2019

Highest overall severity: High

 

Summary:

An XXE vulnerability exists in Tableau products.

 

The following CVEs have been addressed:

 

Impact:

This vulnerability can result in information disclosure or denial of service.


Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep Builder | Tableau Reader | Tableau Mobile | Tableau Public Desktop
Versions that are no longer supported are not tested and may be vulnerable.

 

Tableau Server

Severity: High
CVSS3 Score: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L - 7.1 High
Product Specific Notes: Malicious workbooks, data sources, and extensions files that are published or used on Tableau Server can trigger this vulnerability.

 

Vulnerable versions:

  • Tableau Server on Linux 10.5 through 10.5.18
  • Tableau Server on Linux 2018.1 through 2018.1.15
  • Tableau Server on Linux 2018.2 through 2018.2.12
  • Tableau Server on Linux 2018.3 through 2018.3.9
  • Tableau Server on Linux 2019.1 through 2019.1.6
  • Tableau Server on Linux 2019.2 through 2019.2.2

  • Tableau Server on Windows 10.2 through 10.2.23
  • Tableau Server on Windows 10.3 through 10.3.23
  • Tableau Server on Windows 10.4 through 10.4.19
  • Tableau Server on Windows 10.5 through 10.5.18
  • Tableau Server on Windows 2018.1 through 2018.1.15
  • Tableau Server on Windows 2018.2 through 2018.2.12
  • Tableau Server on Windows 2018.3 through 2018.3.9
  • Tableau Server on Windows 2019.1 through 2019.1.6
  • Tableau Server on Windows 2019.2 through 2019.2.2

 

Resolved in versions:

  • Tableau Server on Linux 10.5.19
  • Tableau Server on Linux 2018.1.16
  • Tableau Server on Linux 2018.2.13
  • Tableau Server on Linux 2018.3.10
  • Tableau Server on Linux 2019.1.7
  • Tableau Server on Linux 2019.2.3

  • Tableau Server on Windows 10.2.24
  • Tableau Server on Windows 10.3.24
  • Tableau Server on Windows 10.4.20
  • Tableau Server on Windows 10.5.19
  • Tableau Server on Windows 2018.1.16
  • Tableau Server on Windows 2018.2.13
  • Tableau Server on Windows 2018.3.10
  • Tableau Server on Windows 2019.1.7
  • Tableau Server on Windows 2019.2.3


Tableau Desktop

Severity: Medium
CVSS3 Score: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L - 6.1 Medium
Product Specific Notes: Opening malicious workbooks, data sources, or extensions may trigger this vulnerability.

 

Vulnerable versions:

  • Tableau Desktop on Mac 10.2 through 10.2.23
  • Tableau Desktop on Mac 10.3 through 10.3.23
  • Tableau Desktop on Mac 10.4 through 10.4.19
  • Tableau Desktop on Mac 10.5 through 10.5.18
  • Tableau Desktop on Mac 2018.1 through 2018.1.15
  • Tableau Desktop on Mac 2018.2 through 2018.2.12
  • Tableau Desktop on Mac 2018.3 through 2018.3.9
  • Tableau Desktop on Mac 2019.1 through 2019.1.6
  • Tableau Desktop on Mac 2019.2 through 2019.2.2

  • Tableau Desktop on Windows 10.2 through 10.2.23
  • Tableau Desktop on Windows 10.3 through 10.3.23
  • Tableau Desktop on Windows 10.4 through 10.4.19
  • Tableau Desktop on Windows 10.5 through 10.5.18
  • Tableau Desktop on Windows 2018.1 through 2018.1.15
  • Tableau Desktop on Windows 2018.2 through 2018.2.12
  • Tableau Desktop on Windows 2018.3 through 2018.3.9
  • Tableau Desktop on Windows 2019.1 through 2019.1.6
  • Tableau Desktop on Windows 2019.2 through 2019.2.2

 

Resolved in versions:

