Highest overall severity: Medium


Summary:

Tableau Server writes the complete SAML AuthnResponse to the log file when loglevel is set to debug. This happens for both site SAML and server-wide SAML scenarios.


Impact:

An attacker who can access the log file can attempt to replay the AuthnResponse. In some cases, replaying the AuthnResponse may allow an attacker to authenticate as a different user.
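To check whether existing logs already hold such a response, the scan below flags lines carrying a SAML protocol Response as raw XML or as base64 (optionally URL-encoded). It is an added example, not Tableau's code: the function name, the sample lines and the log line layout are assumptions constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import unquote

# A SAML protocol Response opening tag, with any namespace prefix.
XML_RE = re.compile(r"<(?:\w+:)?Response\b[^>]*urn:oasis:names:tc:SAML:2\.0:protocol")
# Base64 runs long enough to hold an encoded response (POST binding form).
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def find_logged_saml(lines):
    """Return (line_number, form) for each line that carries a SAML Response."""
    hits = []
    for number, raw in enumerate(lines, 1):
        line = unquote(raw)  # the form field may have been logged URL-encoded
        if XML_RE.search(line):
            hits.append((number, "xml"))
            continue
        for blob in B64_RE.findall(line):
            try:
                decoded = base64.b64decode(blob + "=" * (-len(blob) % 4))
            except (binascii.Error, ValueError):
                continue  # not valid base64, so just a long token
            if XML_RE.search(decoded.decode("utf-8", "replace")):
                hits.append((number, "base64"))
                break
    return hits


# Constructed sample input; the line layout is an assumption, not Tableau's format.
SAMPLE_XML = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
              'ID="_constructed" Version="2.0"><saml:Assertion/></samlp:Response>')
SAMPLE_LOG = [
    "2019-06-01 12:00:00 INFO  saml : redirecting user to IdP",
    "2019-06-01 12:00:01 DEBUG saml : received " + SAMPLE_XML,
    "2019-06-01 12:00:02 DEBUG saml : SAMLResponse="
    + base64.b64encode(SAMPLE_XML.encode()).decode(),
    "2019-06-01 12:00:03 DEBUG vizql : session 5F2A9C0E7B1D4E6A8C3F0B2D9E4A7C1F5B6D8E0A2C4F",
]

if __name__ == "__main__":
    for number, form in find_logged_saml(SAMPLE_LOG):
        print(f"line {number}: SAML Response logged ({form})")
```

The scan reports line numbers only, so the response itself is not copied into a second location.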


Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep Builder | Tableau Reader | Tableau Mobile | Tableau Public Desktop
Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: Medium
CVSS3 Score: AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N - 4.4 Medium


Vulnerable versions:

  • Tableau Server on Windows 10.2 through 10.2.21
  • Tableau Server on Windows 10.3 through 10.3.21
  • Tableau Server on Windows 10.4 through 10.4.17
  • Tableau Server on Windows 10.5 through 10.5.16
  • Tableau Server on Windows 2018.1 through 2018.1.13
  • Tableau Server on Windows 2018.2 through 2018.2.10
  • Tableau Server on Windows 2018.3 through 2018.3.7
  • Tableau Server on Windows 2019.1 through 2019.1.4
  • Tableau Server on Windows 2019.2 through 2019.2.0

  • Tableau Server on Linux 10.5 through 10.5.16
  • Tableau Server on Linux 2018.1 through 2018.1.13
  • Tableau Server on Linux 2018.2 through 2018.2.10
  • Tableau Server on Linux 2018.3 through 2018.3.7
  • Tableau Server on Linux 2019.1 through 2019.1.4
  • Tableau Server on Linux 2019.2 through 2019.2.0


Resolved in versions:

  • Tableau Server on Windows 10.2.22
  • Tableau Server on Windows 10.3.22
  • Tableau Server on Windows 10.4.18
  • Tableau Server on Windows 10.5.17
  • Tableau Server on Windows 2018.1.14
  • Tableau Server on Windows 2018.2.11
  • Tableau Server on Windows 2018.3.8
  • Tableau Server on Windows 2019.1.5
  • Tableau Server on Windows 2019.2.1

  • Tableau Server on Linux 10.5.17
  • Tableau Server on Linux 2018.1.14
  • Tableau Server on Linux 2018.2.11
  • Tableau Server on Linux 2018.3.8
  • Tableau Server on Linux 2019.1.5
  • Tableau Server on Linux 2019.2.1


Tableau Desktop

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Prep Builder

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Reader

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.