Skip navigation

Highest overall severity: High


Summary:

Two CVEs related to NTLM authentication with libcurl are addressed.
CVE-2018-16890
CVE-2019-3822


Impact:

When using NTLM to authenticate to a web site there is a possibility of an out-of-bounds read and write. This could lead to remote code execution or a crash.


Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep Builder | Tableau Reader | Tableau Mobile | Tableau Public Desktop
Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Desktop (Back to top of page)

Severity: High CVSS3 Score: AV:N AC:H PR:N UI:R S:U C:H I:H A:H - 7.5
Product specific notes:
       Opening a malicious workbook or connecting to a malicious Tableau Server instance can trigger this vulnerability.


Vulnerable versions:

  • Tableau Desktop on Windows 10.1 through 10.1.22
  • Tableau Desktop on Windows 10.2 through 10.2.18
  • Tableau Desktop on Windows 10.3 through 10.3.18
  • Tableau Desktop on Windows 10.4 through 10.4.14
  • Tableau Desktop on Windows 10.5 through 10.5.13
  • Tableau Desktop on Windows 2018.1 through 2018.1.10
  • Tableau Desktop on Windows 2018.2 through 2018.2.7
  • Tableau Desktop on Windows 2018.3 through 2018.3.4
  • Tableau Desktop on Windows 2019.1 through 2019.1.1

  • Tableau Desktop on Mac 10.1 through 10.1.22
  • Tableau Desktop on Mac 10.2 through 10.2.18
  • Tableau Desktop on Mac 10.3 through 10.3.18
  • Tableau Desktop on Mac 10.4 through 10.4.14
  • Tableau Desktop on Mac 10.5 through 10.5.13
  • Tableau Desktop on Mac 2018.1 through 2018.1.10
  • Tableau Desktop on Mac 2018.2 through 2018.2.7
  • Tableau Desktop on Mac 2018.3 through 2018.3.4
  • Tableau Desktop on Mac 2019.1 through 2019.1.1


Resolved in versions:

  • Tableau Desktop on Windows 10.1.23
  • Tableau Desktop on Windows 10.2.19
  • Tableau Desktop on Windows 10.3.19
  • Tableau Desktop on Windows 10.4.15
  • Tableau Desktop on Windows 10.5.14
  • Tableau Desktop on Windows 2018.1.11
  • Tableau Desktop on Windows 2018.2.8
  • Tableau Desktop on Windows 2018.3.5
  • Tableau Desktop on Windows 2019.1.2

  • Tableau Desktop on Mac 10.1.23
  • Tableau Desktop on Mac 10.2.19
  • Tableau Desktop on Mac 10.3.19
  • Tableau Desktop on Mac 10.4.15
  • Tableau Desktop on Mac 10.5.14
  • Tableau Desktop on Mac 2018.1.11
  • Tableau Desktop on Mac 2018.2.8
  • Tableau Desktop on Mac 2018.3.5
  • Tableau Desktop on Mac 2019.1.2


Tableau Bridge (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Prep Builder (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Reader (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Mobile (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Public Desktop (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.

Highest overall severity: High


Summary:

A user connecting to a malicious Web Data Connector with Tableau Desktop on Mac can trigger a vulnerability.


Impact:

An attacker exploiting this vulnerability may be able to execute arbitrary code or cause a crash.


Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep Builder | Tableau Reader | Tableau Mobile | Tableau Public Desktop
Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Desktop (Back to top of page)

Severity: High
CVSS3 Score: AV:N AC:H PR:N UI:R S:U C:H I:H A:H - 7.0 High


Vulnerable versions:

  • Tableau Desktop on Mac 10.1 through 10.1.22
  • Tableau Desktop on Mac 10.2 through 10.2.18


Resolved in versions:

  • Tableau Desktop on Mac 10.1.23
  • Tableau Desktop on Mac 10.2.19


Tableau Bridge (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Prep Builder (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Reader (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Mobile (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Public Desktop (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.

Highest overall severity: High


Summary:

When Tableau Desktop publishes a workbook it generates thumbnails for the sheets and dashboards in that workbook. If the workbook connects to a published data source that includes user functions, then Tableau will generate thumbnails based on the access and group membership of the user who published the data source.


Impact:

A user who can view the thumbnail images for a workbook will be able to see a static image of the workbook as it existed at publishing time for the original user who published the data source. The thumbnail image may contain data that the viewer does not otherwise have permission to view.


Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep Builder | Tableau Reader | Tableau Mobile | Tableau Public Desktop
Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Desktop (Back to top of page)

Severity: High
CVSS3 Score: AV:N AC:L PR:L UI:R S:U C:H I:N A:N CR:H - 7.5 High


Vulnerable versions:

  • Tableau Desktop on Windows 10.1 through 10.1.22
  • Tableau Desktop on Windows 10.2 through 10.2.18
  • Tableau Desktop on Windows 10.3 through 10.3.18
  • Tableau Desktop on Windows 10.4 through 10.4.14
  • Tableau Desktop on Windows 10.5 through 10.5.13
  • Tableau Desktop on Windows 2018.1 through 2018.1.10
  • Tableau Desktop on Windows 2018.2 through 2018.2.7
  • Tableau Desktop on Windows 2018.3 through 2018.3.4
  • Tableau Desktop on Windows 2019.1 through 2019.1.0 (2019.1.1 was a Tableau Server only release)

  • Tableau Desktop on Mac 10.1 through 10.1.22
  • Tableau Desktop on Mac 10.2 through 10.2.18
  • Tableau Desktop on Mac 10.3 through 10.3.18
  • Tableau Desktop on Mac 10.4 through 10.4.14
  • Tableau Desktop on Mac 10.5 through 10.5.13
  • Tableau Desktop on Mac 2018.1 through 2018.1.10
  • Tableau Desktop on Mac 2018.2 through 2018.2.7
  • Tableau Desktop on Mac 2018.3 through 2018.3.4
  • Tableau Desktop on Mac 2019.1 through 2019.1.0 (2019.1.1 was a Tableau Server only release)


Resolved in versions:

  • Tableau Desktop on Windows 10.1.23
  • Tableau Desktop on Windows 10.2.19
  • Tableau Desktop on Windows 10.3.19
  • Tableau Desktop on Windows 10.4.15
  • Tableau Desktop on Windows 10.5.14
  • Tableau Desktop on Windows 2018.1.11
  • Tableau Desktop on Windows 2018.2.8
  • Tableau Desktop on Windows 2018.3.5
  • Tableau Desktop on Windows 2019.1.2

  • Tableau Desktop on Mac 10.1.23
  • Tableau Desktop on Mac 10.2.19
  • Tableau Desktop on Mac 10.3.19
  • Tableau Desktop on Mac 10.4.15
  • Tableau Desktop on Mac 10.5.14
  • Tableau Desktop on Mac 2018.1.11
  • Tableau Desktop on Mac 2018.2.8
  • Tableau Desktop on Mac 2018.3.5
  • Tableau Desktop on Mac 2019.1.2


Tableau Bridge (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Prep Builder (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Reader (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Mobile (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Public Desktop (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.