Highest overall severity: Medium


Summary:

When a Web Data Connector (WDC) is added to Tableau Server, the --secondary option can be used to specify a safe list of URLs. The safe list defines the URLs that the WDC is allowed to send requests to or receive data from. This safe list is not evaluated when an "Incremental Refresh" is performed.


Impact:

A malicious WDC that has been added to a Tableau Server instance with a secondary safe list can make requests to any URL when an "Incremental Refresh" operation is performed.
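
To review whether a server running a vulnerable version made requests outside a connector's secondary safe list, the added example below (not Tableau code and not part of the original advisory) checks egress-proxy log lines against that list. The log format, host names, URLs and the treatment of safe-list entries as whole-URL regular expressions are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed safe list in the shape given to --secondary. Assumption: each
# entry is a regular expression that must match the whole URL.
SAFE_LIST = [
    r"https://api\.example\.com/.*",
    r"https://cdn\.example\.com/wdc/.*",
]

# Constructed egress-proxy log: timestamp, source host, method, URL.
SAMPLE_LOG = """\
2019-03-02T01:00:03Z tableau01 GET https://api.example.com/v1/rows?since=41
2019-03-02T01:00:04Z tableau01 GET https://cdn.example.com/wdc/lib.js
2019-03-02T01:00:05Z tableau01 POST https://collector.example.net/upload
2019-03-02T01:00:06Z tableau01 GET https://api.example.com.example.net/v1/rows
2019-03-02T01:00:07Z web02 GET https://other.example.org/
2019-03-02T01:00:08Z tableau01 GET http://api.example.com/v1/rows
truncated line
"""


def is_allowed(url, patterns=SAFE_LIST):
    """True if the whole URL matches at least one safe-list entry."""
    # fullmatch anchors both ends: a URL passes only if an entry matches it
    # entirely, so a look-alike host or a different scheme is rejected.
    return any(re.fullmatch(p, url) for p in patterns)


def off_list_requests(log_text, server_hosts, patterns=SAFE_LIST):
    """Return (timestamp, method, host) for server requests outside the list."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed or truncated line
        ts, src, method, url = parts
        if src in server_hosts and not is_allowed(url, patterns):
            findings.append((ts, method, urlsplit(url).hostname))
    return findings


if __name__ == "__main__":
    for ts, method, host in off_list_requests(SAMPLE_LOG, {"tableau01"}):
        print(f"{ts} {method} {host} is not on the secondary safe list")
```

A hit is a lead for follow-up rather than proof, since a proxy log of this shape does not record which refresh operation issued the request.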


Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep Builder | Tableau Reader | Tableau Mobile | Tableau Public Desktop
Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: Medium
CVSS3 Score: AV:N AC:L PR:H UI:N S:C C:L I:L A:N - 5.5 Medium


Vulnerable versions:

  • Tableau Server on Windows 10.1 through 10.1.23
  • Tableau Server on Windows 10.2 through 10.2.19
  • Tableau Server on Windows 10.3 through 10.3.19
  • Tableau Server on Windows 10.4 through 10.4.14
  • Tableau Server on Windows 10.5 through 10.5.13
  • Tableau Server on Windows 2018.1 through 2018.1.10
  • Tableau Server on Windows 2018.2 through 2018.2.7
  • Tableau Server on Windows 2018.3 through 2018.3.4
  • Tableau Server on Windows 2019.1 through 2019.1.1

  • Tableau Server on Linux 10.5 through 10.5.13
  • Tableau Server on Linux 2018.1 through 2018.1.10
  • Tableau Server on Linux 2018.2 through 2018.2.7
  • Tableau Server on Linux 2018.3 through 2018.3.4
  • Tableau Server on Linux 2019.1 through 2019.1.1


Resolved in versions:

  • Tableau Server on Windows 10.1.24
  • Tableau Server on Windows 10.2.20
  • Tableau Server on Windows 10.3.20
  • Tableau Server on Windows 10.4.15
  • Tableau Server on Windows 10.5.14
  • Tableau Server on Windows 2018.1.11
  • Tableau Server on Windows 2018.2.8
  • Tableau Server on Windows 2018.3.5
  • Tableau Server on Windows 2019.1.2

  • Tableau Server on Linux 10.5.14
  • Tableau Server on Linux 2018.1.11
  • Tableau Server on Linux 2018.2.8
  • Tableau Server on Linux 2018.3.5
  • Tableau Server on Linux 2019.1.2


Tableau Desktop

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Prep Builder

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Reader

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.