2019

Highest overall severity: Medium

 

Summary:

When Tableau Prep Builder or Tableau Prep Conductor is used to connect to published datasources, sensitive information is logged to the application log files.

 

Impact:

An attacker with access to the application log files can learn tokens that can be used to authenticate to Tableau Server.

 

Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep | Tableau Reader | Tableau Mobile | Tableau Public Desktop
*Versions that are no longer supported are not tested and may be vulnerable.

 

Tableau Server

Severity: Medium
CVSS3 Score: AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N - 4.4 Medium

 

Product Specific Notes:

For Tableau Server on Windows 10.3 - 2019.2 and Tableau Server on Linux 10.5 - 2019.2, the information will only appear in the application logs under certain conditions: a vulnerable version of Tableau Prep Builder must be used to connect to the published datasource on that specific Tableau Server instance. Only the application logs on that specific Tableau Server instance will include the information. However, for Tableau Server on Windows 2019.3 and Tableau Server on Linux 2019.3, the information will appear in the logs if a vulnerable version of Tableau Prep Builder is used to connect to a published datasource. Additionally, the information will appear if a flow that connects to a published datasource is run on Tableau Server using Tableau Prep Conductor. In this case, the disclosed tokens are only valid while the flow is running. After the flow has stopped running, the tokens are invalidated.

 

Vulnerable versions:

  • Tableau Server on Linux 10.5 through 10.5.20
  • Tableau Server on Linux 2018.1 through 2018.1.17
  • Tableau Server on Linux 2018.2 through 2018.2.14
  • Tableau Server on Linux 2018.3 through 2018.3.11
  • Tableau Server on Linux 2019.1 through 2019.1.8
  • Tableau Server on Linux 2019.2 through 2019.2.4
  • Tableau Server on Linux 2019.3

  • Tableau Server on Windows 10.3 through 10.3.25
  • Tableau Server on Windows 10.4 through 10.4.21
  • Tableau Server on Windows 10.5 through 10.5.20
  • Tableau Server on Windows 2018.1 through 2018.1.17
  • Tableau Server on Windows 2018.2 through 2018.2.14
  • Tableau Server on Windows 2018.3 through 2018.3.11
  • Tableau Server on Windows 2019.1 through 2019.1.8
  • Tableau Server on Windows 2019.2 through 2019.2.4
  • Tableau Server on Windows 2019.3

 

Resolved in versions:

  • Tableau Server on Linux 10.5.21
  • Tableau Server on Linux 2018.1.18
  • Tableau Server on Linux 2018.2.15
  • Tableau Server on Linux 2018.3.12
  • Tableau Server on Linux 2019.1.9
  • Tableau Server on Linux 2019.2.5
  • Tableau Server on Linux 2019.3.1

  • Tableau Server on Windows 10.3.26
  • Tableau Server on Windows 10.4.22
  • Tableau Server on Windows 10.5.21
  • Tableau Server on Windows 2018.1.18
  • Tableau Server on Windows 2018.2.15
  • Tableau Server on Windows 2018.3.12
  • Tableau Server on Windows 2019.1.9
  • Tableau Server on Windows 2019.2.5
  • Tableau Server on Windows 2019.3.1

 

Tableau Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Prep

Severity: Medium
CVSS3 Score: AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N - 4.4 Medium

 

Product Specific Notes:

Using the vulnerable version of Tableau Prep Builder to connect to published datasources can cause the sensitive tokens to appear in the logs of the Tableau Server instance hosting the published datasource. The tokens are only valid while Prep Builder is running. When the client closes, Prep Builder attempts to invalidate them on the server.

 

Vulnerable versions:

  • Tableau Prep on Mac 2019.3.1 through 2019.3.1 (Build number 19.31.19.0826.1052)

  • Tableau Prep on Windows 2019.3.1 through 2019.3.1 (Build number 19.31.19.0826.1052)

 

Resolved in versions:

  • Tableau Prep on Mac 2019.3.1 (Build number 19.31.19.0923.1415)

  • Tableau Prep on Windows 2019.3.1 (Build number 19.31.19.0923.1415)

 

Tableau Reader

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Highest overall severity: Medium

 

Summary:

Tableau workbooks with specific embedded parameters that are published to Tableau Server may cause an XSS vulnerability in Tableau Server.

 

Impact:

When users open a modified workbook in Tableau Server and click on embedded text, arbitrary JavaScript can run in their browser session.

 

Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep | Tableau Reader | Tableau Mobile | Tableau Public Desktop
*Versions that are no longer supported are not tested and may be vulnerable.

