overall severity: High


Summary:

A user connecting to a malicious Web Data Connector with Tableau Desktop on Mac can trigger a vulnerability.


Impact:

An attacker exploiting this vulnerability may be able to execute arbitrary code or cause a crash.


Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep Builder | Tableau Reader | Tableau Mobile | Tableau Public Desktop
Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Desktop (Back to top of page)

Severity: High
CVSS3 Score: AV:N AC:H PR:N UI:R S:U C:H I:H A:H - 7.0 High


Vulnerable versions:

  • Tableau Desktop on Mac 10.1 through 10.1.22
  • Tableau Desktop on Mac 10.2 through 10.2.18


Resolved in versions:

  • Tableau Desktop on Mac 10.1.23
  • Tableau Desktop on Mac 10.2.19


Tableau Bridge (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Prep Builder (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Reader (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Mobile (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Public Desktop (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.

Highest overall severity: High


Summary:

When Tableau Desktop publishes a workbook it generates thumbnails for the sheets and dashboards in that workbook. If the workbook connects to a published data source that includes user functions, then Tableau will generate thumbnails based on the access and group membership of the user who published the data source.


Impact:

A user who can view the thumbnail images for a workbook will be able to see a static image of the workbook as it existed at publishing time for the original user who published the data source. The thumbnail image may contain data that the viewer does not otherwise have permission to view.


Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep Builder | Tableau Reader | Tableau Mobile | Tableau Public Desktop
Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Desktop (Back to top of page)

Severity: High
CVSS3 Score: AV:N AC:L PR:L UI:R S:U C:H I:N A:N CR:H - 7.5 High


Vulnerable versions:

  • Tableau Desktop on Windows 10.1 through 10.1.22
  • Tableau Desktop on Windows 10.2 through 10.2.18
  • Tableau Desktop on Windows 10.3 through 10.3.18
  • Tableau Desktop on Windows 10.4 through 10.4.14
  • Tableau Desktop on Windows 10.5 through 10.5.13
  • Tableau Desktop on Windows 2018.1 through 2018.1.10
  • Tableau Desktop on Windows 2018.2 through 2018.2.7
  • Tableau Desktop on Windows 2018.3 through 2018.3.4
  • Tableau Desktop on Windows 2019.1 through 2019.1.0 (2019.1.1 was a Tableau Server only release)

  • Tableau Desktop on Mac 10.1 through 10.1.22
  • Tableau Desktop on Mac 10.2 through 10.2.18
  • Tableau Desktop on Mac 10.3 through 10.3.18
  • Tableau Desktop on Mac 10.4 through 10.4.14
  • Tableau Desktop on Mac 10.5 through 10.5.13
  • Tableau Desktop on Mac 2018.1 through 2018.1.10
  • Tableau Desktop on Mac 2018.2 through 2018.2.7
  • Tableau Desktop on Mac 2018.3 through 2018.3.4
  • Tableau Desktop on Mac 2019.1 through 2019.1.0 (2019.1.1 was a Tableau Server only release)


Resolved in versions:

  • Tableau Desktop on Windows 10.1.23
  • Tableau Desktop on Windows 10.2.19
  • Tableau Desktop on Windows 10.3.19
  • Tableau Desktop on Windows 10.4.15
  • Tableau Desktop on Windows 10.5.14
  • Tableau Desktop on Windows 2018.1.11
  • Tableau Desktop on Windows 2018.2.8
  • Tableau Desktop on Windows 2018.3.5
  • Tableau Desktop on Windows 2019.1.2

  • Tableau Desktop on Mac 10.1.23
  • Tableau Desktop on Mac 10.2.19
  • Tableau Desktop on Mac 10.3.19
  • Tableau Desktop on Mac 10.4.15
  • Tableau Desktop on Mac 10.5.14
  • Tableau Desktop on Mac 2018.1.11
  • Tableau Desktop on Mac 2018.2.8
  • Tableau Desktop on Mac 2018.3.5
  • Tableau Desktop on Mac 2019.1.2


Tableau Bridge (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Prep Builder (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Reader (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Mobile (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Public Desktop (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.

Highest overall severity: High

 

Summary:

A user connecting to a malicious Tableau Server instance with Tableau Prep Builder can trigger a vulnerability in the version of Electron used by Tableau Prep Builder. Electron is an open-source development framework.

 

Impact:

An attacker exploiting this vulnerability may be able to execute arbitrary code or cause a crash.

 

Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep Builder | Tableau Reader | Tableau Mobile | Tableau Public Desktop
*Versions that are no longer supported are not tested and may be vulnerable.

 

Tableau Server

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.

 

Tableau Desktop (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.

 

Tableau Bridge (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.

Tableau Prep Builder (Back to top of page)

Severity: High
CVSS3 Score: AV:N AC:H PR:N UI:R S:U C:H I:H A:H - 7.5 High
Product specific notes:

 

Vulnerable versions:

  • Tableau Prep Builder 2018.1.1 through 2019.1.2

 

Resolved in versions:

  • Tableau Prep Builder 2019.1.3

 

Tableau Reader (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.

 

Tableau Mobile (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.

 

Tableau Public Desktop (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.