2019

Highest overall severity: Medium


Summary:

Tableau Server fails to validate and remove certain parameters when exporting a visualization to PDF.


Impact:

Users can modify export requests such that PDF files are saved to arbitrary locations on Tableau Server. Tableau Server does not monitor the exported files for cleanup. Therefore, disk space could fill without administrator knowledge.


Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep Builder | Tableau Reader | Tableau Mobile | Tableau Public Desktop
Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: Medium

CVSS3 Score: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H - 6.5


Vulnerable versions:

  • Tableau Server on Windows 2019.1 through 2019.1.5
  • Tableau Server on Windows 2019.2 through 2019.2.1

  • Tableau Server on Linux 2019.1 through 2019.1.5
  • Tableau Server on Linux 2019.2 through 2019.2.1


Resolved in versions:

  • Tableau Server on Windows 2019.1.6
  • Tableau Server on Windows 2019.2.2

  • Tableau Server on Linux 2019.1.6
  • Tableau Server on Linux 2019.2.2


Tableau Desktop

Severity: N/A

CVSS3 Score: N/A

Product specific notes: Not affected.


Tableau Bridge

Severity: N/A

CVSS3 Score: N/A

Product specific notes: Not affected.


Tableau Prep Builder

Severity: N/A

CVSS3 Score: N/A

Product specific notes: Not affected.


Tableau Reader

Severity: N/A
CVSS3 Score: N/A

Product specific notes: Not affected.


Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A

Product specific notes: Not affected.

Highest overall severity: Medium


Summary:

Tableau Server fails to properly validate the final destination URL during login.


Impact:

A Tableau Server user who clicks on a malicious link and completes a login will be redirected to an attacker-controlled location.


Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep Builder | Tableau Reader | Tableau Mobile | Tableau Public Desktop
Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: Medium
CVSS3 Score: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N - 4.3 Medium


Vulnerable versions:

  • Tableau Server on Windows 10.2 through 10.2.22
  • Tableau Server on Windows 10.3 through 10.3.22
  • Tableau Server on Windows 10.4 through 10.4.18
  • Tableau Server on Windows 10.5 through 10.5.17
  • Tableau Server on Windows 2018.1 through 2018.1.14
  • Tableau Server on Windows 2018.2 through 2018.2.11
  • Tableau Server on Windows 2018.3 through 2018.3.8
  • Tableau Server on Windows 2019.1 through 2019.1.5
  • Tableau Server on Windows 2019.2 through 2019.2.1

  • Tableau Server on Linux 10.5 through 10.5.17
  • Tableau Server on Linux 2018.1 through 2018.1.14
  • Tableau Server on Linux 2018.2 through 2018.2.11
  • Tableau Server on Linux 2018.3 through 2018.3.8
  • Tableau Server on Linux 2019.1 through 2019.1.5
  • Tableau Server on Linux 2019.2 through 2019.2.1


Resolved in versions:

  • Tableau Server on Windows 10.2.23
  • Tableau Server on Windows 10.3.23
  • Tableau Server on Windows 10.4.19
  • Tableau Server on Windows 10.5.18
  • Tableau Server on Windows 2018.1.15
  • Tableau Server on Windows 2018.2.12
  • Tableau Server on Windows 2018.3.9
  • Tableau Server on Windows 2019.1.6
  • Tableau Server on Windows 2019.2.2

  • Tableau Server on Linux 10.5.18
  • Tableau Server on Linux 2018.1.15
  • Tableau Server on Linux 2018.2.12
  • Tableau Server on Linux 2018.3.9
  • Tableau Server on Linux 2019.1.6
  • Tableau Server on Linux 2019.2.2


Tableau Desktop

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Prep Builder

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Reader

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.

Highest overall severity: Medium


Summary:

Workbooks that have been opened with saved credentials might be available to other users on the same site that have access to the workbook.


Impact:

A user on the same site might see data in a workbook without being required to authenticate to the datasource. This vulnerability cannot be triggered by a malicious user.


Mitigation:

The use of Saved Credentials can be disabled in the Server settings: https://onlinehelp.tableau.com/current/server/en-us/maintenance_set.htm


Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep Builder | Tableau Reader | Tableau Mobile | Tableau Public Desktop
Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: Medium
CVSS3 Score: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N - 6.5


Vulnerable versions:

  • Tableau Server on Windows 10.2 through 10.2.22
  • Tableau Server on Windows 10.3 through 10.3.22
  • Tableau Server on Windows 10.4 through 10.4.18
  • Tableau Server on Windows 10.5 through 10.5.17
  • Tableau Server on Windows 2018.1 through 2018.1.14
  • Tableau Server on Windows 2018.2 through 2018.2.11
  • Tableau Server on Windows 2018.3 through 2018.3.8
  • Tableau Server on Windows 2019.1 through 2019.1.5
  • Tableau Server on Windows 2019.2 through 2019.2.1

  • Tableau Server on Linux 10.5 through 10.5.17
  • Tableau Server on Linux 2018.1 through 2018.1.14
  • Tableau Server on Linux 2018.2 through 2018.2.11
  • Tableau Server on Linux 2018.3 through 2018.3.8
  • Tableau Server on Linux 2019.1 through 2019.1.5
  • Tableau Server on Linux 2019.2 through 2019.2.1


Resolved in versions:

  • Tableau Server on Windows 10.2.23
  • Tableau Server on Windows 10.3.23
  • Tableau Server on Windows 10.4.19
  • Tableau Server on Windows 10.5.18
  • Tableau Server on Windows 2018.1.15
  • Tableau Server on Windows 2018.2.12
  • Tableau Server on Windows 2018.3.9
  • Tableau Server on Windows 2019.1.6
  • Tableau Server on Windows 2019.2.2

  • Tableau Server on Linux 10.5.18
  • Tableau Server on Linux 2018.1.15
  • Tableau Server on Linux 2018.2.12
  • Tableau Server on Linux 2018.3.9
  • Tableau Server on Linux 2019.1.6
  • Tableau Server on Linux 2019.2.2


Tableau Desktop

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Prep Builder

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Reader

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.
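
To triage an inventory of Tableau Server hosts against the three advisories above, the version ranges can be checked programmatically. This is an added example, not Tableau's code; the advisory labels and function names are made up here, since the page assigns no identifiers.

```python
# Added example: fixed-in tables transcribed from the advisories above.
# Keys are (major, minor) branches; values are the first resolved patch level.
# The advisory labels are made up for this example; the page assigns no IDs.
RECENT = {(2019, 1): 6, (2019, 2): 2}
LINUX_ALL = {(10, 5): 18, (2018, 1): 15, (2018, 2): 12, (2018, 3): 9, **RECENT}
WINDOWS_ALL = {(10, 2): 23, (10, 3): 23, (10, 4): 19, **LINUX_ALL}

ADVISORIES = {
    "pdf-export-path": {"windows": RECENT, "linux": RECENT},
    "login-redirect": {"windows": WINDOWS_ALL, "linux": LINUX_ALL},
    "saved-credentials": {"windows": WINDOWS_ALL, "linux": LINUX_ALL},
}


def parse_version(text):
    """'2019.1.5' -> (2019, 1, 5); a bare branch such as '10.2' means patch 0."""
    parts = [int(p) for p in text.strip().split(".")]
    if len(parts) == 2:
        parts.append(0)
    if len(parts) != 3 or any(p < 0 for p in parts):
        raise ValueError(f"unrecognised Tableau Server version: {text!r}")
    return tuple(parts)


def assess(platform, version):
    """Return {label: 'vulnerable' | 'resolved' | 'unlisted'} for one server."""
    major, minor, patch = parse_version(version)
    result = {}
    for label, tables in ADVISORIES.items():
        fixed_in = tables[platform.lower()].get((major, minor))
        if fixed_in is None:
            # Branch not named in the advisory: either newer than the listed
            # ones or out of support ("not tested and may be vulnerable").
            result[label] = "unlisted"
        else:
            result[label] = "vulnerable" if patch < fixed_in else "resolved"
    return result


if __name__ == "__main__":
    # Constructed sample inventory.
    for host in [("windows", "10.2.22"), ("linux", "2019.1.5"), ("linux", "2019.2.2")]:
        print(host, assess(*host))
```

An "unlisted" result is not a clean bill of health: per the advisories, unsupported versions are not tested and may be vulnerable.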