Highest overall severity: Medium


Summary:

OAuth accesstoken and refreshtoken are logged when connecting to certain data sources that use OAuth authentication.


Impact:

An attacker with access to Tableau Server logs can learn the accesstoken and refreshtoken and gain access to the target data source.
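For operators reviewing retained logs from an affected version, the following is an added example (not Tableau code) that finds logged accesstoken and refreshtoken values, redacts them, and reports a hash fingerprint for each so that the affected tokens can be identified for revocation. The log lines are constructed; the advisory does not show the real log format, so the key/value layouts matched here are assumptions.

```python
import hashlib
import re

# Key names as written in the advisory. The separators and quoting styles
# matched here are assumptions: the advisory does not show the log format.
TOKEN_RE = re.compile(
    r'(?i)(["\']?\b(accesstoken|refreshtoken)\b["\']?\s*[:=]\s*)(["\']?)([^"\'\s,;&}]+)\3'
)

# Constructed sample lines (not real Tableau log output).
SAMPLE_LOG = [
    '2019-04-02 10:15:01.120 INFO connect accesstoken=AT-constructed-111 refreshtoken=RT-constructed-222',
    '2019-04-02 10:15:02.480 DEBUG {"v":{"accesstoken":"AT-constructed-111","username":"demo"}}',
    '2019-04-02 10:15:03.900 INFO query finished rows=42',
]


def fingerprint(value):
    """Short SHA-256 prefix: correlates findings without storing the token."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()[:12]


def scan_and_redact(lines):
    """Return (redacted_lines, findings).

    findings is a list of (line_number, key_name, token_fingerprint).
    """
    findings = []
    redacted = []
    for line_no, line in enumerate(lines, start=1):
        def mask(match, line_no=line_no):
            key, quote, value = match.group(2), match.group(3), match.group(4)
            findings.append((line_no, key.lower(), fingerprint(value)))
            # Keep the key and quoting so the line stays parseable.
            return f"{match.group(1)}{quote}[REDACTED]{quote}"
        redacted.append(TOKEN_RE.sub(mask, line))
    return redacted, findings


if __name__ == "__main__":
    clean, hits = scan_and_redact(SAMPLE_LOG)
    for line_no, key, fp in hits:
        print(f"line {line_no}: {key} sha256[:12]={fp}")
    print("\n".join(clean))
```

Redaction only cleans the stored copy; any token that appears in the findings should be treated as exposed and revoked at the data source.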


Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep Builder | Tableau Reader | Tableau Mobile | Tableau Public Desktop
Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: Medium
CVSS3 Score: AV:L AC:L PR:H UI:N S:U C:H I:N A:N - 4.4 Medium
Product specific notes:
       When creating connections to certain data sources that use OAuth via Web Authoring, the accesstoken and refreshtoken will be logged.


Vulnerable versions:

  • Tableau Server on Windows 2019.1 through 2019.1.2

  • Tableau Server on Linux 2019.1 through 2019.1.2


Resolved in versions:

  • Tableau Server on Windows 2019.1.3

  • Tableau Server on Linux 2019.1.3


Tableau Desktop

Severity: Medium
CVSS3 Score: AV:L AC:L PR:H UI:N S:U C:H I:N A:N - 4.4 Medium
Product specific notes:
       When creating connections to certain data sources that use OAuth via Web Authoring, the accesstoken and refreshtoken will be logged.


Vulnerable versions:

  • Tableau Desktop on Windows 2019.1 through 2019.1.2

  • Tableau Desktop on Mac 2019.1 through 2019.1.2


Resolved in versions:

  • Tableau Desktop on Windows 2019.1.3

  • Tableau Desktop on Mac 2019.1.3


Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Prep Builder

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Reader

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.