Highest overall severity: Medium

 

Summary:

The vizqlserver.script.disabled configuration option has no effect on Tableau Server.

 

Impact:

A Tableau Server instance that has external services configured but has vizqlserver.script.disabled set to true will still permit workbooks with custom scripts to execute.

 

Mitigation:

No fixes are planned for versions prior to 2019.3.

 

To mitigate this issue, remove the port and host names from the configured external service.

 

For Tableau Server on Windows versions 10.3 through 2018.1, run the following commands:

tabadmin set vizqlserver.extsvc.host ""

tabadmin set vizqlserver.extsvc.port ""

tabadmin restart

 

For Tableau Server (Windows or Linux) 2018.2 and 2018.3, run the following commands:

tsm configuration set -k vizqlserver.extsvc.host -v ""

tsm configuration set -k vizqlserver.extsvc.port -v ""

tsm pending-changes apply

 

For Tableau Server (Windows or Linux) 2019.1 and later, run the following commands:

tsm security vizql-extsvc-ssl disable

tsm pending-changes apply

 

Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep | Tableau Reader | Tableau Mobile | Tableau Public Desktop
*Versions that are no longer supported are not tested and may be vulnerable.

 

Tableau Server

Severity: Medium
CVSS3 Score: AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L - 5.0 Medium
Product Specific Notes: None.

Vulnerable versions:

  • Tableau Server on Linux 10.5 through 10.5.X - will not be fixed
  • Tableau Server on Linux 2018.1 through 2018.1.X - will not be fixed
  • Tableau Server on Linux 2018.2 through 2018.2.X - will not be fixed
  • Tableau Server on Linux 2018.3 through 2018.3.X - will not be fixed
  • Tableau Server on Linux 2019.1 through 2019.1.X - will not be fixed
  • Tableau Server on Linux 2019.2 through 2019.2.X - will not be fixed
  • Tableau Server on Linux 2019.3 through 2019.3.0

  • Tableau Server on Windows 10.3 through 10.3.X - will not be fixed
  • Tableau Server on Windows 10.4 through 10.4.X - will not be fixed
  • Tableau Server on Windows 10.5 through 10.5.X - will not be fixed
  • Tableau Server on Windows 2018.1 through 2018.1.X - will not be fixed
  • Tableau Server on Windows 2018.2 through 2018.2.X - will not be fixed
  • Tableau Server on Windows 2018.3 through 2018.3.X - will not be fixed
  • Tableau Server on Windows 2019.1 through 2019.1.X - will not be fixed
  • Tableau Server on Windows 2019.2 through 2019.2.X - will not be fixed
  • Tableau Server on Windows 2019.3 through 2019.3.0

 

Resolved in versions:

  • Tableau Server on Linux 2019.3.1

  • Tableau Server on Windows 2019.3.1
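
Added example (not part of the advisory): a Python triage helper that applies the version ranges and the mitigation commands listed above to a server inventory. The inventory rows, host names and field names are constructed, and treating releases after 2019.3.1 as fixed is an assumption.

```python
LAST_VULNERABLE = (2019, 3, 0)           # 2019.3.1 is the first fixed release
FIRST_LISTED = {"linux": (10, 5, 0), "windows": (10, 3, 0)}
TABADMIN = ['tabadmin set vizqlserver.extsvc.host ""',
            'tabadmin set vizqlserver.extsvc.port ""', 'tabadmin restart']
TSM_SET = ['tsm configuration set -k vizqlserver.extsvc.host -v ""',
           'tsm configuration set -k vizqlserver.extsvc.port -v ""',
           'tsm pending-changes apply']
TSM_SSL = ['tsm security vizql-extsvc-ssl disable', 'tsm pending-changes apply']

def parse_version(text):  # '2018.1.4' -> (2018, 1, 4); '10.5' -> (10, 5, 0)
    parts = [int(p) for p in text.strip().split(".")]
    return tuple((parts + [0, 0])[:3])

def status(platform, version):
    v = parse_version(version)
    if v > LAST_VULNERABLE:
        return "fixed"        # assumption: releases after 2019.3.1 keep the fix
    if v >= FIRST_LISTED[platform.lower()]:
        return "vulnerable"
    return "unlisted"         # unsupported: not tested, may be vulnerable

def mitigation(platform, version):
    """Commands the advisory gives for this release, or None if it gives none."""
    if status(platform, version) != "vulnerable":
        return None
    branch = parse_version(version)[:2]
    if branch >= (2019, 1):
        return TSM_SSL
    if branch >= (2018, 2):
        return TSM_SET
    # 10.3 through 2018.1: the advisory lists commands for Windows only.
    return TABADMIN if platform.lower() == "windows" else None

def exposed(row):
    """script.disabled is set, but an external service is still configured."""
    return (row["script_disabled"] and bool(row["extsvc_host"])
            and status(row["platform"], row["version"]) == "vulnerable")

# Constructed inventory rows (hypothetical hosts and field names).
INVENTORY = [
    {"name": "bi-01", "platform": "windows", "version": "2018.1.4",
     "script_disabled": True, "extsvc_host": "rserve.example.internal"},
    {"name": "bi-02", "platform": "linux", "version": "2019.3.1",
     "script_disabled": True, "extsvc_host": "rserve.example.internal"},
]

def triage(rows):
    return [(r["name"], mitigation(r["platform"], r["version"]))
            for r in rows if exposed(r)]
```

A `None` result from `mitigation` for a vulnerable Linux release (10.5 or 2018.1) means the advisory lists no command set for it.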

Tableau Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Prep

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Reader

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.