  • Tableau Desktop on Mac 10.2.24
  • Tableau Desktop on Mac 10.3.24
  • Tableau Desktop on Mac 10.4.20
  • Tableau Desktop on Mac 10.5.19
  • Tableau Desktop on Mac 2018.1.16
  • Tableau Desktop on Mac 2018.2.13
  • Tableau Desktop on Mac 2018.3.10
  • Tableau Desktop on Mac 2019.1.7
  • Tableau Desktop on Mac 2019.2.3

  • Tableau Desktop on Windows 10.2.24
  • Tableau Desktop on Windows 10.3.24
  • Tableau Desktop on Windows 10.4.20
  • Tableau Desktop on Windows 10.5.19
  • Tableau Desktop on Windows 2018.1.16
  • Tableau Desktop on Windows 2018.2.13
  • Tableau Desktop on Windows 2018.3.10
  • Tableau Desktop on Windows 2019.1.7
  • Tableau Desktop on Windows 2019.2.3


Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Prep Builder

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Reader

Severity: Medium
CVSS3 Score: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L - 6.1 Medium
Product Specific Notes: Opening malicious workbooks may trigger this vulnerability.

 

Vulnerable versions:

  • Tableau Reader on Mac 10.2 through 10.2.2

  • Tableau Reader on Windows 10.2 through 10.2.2

 

Resolved in versions:

  • Tableau Reader on Mac 2019.2.3

  • Tableau Reader on Windows 2019.2.3


Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Public Desktop

Severity: Medium
CVSS3 Score: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L - 6.1 Medium
Product Specific Notes: Opening malicious workbooks may trigger this vulnerability.

 

Vulnerable versions:

  • Tableau Public Desktop on Mac 10.2 through 10.2.2

  • Tableau Public Desktop on Windows 10.2 through 10.2.2

 

Resolved in versions:

  • Tableau Public Desktop on Mac 2019.2.3

  • Tableau Public Desktop on Windows 2019.2.3

 

Acknowledgement: Jarad Kopf of Deltek

Highest overall severity: Medium

 

Summary:

Tableau Server logs the password for the private key and keystore at upgrade time when tsm.controlapp.log.level is set to DEBUG.

 

Impact:

An attacker who has access to the log file can decrypt the key and keystore files to get the private keys.


Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep Builder | Tableau Reader | Tableau Mobile | Tableau Public Desktop
Versions that are no longer supported are not tested and may be vulnerable.

 

Tableau Server

Severity: Medium
CVSS3 Score: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N - 4.3 Medium
Product Specific Notes: Not affected.

Vulnerable versions:

  • Tableau Server on Linux 2019.2 through 2019.2.2

  • Tableau Server on Windows 2019.2 through 2019.2.2

 

Resolved in versions:

  • Tableau Server on Linux 2019.2.3

  • Tableau Server on Windows 2019.2.3


Tableau Desktop

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Prep Builder

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Reader

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.

Highest overall severity: High

 

Summary:

When a user publishes a malicious workbook to Tableau Server, certain path values are not validated. As a result, the malicious workbook may cause files on Tableau Server to be deleted.

 

Impact:

Tableau Server may stop operating if the Run As service account attempts to access a file that has been deleted.


Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep Builder | Tableau Reader | Tableau Mobile | Tableau Public Desktop
Versions that are no longer supported are not tested and may be vulnerable.

 

Tableau Server

Severity: High
CVSS3 Score: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H - 7.1 High
Product Specific Notes: Not affected.

