Highest overall severity: High


Summary:

When creating Box datasources with Web Authoring, certain calls to Box are proxied through Tableau Server. Tableau Server does not properly validate all calls and as a result, malicious calls can be directed to locations other than Box.


Impact:

An authenticated Tableau Server user can cause Tableau Server to perform GET requests to arbitrary locations. Information that is authorized for access by Tableau Server (but not for the user) may be returned, resulting in information disclosure.
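The defect described in the summary is a server-side proxy that forwards requests without checking where they go. The following is an added example, not Tableau's or Box's code, of the validation a proxy of this kind should apply to every URL it is asked to fetch and to every redirect it is asked to follow. The allowlisted hostnames and the function names are assumptions made for illustration; the point is that the decision is made on parsed URL components against an explicit host allowlist, never on string prefixes.

```python
from typing import FrozenSet, Optional
from urllib.parse import urljoin, urlsplit

# Constructed allowlist for this example. Which Box endpoints a real proxy
# must reach is an assumption here, not something the advisory states.
ALLOWED_HOSTS: FrozenSet[str] = frozenset({"api.box.com", "upload.box.com"})


def proxy_target_allowed(url: str, allowed_hosts: FrozenSet[str] = ALLOWED_HOSTS) -> bool:
    """Return True only if url names an allowlisted host over HTTPS on port 443.

    Every check works on the parsed components, so embedded credentials
    ("https://api.box.com@other.example/"), look-alike hostnames
    ("api.box.com.other.example"), alternate ports and non-HTTPS schemes
    are all rejected rather than matched by a careless prefix comparison.
    """
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError for a malformed port
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False
    host = parts.hostname  # already lowercased by urlsplit
    if not host:
        return False
    if port not in (None, 443):
        return False
    return host in allowed_hosts


def redirect_target(request_url: str, location: str) -> Optional[str]:
    """Resolve a Location header and re-validate it before following.

    A proxy that validates only the first hop can still be steered
    elsewhere by a 3xx response, so the resolved absolute URL goes
    through the same allowlist check. Returns None if it must not be
    followed.
    """
    target = urljoin(request_url, location)
    return target if proxy_target_allowed(target) else None


if __name__ == "__main__":
    for candidate in (
        "https://api.box.com/2.0/folders/0",
        "http://api.box.com/2.0/folders/0",
        "https://api.box.com@other.example/2.0/folders/0",
        "https://api.box.com.other.example/2.0/folders/0",
        "https://api.box.com:8443/2.0/folders/0",
    ):
        print(f"{'allow' if proxy_target_allowed(candidate) else 'deny ':5} {candidate}")
```

Relative redirects on the allowlisted host resolve back onto it and are accepted; an absolute Location pointing anywhere else is refused, which is the behaviour a proxy needs in order to keep the server's own network reach from being lent to the requesting user.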


Mitigation:

This vulnerability can be mitigated by setting the features.VizqlServerCORSProxy flag to false. Setting this flag to false will prevent the creation of new Box datasources in Web Authoring. To set the features.VizqlServerCORSProxy flag to false, run the following commands:

    tsm configuration set -k features.VizqlServerCORSProxy -v false
    tsm pending-changes apply


Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep Builder | Tableau Reader | Tableau Mobile | Tableau Public Desktop
Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: High
CVSS3 Score: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N - 7.7 High
Product Specific Notes: None

Vulnerable versions:

  • Tableau Server on Linux 2019.1 through 2019.1.8
  • Tableau Server on Linux 2019.2 through 2019.2.4
  • Tableau Server on Linux 2019.3 through 2019.3.0

  • Tableau Server on Windows 2019.1 through 2019.1.8
  • Tableau Server on Windows 2019.2 through 2019.2.4
  • Tableau Server on Windows 2019.3 through 2019.3.0

Resolved in versions:

  • Tableau Server on Linux 2019.1.9
  • Tableau Server on Linux 2019.2.5
  • Tableau Server on Linux 2019.3.1

  • Tableau Server on Windows 2019.1.9
  • Tableau Server on Windows 2019.2.5
  • Tableau Server on Windows 2019.3.1


Tableau Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Prep

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Reader

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.