Skip navigation

Highest overall severity: Medium

 

Summary:

Tableau Server fails to properly validate the path that is presented on an embedded view authentication page.

 

Impact:

A Tableau Server user that clicks on a malicious link and completes a login will be redirected to an attacker controlled location.

 

Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep | Tableau Reader | Tableau Mobile | Tableau Public Desktop
*Versions that are no longer supported are not tested and may be vulnerable.

 

Tableau Server

Severity: Medium
CVSS3 Score: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N - 4.3 Medium
Product Specific Notes: None.

 

Vulnerable versions:

  • Tableau Server on Linux 10.5 through 10.5.19
  • Tableau Server on Linux 2018.1 through 2018.1.16
  • Tableau Server on Linux 2018.2 through 2018.2.13
  • Tableau Server on Linux 2018.3 through 2018.3.10
  • Tableau Server on Linux 2019.1 through 2019.1.7
  • Tableau Server on Linux 2019.2 through 2019.2.3
  • Tableau Server on Linux 2019.3

  • Tableau Server on Windows 10.3 through 10.3.24
  • Tableau Server on Windows 10.4 through 10.4.20
  • Tableau Server on Windows 10.5 through 10.5.19
  • Tableau Server on Windows 2018.1 through 2018.1.16
  • Tableau Server on Windows 2018.2 through 2018.2.13
  • Tableau Server on Windows 2018.3 through 2018.3.10
  • Tableau Server on Windows 2019.1 through 2019.1.7
  • Tableau Server on Windows 2019.2 through 2019.2.3
  • Tableau Server on Windows 2019.3

 

Resolved in versions:

  • Tableau Server on Linux 10.5.20
  • Tableau Server on Linux 2018.1.17
  • Tableau Server on Linux 2018.2.14
  • Tableau Server on Linux 2018.3.11
  • Tableau Server on Linux 2019.1.8
  • Tableau Server on Linux 2019.2.4
  • Tableau Server on Linux 2019.3.1

  • Tableau Server on Windows 10.3.25
  • Tableau Server on Windows 10.4.21
  • Tableau Server on Windows 10.5.20
  • Tableau Server on Windows 2018.1.17
  • Tableau Server on Windows 2018.2.14
  • Tableau Server on Windows 2018.3.11
  • Tableau Server on Windows 2019.1.8
  • Tableau Server on Windows 2019.2.4
  • Tableau Server on Windows 2019.3.1

 

Tableau Desktop (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Bridge (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Prep (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Reader (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Mobile (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Public Desktop (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Highest overall severity: Medium

 

Summary:

File paths of temporary files are included in the user-facing error messages after a publishing attempt fails.

 

Impact:

Users can learn some information about the Tableau Server file hierarchy.

 

Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep | Tableau Reader | Tableau Mobile | Tableau Public Desktop
*Versions that are no longer supported are not tested and may be vulnerable.

 

Tableau Server

Severity: Medium
CVSS3 Score: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N - 4.3 Medium
Product Specific Notes: None.

Vulnerable versions:

  • Tableau Server on Linux 10.5 through 10.5.19
  • Tableau Server on Linux 2018.1 through 2018.1.16
  • Tableau Server on Linux 2018.2 through 2018.2.13
  • Tableau Server on Linux 2018.3 through 2018.3.10
  • Tableau Server on Linux 2019.1 through 2019.1.7
  • Tableau Server on Linux 2019.2 through 2019.2.3
  • Tableau Server on Linux 2019.3

 

  • Tableau Server on Windows 10.3 through 10.3.24
  • Tableau Server on Windows 10.4 through 10.4.20
  • Tableau Server on Windows 10.5 through 10.5.19
  • Tableau Server on Windows 2018.1 through 2018.1.16
  • Tableau Server on Windows 2018.2 through 2018.2.13
  • Tableau Server on Windows 2018.3 through 2018.3.10
  • Tableau Server on Windows 2019.1 through 2019.1.7
  • Tableau Server on Windows 2019.2 through 2019.2.3
  • Tableau Server on Windows 2019.3

 

Resolved in versions:

  • Tableau Server on Linux 10.5.20
  • Tableau Server on Linux 2018.1.17
  • Tableau Server on Linux 2018.2.14
  • Tableau Server on Linux 2018.3.11
  • Tableau Server on Linux 2019.1.8
  • Tableau Server on Linux 2019.2.4
  • Tableau Server on Linux 2019.3.1

