2019

Highest overall severity: Medium


Summary:

Users accessing Tableau Server with Web Editing may not be prompted to authenticate to a connected data source when accessing a workbook with embedded credentials.


Impact:

A user who has Web Edit permissions on a workbook with embedded credentials will be able to see fields that are not in the views. The user will also be able to perform queries against the data source without having to authenticate.


Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep Builder | Tableau Reader | Tableau Mobile | Tableau Public Desktop
Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: Medium
CVSS3 Score: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N - 6.5


Vulnerable versions:

  • Tableau Server on Windows 10.2 through 10.2.21
  • Tableau Server on Windows 10.3 through 10.3.21
  • Tableau Server on Windows 10.4 through 10.4.17
  • Tableau Server on Windows 10.5 through 10.5.16
  • Tableau Server on Windows 2018.1 through 2018.1.13
  • Tableau Server on Windows 2018.2 through 2018.2.10
  • Tableau Server on Windows 2018.3 through 2018.3.7

  • Tableau Server on Linux 10.5 through 10.5.16
  • Tableau Server on Linux 2018.1 through 2018.1.13
  • Tableau Server on Linux 2018.2 through 2018.2.10
  • Tableau Server on Linux 2018.3 through 2018.3.7


Resolved in versions:

  • Tableau Server on Windows 10.2.22
  • Tableau Server on Windows 10.3.22
  • Tableau Server on Windows 10.4.18
  • Tableau Server on Windows 10.5.17
  • Tableau Server on Windows 2018.1.14
  • Tableau Server on Windows 2018.2.11
  • Tableau Server on Windows 2018.3.8

  • Tableau Server on Linux 10.5.17
  • Tableau Server on Linux 2018.1.14
  • Tableau Server on Linux 2018.2.11
  • Tableau Server on Linux 2018.3.8


Tableau Desktop

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Prep Builder

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Reader

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.

Highest overall severity: Medium


Summary:

Tableau Server writes the complete SAML AuthnResponse to the log file when loglevel is set to debug. This happens for both site SAML and server-wide SAML scenarios.


Impact:

An attacker who can access the log file can attempt to replay the AuthnResponse. In some cases, replaying the AuthnResponse may allow an attacker to authenticate as a different user.
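
An added example, not Tableau's code: a check a defender could run over retained debug logs to find lines that contain a SAML Response, either as raw XML or base64-encoded. It reports only the line number, response ID, subject and NotOnOrAfter so exposed assertions can be triaged without echoing them again. The log line layout and all sample values are constructed assumptions.

```python
import base64
import re
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")  # candidate base64 blobs
RAW_XML = re.compile(r"<(?:\w+:)?Response\b.*?</(?:\w+:)?Response>", re.S)

def parse_response(xml_text):
    """Return triage fields if xml_text is a SAML 2.0 Response, else None."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        return None  # log content is untrusted: refuse anything declaring entities
    try:
        root = ET.fromstring(xml_text)
    except (ET.ParseError, ValueError):
        return None
    if root.tag != f"{{{SAMLP}}}Response":
        return None
    name_id = root.find(f".//{{{SAML}}}NameID")
    cond = root.find(f".//{{{SAML}}}Conditions")
    return {"response_id": root.get("ID"),
            "subject": name_id.text if name_id is not None else None,
            "not_on_or_after": cond.get("NotOnOrAfter") if cond is not None else None}

def find_logged_responses(lines):
    """Scan log lines; report where a Response was logged, never the Response itself."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        candidates = RAW_XML.findall(line)
        for run in B64_RUN.findall(line):
            try:  # binascii.Error and UnicodeDecodeError are both ValueError
                candidates.append(base64.b64decode(run, validate=True).decode("utf-8"))
            except ValueError:
                continue
        findings += [{"line": lineno, **info}
                     for info in map(parse_response, candidates) if info]
    return findings

# Constructed sample data; the log layout is an assumption, not Tableau's format.
SAMPLE_XML = (
    f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_constructed1">'
    "<saml:Assertion><saml:Subject><saml:NameID>alice@example.com</saml:NameID>"
    '</saml:Subject><saml:Conditions NotOnOrAfter="2019-06-01T12:05:00Z"/>'
    "</saml:Assertion></samlp:Response>")
SAMPLE_LOG = [
    "2019-06-01 12:00:01 INFO  session started",
    "2019-06-01 12:00:02 DEBUG saml response: " + base64.b64encode(SAMPLE_XML.encode()).decode(),
    "2019-06-01 12:00:03 DEBUG saml response: " + SAMPLE_XML,
    "2019-06-01 12:00:04 DEBUG blob " + base64.b64encode(b"constructed opaque value, not XML at all").decode(),
]
```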


Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep Builder | Tableau Reader | Tableau Mobile | Tableau Public Desktop
Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: Medium
CVSS3 Score: AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N - 4.4 Medium


Vulnerable versions:

  • Tableau Server on Windows 10.2 through 10.2.21
  • Tableau Server on Windows 10.3 through 10.3.21
  • Tableau Server on Windows 10.4 through 10.4.17
  • Tableau Server on Windows 10.5 through 10.5.16
  • Tableau Server on Windows 2018.1 through 2018.1.13
  • Tableau Server on Windows 2018.2 through 2018.2.10
  • Tableau Server on Windows 2018.3 through 2018.3.7
  • Tableau Server on Windows 2019.1 through 2019.1.4
  • Tableau Server on Windows 2019.2 through 2019.2.0

  • Tableau Server on Linux 10.5 through 10.5.16
  • Tableau Server on Linux 2018.1 through 2018.1.13
  • Tableau Server on Linux 2018.2 through 2018.2.10
  • Tableau Server on Linux 2018.3 through 2018.3.7
  • Tableau Server on Linux 2019.1 through 2019.1.4
  • Tableau Server on Linux 2019.2 through 2019.2.0


Resolved in versions:

  • Tableau Server on Windows 10.2.22
  • Tableau Server on Windows 10.3.22
  • Tableau Server on Windows 10.4.18
  • Tableau Server on Windows 10.5.17
  • Tableau Server on Windows 2018.1.14
  • Tableau Server on Windows 2018.2.11
  • Tableau Server on Windows 2018.3.8
  • Tableau Server on Windows 2019.1.5
  • Tableau Server on Windows 2019.2.1

  • Tableau Server on Linux 10.5.17
  • Tableau Server on Linux 2018.1.14
  • Tableau Server on Linux 2018.2.11
  • Tableau Server on Linux 2018.3.8
  • Tableau Server on Linux 2019.1.5
  • Tableau Server on Linux 2019.2.1


Tableau Desktop

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Prep Builder

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Reader

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.