
[Important] ADV-2019-030: XXE Vulnerability in Tableau Products
Posted by Tyler Reeves
Highest overall severity: High
Summary:
An XXE vulnerability exists in Tableau products.
The following CVEs have been addressed:
Impact:
This vulnerability can result in information disclosure or denial of service.
Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep Builder | Tableau Reader | Tableau Mobile | Tableau Public Desktop
Versions that are no longer supported are not tested and may be vulnerable.
Tableau Server
Severity: High
CVSS3 Score: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L - 7.1 High
Product Specific Notes: Malicious workbooks, data sources, and extensions files that are published or used on Tableau Server can trigger this vulnerability.
Vulnerable versions:
- Tableau Server on Linux 10.5 through 10.5.18
- Tableau Server on Linux 2018.1 through 2018.1.15
- Tableau Server on Linux 2018.2 through 2018.2.12
- Tableau Server on Linux 2018.3 through 2018.3.9
- Tableau Server on Linux 2019.1 through 2019.1.6
- Tableau Server on Linux 2019.2 through 2019.2.2
- Tableau Server on Windows 10.2 through 10.2.23
- Tableau Server on Windows 10.3 through 10.3.23
- Tableau Server on Windows 10.4 through 10.4.19
- Tableau Server on Windows 10.5 through 10.5.18
- Tableau Server on Windows 2018.1 through 2018.1.15
- Tableau Server on Windows 2018.2 through 2018.2.12
- Tableau Server on Windows 2018.3 through 2018.3.9
- Tableau Server on Windows 2019.1 through 2019.1.6
- Tableau Server on Windows 2019.2 through 2019.2.2
Resolved in versions:
- Tableau Server on Linux 10.5.19
- Tableau Server on Linux 2018.1.16
- Tableau Server on Linux 2018.2.13
- Tableau Server on Linux 2018.3.10
- Tableau Server on Linux 2019.1.7
- Tableau Server on Linux 2019.2.3
- Tableau Server on Windows 10.2.24
- Tableau Server on Windows 10.3.24
- Tableau Server on Windows 10.4.20
- Tableau Server on Windows 10.5.19
- Tableau Server on Windows 2018.1.16
- Tableau Server on Windows 2018.2.13
- Tableau Server on Windows 2018.3.10
- Tableau Server on Windows 2019.1.7
- Tableau Server on Windows 2019.2.3
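A pre-publish triage check for the file types named in the Product Specific Notes, given here as an added example that is not Tableau's code and not part of the original advisory. It assumes `.twb`, `.tds` and `.trex` files are XML, that `.twbx` and `.tdsx` are zip packages of them, and that legitimate files carry no DTD; it flags files for review and does not replace upgrading to a resolved version.

```python
import io
import re
import zipfile

# Assumption: these extensions hold plain XML (workbook, data source, extension manifest).
XML_EXTS = (".twb", ".tds", ".trex")
# Assumption: packaged variants are zip archives wrapping the XML files above.
ZIP_EXTS = (".twbx", ".tdsx")
MAX_MEMBER = 64 * 1024 * 1024  # skip (and report) members larger than this

# XXE needs a DTD; flag any DOCTYPE or ENTITY declaration for review.
DTD_MARKERS = re.compile(rb"<!(DOCTYPE|ENTITY)\b")


def scan_bytes(name, data, depth=0):
    """Return findings for one file; archive members are named 'archive!member'."""
    lower = name.lower()
    if lower.endswith(ZIP_EXTS) and depth < 2:
        findings = []
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    member = f"{name}!{info.filename}"
                    if info.file_size > MAX_MEMBER:
                        findings.append(member + " (oversized, not scanned)")
                    else:
                        findings += scan_bytes(member, zf.read(info), depth + 1)
        except zipfile.BadZipFile:
            findings.append(name + " (not a valid zip)")
        return findings
    # Dropping NUL bytes lets the ASCII pattern match UTF-16/UTF-32 encoded XML too.
    if lower.endswith(XML_EXTS) and DTD_MARKERS.search(data.replace(b"\x00", b"")):
        return [name + " (DTD declaration)"]
    return []


def make_twbx(xml):
    """Build a constructed in-memory .twbx holding one workbook, for the demo below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("sample.twb", xml)
    return buf.getvalue()


# Constructed samples: a plain workbook and one declaring a harmless internal entity.
CLEAN = b'<?xml version="1.0"?><workbook/>'
WITH_DTD = b'<?xml version="1.0"?><!DOCTYPE workbook [<!ENTITY e "x">]><workbook>&e;</workbook>'

if __name__ == "__main__":
    for label, blob in (("clean.twbx", make_twbx(CLEAN)), ("review.twbx", make_twbx(WITH_DTD))):
        print(label, scan_bytes(label, blob) or "no DTD found")
```

The match is a byte-level pattern, so a declaration that appears only inside a comment or CDATA section is also flagged and needs manual review.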
Tableau Desktop
Severity: Medium
CVSS3 Score: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L - 6.1 Medium
Product Specific Notes: Opening malicious workbooks, data sources, or extensions may trigger this vulnerability.
Vulnerable versions:
- Tableau Desktop on Mac 10.2 through 10.2.23
- Tableau Desktop on Mac 10.3 through 10.3.23
- Tableau Desktop on Mac 10.4 through 10.4.19
- Tableau Desktop on Mac 10.5 through 10.5.18
- Tableau Desktop on Mac 2018.1 through 2018.1.15
- Tableau Desktop on Mac 2018.2 through 2018.2.12
- Tableau Desktop on Mac 2018.3 through 2018.3.9
- Tableau Desktop on Mac 2019.1 through 2019.1.6
- Tableau Desktop on Mac 2019.2 through 2019.2.2
- Tableau Desktop on Windows 10.2 through 10.2.23
- Tableau Desktop on Windows 10.3 through 10.3.23
- Tableau Desktop on Windows 10.4 through 10.4.19
- Tableau Desktop on Windows 10.5 through 10.5.18
- Tableau Desktop on Windows 2018.1 through 2018.1.15
- Tableau Desktop on Windows 2018.2 through 2018.2.12
- Tableau Desktop on Windows 2018.3 through 2018.3.9
- Tableau Desktop on Windows 2019.1 through 2019.1.6
- Tableau Desktop on Windows 2019.2 through 2019.2.2
Resolved in versions:
- Tableau Desktop on Mac 10.2.24
- Tableau Desktop on Mac 10.3.24
- Tableau Desktop on Mac 10.4.20
- Tableau Desktop on Mac 10.5.19
- Tableau Desktop on Mac 2018.1.16
- Tableau Desktop on Mac 2018.2.13
- Tableau Desktop on Mac 2018.3.10
- Tableau Desktop on Mac 2019.1.7
- Tableau Desktop on Mac 2019.2.3
- Tableau Desktop on Windows 10.2.24
- Tableau Desktop on Windows 10.3.24
- Tableau Desktop on Windows 10.4.20
- Tableau Desktop on Windows 10.5.19
- Tableau Desktop on Windows 2018.1.16
- Tableau Desktop on Windows 2018.2.13
- Tableau Desktop on Windows 2018.3.10
- Tableau Desktop on Windows 2019.1.7
- Tableau Desktop on Windows 2019.2.3
Tableau Bridge
Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.
Tableau Prep Builder
Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.
Tableau Reader
Severity: Medium
CVSS3 Score: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L - 6.1 Medium
Product Specific Notes: Opening malicious workbooks may trigger this vulnerability.
Vulnerable versions:
- Tableau Reader on Mac 10.2 through 10.2.2
- Tableau Reader on Windows 10.2 through 10.2.2
Resolved in versions:
- Tableau Reader on Mac 2019.2.3
- Tableau Reader on Windows 2019.2.3
Tableau Mobile
Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.
Tableau Public Desktop
Severity: Medium
CVSS3 Score: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L - 6.1 Medium
Product Specific Notes: Opening malicious workbooks may trigger this vulnerability.
Vulnerable versions:
- Tableau Public Desktop on Mac 10.2 through 10.2.2
- Tableau Public Desktop on Windows 10.2 through 10.2.2
Resolved in versions:
- Tableau Public Desktop on Mac 2019.2.3
- Tableau Public Desktop on Windows 2019.2.3
Acknowledgement: Jarad Kopf of Deltek