  • Tableau Server on Windows 10.3.25
  • Tableau Server on Windows 10.4.21
  • Tableau Server on Windows 10.5.20
  • Tableau Server on Windows 2018.1.17
  • Tableau Server on Windows 2018.2.14
  • Tableau Server on Windows 2018.3.11
  • Tableau Server on Windows 2019.1.8
  • Tableau Server on Windows 2019.2.4
  • Tableau Server on Windows 2019.3.1

 

Tableau Desktop (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Bridge (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Prep (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Reader (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Mobile (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Public Desktop (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Highest overall severity: Medium

 

Summary:

HTML chacaters are not properly encoded in the subscription emails that are sent from Tableau Server.

 

Impact:

Users on Tableau Server can craft phishing emails to other Tableau Server users.

 

Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep | Tableau Reader | Tableau Mobile | Tableau Public Desktop
*Versions that are no longer supported are not tested and may be vulnerable.

 

Tableau Server

Severity: Medium
CVSS3 Score: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N - 4.3 Medium
Product Specific Notes: None.

Vulnerable versions:

  • Tableau Server on Linux 10.5 through 10.5.19
  • Tableau Server on Linux 2018.1 through 2018.1.16
  • Tableau Server on Linux 2018.2 through 2018.2.13
  • Tableau Server on Linux 2018.3 through 2018.3.10
  • Tableau Server on Linux 2019.1 through 2019.1.7
  • Tableau Server on Linux 2019.2 through 2019.2.3
  • Tableau Server on Linux 2019.3

  • Tableau Server on Windows 10.5 through 10.5.19
  • Tableau Server on Windows 2018.1 through 2018.1.16
  • Tableau Server on Windows 2018.2 through 2018.2.13
  • Tableau Server on Windows 2018.3 through 2018.3.10
  • Tableau Server on Windows 2019.1 through 2019.1.7
  • Tableau Server on Windows 2019.2 through 2019.2.3
  • Tableau Server on Windows 2019.3

 

Resolved in versions:

  • Tableau Server on Linux 10.5.20
  • Tableau Server on Linux 2018.1.17
  • Tableau Server on Linux 2018.2.14
  • Tableau Server on Linux 2018.3.11
  • Tableau Server on Linux 2019.1.8
  • Tableau Server on Linux 2019.2.4
  • Tableau Server on Linux 2019.3.1

  • Tableau Server on Windows 10.5.20
  • Tableau Server on Windows 2018.1.17
  • Tableau Server on Windows 2018.2.14
  • Tableau Server on Windows 2018.3.11
  • Tableau Server on Windows 2019.1.8
  • Tableau Server on Windows 2019.2.4
  • Tableau Server on Windows 2019.3.1

 

Tableau Desktop (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Bridge (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Prep (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Reader (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Mobile (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Public Desktop (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Highest overall severity: Medium

 

Summary:

Some API calls do not perform proper encoding when returning thumbnails associated with a published flow.

 

Impact:

When a Tableau Server user clicks a malicious link, JavaScript will run in the context of their browser session .

 

Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep | Tableau Reader | Tableau Mobile | Tableau Public Desktop
*Versions that are no longer supported are not tested and may be vulnerable.

 

Tableau Server

Severity: Medium
CVSS3 Score: AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N - 6.8 Medium
Product Specific Notes: This only affects Tableau Server with the Data Management add-on.

Vulnerable versions:

  • Tableau Server on Linux 2019.1 through 2019.1.7
  • Tableau Server on Linux 2019.2 through 2019.2.3
  • Tableau Server on Linux 2019.3

 

  • Tableau Server on Windows 2019.1 through 2019.1.7
  • Tableau Server on Windows 2019.2 through 2019.2.3
  • Tableau Server on Windows 2019.3

 

Resolved in versions:

  • Tableau Server on Linux 2019.1.8
  • Tableau Server on Linux 2019.2.4
  • Tableau Server on Linux 2019.3.1

  • Tableau Server on Windows 2019.1.8
  • Tableau Server on Windows 2019.2.4
  • Tableau Server on Windows 2019.3.1

 

Tableau Desktop (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Bridge (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Prep (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Reader (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Mobile (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Public Desktop (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.