 

Tableau Server

Severity: Medium
CVSS3 Score: AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N - 6.8 Medium

Vulnerable versions:

  • Tableau Server on Linux 10.5 through 10.5.19
  • Tableau Server on Linux 2018.1 through 2018.1.16
  • Tableau Server on Linux 2018.2 through 2018.2.13
  • Tableau Server on Linux 2018.3 through 2018.3.10
  • Tableau Server on Linux 2019.1 through 2019.1.7
  • Tableau Server on Linux 2019.2 through 2019.2.3

  • Tableau Server on Windows 10.3 through 10.3.24
  • Tableau Server on Windows 10.4 through 10.4.20
  • Tableau Server on Windows 10.5 through 10.5.19
  • Tableau Server on Windows 2018.1 through 2018.1.16
  • Tableau Server on Windows 2018.2 through 2018.2.13
  • Tableau Server on Windows 2018.3 through 2018.3.10
  • Tableau Server on Windows 2019.1 through 2019.1.7
  • Tableau Server on Windows 2019.2 through 2019.2.3

 

Resolved in versions:

  • Tableau Server on Linux 10.5.20
  • Tableau Server on Linux 2018.1.17
  • Tableau Server on Linux 2018.2.14
  • Tableau Server on Linux 2018.3.11
  • Tableau Server on Linux 2019.1.8
  • Tableau Server on Linux 2019.2.4

  • Tableau Server on Windows 10.3.25
  • Tableau Server on Windows 10.4.21
  • Tableau Server on Windows 10.5.20
  • Tableau Server on Windows 2018.1.17
  • Tableau Server on Windows 2018.2.14
  • Tableau Server on Windows 2018.3.11
  • Tableau Server on Windows 2019.1.8
  • Tableau Server on Windows 2019.2.4

 

Tableau Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Prep

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Reader

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Highest overall severity: Medium

 

Summary:

Workbooks on the same site that share a large number of similar features can be improperly cached.

 

Impact:

Users on a site can see a cached view of a similar workbook that they do not have access to.

 

Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep | Tableau Reader | Tableau Mobile | Tableau Public Desktop
*Versions that are no longer supported are not tested and may be vulnerable.

 

Tableau Server

Severity: Medium
CVSS3 Score: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N - 6.5 Medium

Vulnerable versions:

  • Tableau Server on Linux 2019.2 through 2019.2.3

  • Tableau Server on Windows 2019.2 through 2019.2.3

 

Resolved in versions:

  • Tableau Server on Linux 2019.2.4

  • Tableau Server on Windows 2019.2.4

 

Tableau Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Prep

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Reader

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Highest overall severity: High

 

Summary:

Tableau Server uses the Java JRE. The April 2019 update to the Java JRE contained an unspecified High severity issue (CVE-2019-2699) that might present a risk to Tableau Server. We have upgraded to the July 2019 release of the JRE that contains fixes for other CVEs as well.
The following CVEs have been addressed:

 

Impact:

From https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html: "This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs."

 

Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep | Tableau Reader | Tableau Mobile | Tableau Public Desktop
*Versions that are no longer supported are not tested and may be vulnerable.

 

Tableau Server

Severity: High
CVSS3 Score: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H - 8.1 High

Vulnerable versions:

  • Tableau Server on Linux 10.5 through 10.5.19
  • Tableau Server on Linux 2018.1 through 2018.1.16
  • Tableau Server on Linux 2018.2 through 2018.2.13
  • Tableau Server on Linux 2018.3 through 2018.3.10
  • Tableau Server on Linux 2019.1 through 2019.1.7
  • Tableau Server on Linux 2019.2 through 2019.2.3
  • Tableau Server on Linux 2019.3

  • Tableau Server on Windows 10.3 through 10.3.24
  • Tableau Server on Windows 10.4 through 10.4.20
  • Tableau Server on Windows 10.5 through 10.5.19
  • Tableau Server on Windows 2018.1 through 2018.1.16
  • Tableau Server on Windows 2018.2 through 2018.2.13
  • Tableau Server on Windows 2018.3 through 2018.3.10
  • Tableau Server on Windows 2019.1 through 2019.1.7
  • Tableau Server on Windows 2019.2 through 2019.2.3
  • Tableau Server on Windows 2019.3

 

Resolved in versions:

  • Tableau Server on Linux 10.5.20
  • Tableau Server on Linux 2018.1.17
  • Tableau Server on Linux 2018.2.14
  • Tableau Server on Linux 2018.3.11
  • Tableau Server on Linux 2019.1.8
  • Tableau Server on Linux 2019.2.4
  • Tableau Server on Linux 2019.3.1

  • Tableau Server on Windows 10.3.25
  • Tableau Server on Windows 10.4.21
  • Tableau Server on Windows 10.5.20
  • Tableau Server on Windows 2018.1.17
  • Tableau Server on Windows 2018.2.14
  • Tableau Server on Windows 2018.3.11
  • Tableau Server on Windows 2019.1.8
  • Tableau Server on Windows 2019.2.4
  • Tableau Server on Windows 2019.3.1

 

Tableau Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Prep

Severity: Medium
CVSS3 Score: AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H - 6.4 Medium

Vulnerable versions:

  • Tableau Prep on Mac 2018.1.1 through 2019.3.1

  • Tableau Prep on Windows 2018.1.1 through 2019.3.1

 

Resolved in versions:

  • Tableau Prep on Mac 2019.3.2

  • Tableau Prep on Windows 2019.3.2

 

Tableau Reader

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.