Skip navigation
2019

Highest overall severity: Medium


Summary:

Tableau Server is upgrading to OpenSSL version 1.0.2r to address CVE-2019-1559.

While other Tableau products include OpenSSL, and are being upgraded as well, this attack can not be performed on those products. Only Tableau Server is vulnerable.


Impact:

An attacker that successfully exploits this vulnerability will be able to learn the contents of communication between Tableau Server and clients. This can include sensitive values such as cookies.


Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep Builder | Tableau Reader | Tableau Mobile | Tableau Public Desktop
Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: Medium
CVSS3 Score: AV:N AC:H PR:N UI:N S:U C:H I:N A:N - 5.9 Medium


Vulnerable versions:

  • Tableau Server on Windows 10.1 through 10.1.23
  • Tableau Server on Windows 10.2 through 10.2.19
  • Tableau Server on Windows 10.3 through 10.3.19
  • Tableau Server on Windows 10.4 through 10.4.15
  • Tableau Server on Windows 10.5 through 10.5.14
  • Tableau Server on Windows 2018.1 through 2018.1.11
  • Tableau Server on Windows 2018.2 through 2018.2.8
  • Tableau Server on Windows 2018.3 through 2018.3.5
  • Tableau Server on Windows 2019.1 through 2019.1.2

  • Tableau Server on Linux 10.5 through 10.5.14
  • Tableau Server on Linux 2018.1 through 2018.1.11
  • Tableau Server on Linux 2018.2 through 2018.2.8
  • Tableau Server on Linux 2018.3 through 2018.3.5
  • Tableau Server on Linux 2019.1 through 2019.1.2


Resolved in versions:

  • Tableau Server on Windows 10.1.24
  • Tableau Server on Windows 10.2.20
  • Tableau Server on Windows 10.3.20
  • Tableau Server on Windows 10.4.16
  • Tableau Server on Windows 10.5.15
  • Tableau Server on Windows 2018.1.12
  • Tableau Server on Windows 2018.2.9
  • Tableau Server on Windows 2018.3.6
  • Tableau Server on Windows 2019.1.3

  • Tableau Server on Linux 10.5.15
  • Tableau Server on Linux 2018.1.12
  • Tableau Server on Linux 2018.2.9
  • Tableau Server on Linux 2018.3.6
  • Tableau Server on Linux 2019.1.3


Tableau Desktop (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Bridge (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Prep Builder (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Reader (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Mobile (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Public Desktop (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.

Highest overall severity: High


Summary:

Tableau Server fails to properly sanitize certain strings when rendering a published workbook, which results in a cross-site scripting vulnerability. An authenticated user with publishing permissions may publish a workbook to Tableau Server which can trigger this vulnerability.


Impact:

When users open the modified workbook with a specially crafted URL, arbitrary JavaScript can run in the browser session.


Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep Builder | Tableau Reader | Tableau Mobile | Tableau Public Desktop
Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: High
CVSS3 Score: AV:N AC:L PR:L UI:R S:U C:H I:H A:H - 8.0 High


Vulnerable versions:

  • Tableau Server on Windows 10.1 through 10.1.23
  • Tableau Server on Windows 10.2 through 10.2.19
  • Tableau Server on Windows 10.3 through 10.3.19
  • Tableau Server on Windows 10.4 through 10.4.15
  • Tableau Server on Windows 10.5 through 10.5.14
  • Tableau Server on Windows 2018.1 through 2018.1.11
  • Tableau Server on Windows 2018.2 through 2018.2.8
  • Tableau Server on Windows 2018.3 through 2018.3.5

  • Tableau Server on Linux 10.5 through 10.5.14
  • Tableau Server on Linux 2018.1 through 2018.1.11
  • Tableau Server on Linux 2018.2 through 2018.2.8
  • Tableau Server on Linux 2018.3 through 2018.3.5


Resolved in versions:

  • Tableau Server on Windows 10.1.24
  • Tableau Server on Windows 10.2.20
  • Tableau Server on Windows 10.3.20
  • Tableau Server on Windows 10.4.16
  • Tableau Server on Windows 10.5.15
  • Tableau Server on Windows 2018.1.12
  • Tableau Server on Windows 2018.2.9
  • Tableau Server on Windows 2018.3.6

  • Tableau Server on Linux 10.5.15
  • Tableau Server on Linux 2018.1.12
  • Tableau Server on Linux 2018.2.9
  • Tableau Server on Linux 2018.3.6


Tableau Desktop (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Bridge (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Prep Builder (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Reader (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Mobile (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Public Desktop (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.