Vulnerable versions:

  • Tableau Server on Linux 10.5 through 10.5.18
  • Tableau Server on Linux 2018.1 through 2018.1.15
  • Tableau Server on Linux 2018.2 through 2018.2.12
  • Tableau Server on Linux 2018.3 through 2018.3.9
  • Tableau Server on Linux 2019.1 through 2019.1.6
  • Tableau Server on Linux 2019.2 through 2019.2.2

  • Tableau Server on Windows 10.2 through 10.2.23
  • Tableau Server on Windows 10.3 through 10.3.23
  • Tableau Server on Windows 10.4 through 10.4.19
  • Tableau Server on Windows 10.5 through 10.5.18
  • Tableau Server on Windows 2018.1 through 2018.1.15
  • Tableau Server on Windows 2018.2 through 2018.2.12
  • Tableau Server on Windows 2018.3 through 2018.3.9
  • Tableau Server on Windows 2019.1 through 2019.1.6
  • Tableau Server on Windows 2019.2 through 2019.2.2

 

Resolved in versions:

  • Tableau Server on Linux 10.5.19
  • Tableau Server on Linux 2018.1.16
  • Tableau Server on Linux 2018.2.13
  • Tableau Server on Linux 2018.3.10
  • Tableau Server on Linux 2019.1.7
  • Tableau Server on Linux 2019.2.3

  • Tableau Server on Windows 10.2.24
  • Tableau Server on Windows 10.3.20
  • Tableau Server on Windows 10.4.20
  • Tableau Server on Windows 10.5.19
  • Tableau Server on Windows 2018.1.16
  • Tableau Server on Windows 2018.2.13
  • Tableau Server on Windows 2018.3.10
  • Tableau Server on Windows 2019.1.7
  • Tableau Server on Windows 2019.2.3


Tableau Desktop

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Prep Builder

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Reader

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.

Highest overall severity: Medium

Summary:

Tableau Server fails to invalidate caches that are used by the ISMEMBEROF function.

Impact:

A user that has been removed from a group will still be able to see data in a workbook or data source that filters the data based on ISMEMBEROF.


Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep Builder | Tableau Reader | Tableau Mobile | Tableau Public Desktop
Versions that are no longer supported are not tested and may be vulnerable.

 

Tableau Server

Severity: Medium
CVSS3 Score: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N - 6.5 Medium
Product Specific Notes: This vulnerability may be mitigated by restarting Tableau Server after removing a member from a group.

Vulnerable versions:

  • Tableau Server on Linux 10.5 through 10.5.18
  • Tableau Server on Linux 2018.1 through 2018.1.15
  • Tableau Server on Linux 2018.2 through 2018.2.12
  • Tableau Server on Linux 2018.3 through 2018.3.9
  • Tableau Server on Linux 2019.1 through 2019.1.6
  • Tableau Server on Linux 2019.2 through 2019.2.2
  • Tableau Server on Linux 2019.3.0

 

  • Tableau Server on Windows 10.2 through 10.2.23
  • Tableau Server on Windows 10.3 through 10.3.23
  • Tableau Server on Windows 10.4 through 10.4.19
  • Tableau Server on Windows 10.5 through 10.5.18
  • Tableau Server on Windows 2018.1 through 2018.1.15
  • Tableau Server on Windows 2018.2 through 2018.2.12
  • Tableau Server on Windows 2018.3 through 2018.3.9
  • Tableau Server on Windows 2019.1 through 2019.1.6
  • Tableau Server on Windows 2019.2 through 2019.2.2
  • Tableau Server on Linux 2019.3.0

 

Resolved in versions:

  • Tableau Server on Linux 10.5.19
  • Tableau Server on Linux 2018.1.16
  • Tableau Server on Linux 2018.2.13
  • Tableau Server on Linux 2018.3.10
  • Tableau Server on Linux 2019.1.7
  • Tableau Server on Linux 2019.2.3
  • Tableau Server on Linux 2019.3.1

  • Tableau Server on Windows 10.2.24
  • Tableau Server on Windows 10.3.20
  • Tableau Server on Windows 10.4.20
  • Tableau Server on Windows 10.5.19
  • Tableau Server on Windows 2018.1.16
  • Tableau Server on Windows 2018.2.13
  • Tableau Server on Windows 2018.3.10
  • Tableau Server on Windows 2019.1.7
  • Tableau Server on Windows 2019.2.3
  • Tableau Server on Windows 2019.3.1


Tableau Desktop

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Prep Builder

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Reader

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.