Skip navigation

Highest overall severity: Medium


Summary:

Workbooks that use user functions inside a context filter may not properly filter data the first time a view is loaded due to a caching issue.


Impact:

A user with access to a published workbook can see unfiltered data for another user resulting in information disclosure within that same workbook. A malicious user cannot directly force this to happen.


Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep Builder | Tableau Reader | Tableau Mobile | Tableau Public Desktop
Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: Medium
CVSS3 Score: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N - 6.5 Medium


Vulnerable versions:

  • Tableau Server on Windows 10.2 through 10.2.20
  • Tableau Server on Windows 10.3 through 10.3.20
  • Tableau Server on Windows 10.4 through 10.4.16
  • Tableau Server on Windows 10.5 through 10.5.15
  • Tableau Server on Windows 2018.1 through 2018.1.12
  • Tableau Server on Windows 2018.2 through 2018.2.9
  • Tableau Server on Windows 2018.3 through 2018.3.6
  • Tableau Server on Windows 2019.1 through 2019.1.3

  • Tableau Server on Linux 10.5 through 10.5.15
  • Tableau Server on Linux 2018.1 through 2018.1.12
  • Tableau Server on Linux 2018.2 through 2018.2.9
  • Tableau Server on Linux 2018.3 through 2018.3.6
  • Tableau Server on Linux 2019.1 through 2019.1.3


Resolved in versions:

  • Tableau Server on Windows 10.2.21
  • Tableau Server on Windows 10.3.21
  • Tableau Server on Windows 10.4.17
  • Tableau Server on Windows 10.5.16
  • Tableau Server on Windows 2018.1.13
  • Tableau Server on Windows 2018.2.10
  • Tableau Server on Windows 2018.3.7
  • Tableau Server on Windows 2019.1.4

  • Tableau Server on Linux 10.5.16
  • Tableau Server on Linux 2018.1.13
  • Tableau Server on Linux 2018.2.10
  • Tableau Server on Linux 2018.3.7
  • Tableau Server on Linux 2019.1.4


Tableau Desktop (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Bridge (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected. - Tableau Bridge 10.0


Tableau Prep Builder (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Reader (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Mobile (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Public Desktop (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.

Highest overall severity: Medium


Summary:

A workbook published to Tableau Server with a datasource that has been set to "Publish Separately" and an authentication choice of "Prompt" will publish in an unexpected way. The separate datasource will be published with authentication set to "Prompt". However, the workbook will be published with a connection to the new datasource and the authentication is set to "Embedded Password".


Impact:

A Tableau Server user that has access to the workbook will be able to open the workbook and use the embedded credentials to connect to the datasource.


Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep Builder | Tableau Reader | Tableau Mobile | Tableau Public Desktop
Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Desktop (Back to top of page)

Severity: Medium
CVSS3 Score: AV:N AC:L PR:L UI:N S:U C:H I:N A:N - 6.5 Medium


Vulnerable versions:

  • Tableau Desktop on Windows 10.2 through 10.2.20
  • Tableau Desktop on Windows 10.3 through 10.3.20
  • Tableau Desktop on Windows 10.4 through 10.4.16
  • Tableau Desktop on Windows 10.5 through 10.5.15
  • Tableau Desktop on Windows 2018.1 through 2018.1.12
  • Tableau Desktop on Windows 2018.2 through 2018.2.9
  • Tableau Desktop on Windows 2018.3 through 2018.3.6
  • Tableau Desktop on Windows 2019.1 through 2019.1.3

  • Tableau Desktop on Mac 10.2 through 10.2.20
  • Tableau Desktop on Mac 10.3 through 10.3.20
  • Tableau Desktop on Mac 10.4 through 10.4.16
  • Tableau Desktop on Mac 10.5 through 10.5.15
  • Tableau Desktop on Mac 2018.1 through 2018.1.12
  • Tableau Desktop on Mac 2018.2 through 2018.2.9
  • Tableau Desktop on Mac 2018.3 through 2018.3.6
  • Tableau Desktop on Mac 2019.1 through 2019.1.3


Resolved in versions:

  • Tableau Desktop on Windows 10.2.21
  • Tableau Desktop on Windows 10.3.21
  • Tableau Desktop on Windows 10.4.17
  • Tableau Desktop on Windows 10.5.16
  • Tableau Desktop on Windows 2018.1.13
  • Tableau Desktop on Windows 2018.2.10
  • Tableau Desktop on Windows 2018.3.7
  • Tableau Desktop on Windows 2019.1.4

  • Tableau Desktop on Mac 10.2.21
  • Tableau Desktop on Mac 10.3.21
  • Tableau Desktop on Mac 10.4.17
  • Tableau Desktop on Mac 10.5.16
  • Tableau Desktop on Mac 2018.1.13
  • Tableau Desktop on Mac 2018.2.10
  • Tableau Desktop on Mac 2018.3.7
  • Tableau Desktop on Mac 2019.1.4


Tableau Bridge (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Prep Builder (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Reader (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Mobile (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Public Desktop (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.

Highest overall severity: Medium


Summary:

Tableau Server generates an error page that contains a user-supplied string.


Impact:

A user that clicks on a link will be presented an error message that contains a string entered by another user.


Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep Builder | Tableau Reader | Tableau Mobile | Tableau Public Desktop
Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: Medium

CVSS3 Score: AV:N AC:L PR:N UI:R S:C C:N I:L A:N - 4.7 Medium


Vulnerable versions:

  • Tableau Server on Windows 2018.2 through 2018.2.9
  • Tableau Server on Windows 2018.3 through 2018.3.6
  • Tableau Server on Windows 2019.1 through 2019.1.3

  • Tableau Server on Windows 2018.2 through 2018.2.9
  • Tableau Server on Windows 2018.3 through 2018.3.6
  • Tableau Server on Windows 2019.1 through 2019.1.3


Resolved in versions:

  • Tableau Server on Windows 2018.2.10
  • Tableau Server on Windows 2019.3.7
  • Tableau Server on Windows 2019.1.4

  • Tableau Server on Linux 2018.2.10
  • Tableau Server on Linux 2019.3.7
  • Tableau Server on Linux 2019.1.4


Tableau Desktop (Back to top of page)

Severity: N/A

CVSS3 Score: N/A

Product specific notes:  Not affected.


Tableau Bridge (Back to top of page)

Severity: N/A

CVSS3 Score: N/A

Product specific notes:  Not affected.


Tableau Prep Builder (Back to top of page)

Severity: N/A

CVSS3 Score: N/A

Product specific notes:  Not affected.


Tableau Reader (Back to top of page)

Severity: N/A

CVSS3 Score: N/A

Product specific notes:  Not affected.


Tableau Mobile (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Public Desktop (Back to top of page)

Severity: N/A

CVSS3 Score: N/A

Product specific notes:  Not affected.