Highest overall severity: Medium


Summary:

Tableau Sever logs the password used to authenticate to the SMTP server. The password is stored encrypted in the parameter, svcmonitor.notification.smtp.password. However, the password is logged in plaintext when an email is sent by Tableau Server.


Impact:

An attacker with access to the Tableau Server logs can learn the account and password used to authenticate to the SMTP server.


Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep Builder | Tableau Reader | Tableau Mobile | Tableau Public Desktop
Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: Medium
CVSS3 Score: AV:L AC:L PR:H UI:N S:U C:H I:N A:N - 4.4 Medium


Vulnerable versions:

  • Tableau Server on Windows 2018.3.0 through 2018.3.5
  • Tableau Server on Windows 2019.1.0 through 2019.1.2

  • Tableau Server on Linux 2018.3.0 through 2018.3.5
  • Tableau Server on Linux 2019.1.0 through 2019.1.2


Resolved in versions:

  • Tableau Server on Windows 2018.3.6
  • Tableau Server on Windows 2019.1.3

  • Tableau Server on Linux 2018.3.6
  • Tableau Server on Linux 2019.1.3


Tableau Desktop (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Bridge (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Prep Builder (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Reader (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Mobile (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Public Desktop (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.

Highest overall severity: Medium


Summary:

OAuth accesstoken and refreshtoken are logged when connecting to certain data sources that use OAuth authentication.


Impact:

An attacker with access to Tableau Server logs can learn the accesstoken and refreshtoken and gain access to the target data source.


Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep Builder | Tableau Reader | Tableau Mobile | Tableau Public Desktop
Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: Medium
CVSS3 Score: AV:L AC:L PR:H UI:N S:U C:H I:N A:N - 4.4 Medium
Product specific notes:
       When creating connections to certain data sources that use OAuth via Web Authoring, the accesstoken and refreshtoken will be logged.


Vulnerable versions:

  • Tableau Server on Windows 2019.1 through 2019.1.2

  • Tableau Server on Linux 2019.1 through 2019.1.2


Resolved in versions:

  • Tableau Server on Windows 2019.1.3

  • Tableau Server on Linux 2019.1.3


Tableau Desktop (Back to top of page)

Severity: Medium
CVSS3 Score: AV:L AC:L PR:H UI:N S:U C:H I:N A:N - 4.4 Medium
Product specific notes:
       When creating connections to certain data sources that use OAuth via Web Authoring, the accesstoken and refreshtoken will be logged.


Vulnerable versions:

  • Tableau Desktop on Windows 2019.1 through 2019.1.2

  • Tableau Desktop on Mac 2019.1 through 2019.1.2


Resolved in versions:

  • Tableau Desktop on Windows 2019.1.3

  • Tableau Desktop on Mac 2019.1.3


Tableau Bridge (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Prep Builder (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Reader (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Mobile (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Public Desktop (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.

Highest overall severity: Medium


Summary:

The Tableau Prep Builder CLI tool logs complete requests made to Tableau Server. The sign in request contains the username and password used to authenticate to Tableau Server when publishing a data source.


Impact:

Users with access to the Tableau Prep Builder CLI log files can learn the username and password used to authenticate to Tableau Server.


Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep Builder | Tableau Reader | Tableau Mobile | Tableau Public Desktop
Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Desktop (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Bridge (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Prep Builder (Back to top of page)

Severity: Medium
CVSS3 Score: AV:L AC:L PR:L UI:N S:U C:H I:N A:N - 5.5 Medium
Product specific notes:


Vulnerable versions:

  • Tableau Prep Builder 2018.1.1 through 2019.1.3


Resolved in versions:

  • Tableau Prep Builder 2019.1.4


Tableau Reader (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Mobile (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Public Desktop (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.