
Highest overall severity: Medium


Summary:

When calculating derived permissions on an object, Tableau Server asserts the user's highest access role across all sites. For example, in the case where a given user has different access roles across multiple sites hosted on the same Tableau Server, the process of calculating derived permissions will assert the user's highest access role for other sites on the server.
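The flaw class described above, as an added example that is not Tableau Server code: a simplified model in which role resolution ignores the site that owns the object, beside the site-scoped form, plus an audit that lists memberships where the two disagree. The role names, user names and site names are constructed for illustration.

```python
from enum import IntEnum

class Role(IntEnum):  # hypothetical role ladder, lowest to highest
    UNLICENSED = 0
    VIEWER = 1
    EXPLORER = 2
    SITE_ADMIN = 3

# Constructed sample data: (user, site) -> role held on that site.
SITE_ROLES = {
    ("alice", "finance"): Role.SITE_ADMIN,
    ("alice", "marketing"): Role.VIEWER,
    ("bob", "marketing"): Role.EXPLORER,
}

def role_server_wide_max(user, site):
    """Flawed: ignores `site` and takes the user's highest role on any site."""
    roles = [r for (u, _), r in SITE_ROLES.items() if u == user]
    return max(roles, default=Role.UNLICENSED)

def role_site_scoped(user, site):
    """Corrected: only the role held on the site that owns the object counts."""
    return SITE_ROLES.get((user, site), Role.UNLICENSED)

def can_view_derived(user, site, required, resolve):
    """Derived-permission decision for an object in `site` using resolver `resolve`."""
    return resolve(user, site) >= required

def audit_cross_site_gaps():
    """Memberships where the server-wide maximum exceeds the site's own role."""
    gaps = []
    for (user, site), scoped in sorted(SITE_ROLES.items()):
        widest = role_server_wide_max(user, site)
        if widest > scoped:
            gaps.append((user, site, scoped.name, widest.name))
    return gaps
```

The audit output is the set of accounts worth reviewing on an affected install: users who hold a lower role on one site than on another site of the same server.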


Impact:

Authenticated users on a site may be able to view content on the same site where the user does not have explicit authorization.


Mitigation:

Derived permissions can be disabled server-wide. For information about disabling derived permissions, see the Tableau Server help topic, "Manage Permissions for External Assets" (Windows | Linux).

 

Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep | Tableau Reader | Tableau Mobile | Tableau Public Desktop
*Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: Medium
CVSS3 Score: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N - 5.3 Medium
Product Specific Notes: This only occurs on Tableau Server installs with the Data Management add-on.

Vulnerable versions:

  • Tableau Server on Linux 2019.3 through 2019.3.1
  • Tableau Server on Linux 2019.4 through 2019.4 

  • Tableau Server on Windows 2019.3 through 2019.3.1
  • Tableau Server on Windows 2019.4 through 2019.4


Resolved in versions:

  • Tableau Server on Linux 2019.3.2
  • Tableau Server on Linux 2019.4.1

 

  • Tableau Server on Windows 2019.3.2
  • Tableau Server on Windows 2019.4.1

 

Tableau Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Prep

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Reader

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Highest overall severity: Medium


Summary:

Tableau Server may incorrectly calculate derived permissions on views.


Impact:

Information such as workbook, project names, or view names may be disclosed to users without permissions to this content on the same site.


Mitigation:

Derived permissions can be disabled server-wide. For information about disabling derived permissions, see the Tableau Server help topic, "Manage Permissions for External Assets" (Windows | Linux).

 

Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep | Tableau Reader | Tableau Mobile | Tableau Public Desktop
*Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: Medium
CVSS3 Score: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N - 6.5 Medium
Product Specific Notes:

This only occurs on Tableau Server installs with the Data Management add-on.

Vulnerable versions:

  • Tableau Server on Linux 2019.3 through 2019.3.1
  • Tableau Server on Linux 2019.4 through 2019.4 

  • Tableau Server on Windows 2019.3 through 2019.3.1
  • Tableau Server on Windows 2019.4 through 2019.4


Resolved in versions:

  • Tableau Server on Linux 2019.3.2
  • Tableau Server on Linux 2019.4.1

 

  • Tableau Server on Windows 2019.3.2
  • Tableau Server on Windows 2019.4.1

 

Tableau Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Prep

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Reader

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Highest overall severity: Medium


Summary:

Tableau Server fails to properly construct MDX queries when using filters that are user controlled.


Impact:

Tableau Server may improperly interpret a filter identifier, which may result in a query that fails to complete or a query that runs against a different cube. In cases where the filter is controllable by a user who would not normally be able to make arbitrary queries against the datasource, this can lead to information disclosure.

 

Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep | Tableau Reader | Tableau Mobile | Tableau Public Desktop
*Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: Medium
CVSS3 Score: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:L - 5.9 Medium
Product Specific Notes: Not affected.

Vulnerable versions:

  • Tableau Server on Linux 10.5 through 10.5.21
  • Tableau Server on Linux 2018.1 through 2018.1.18
  • Tableau Server on Linux 2018.2 through 2018.2.15
  • Tableau Server on Linux 2018.3 through 2018.3.12
  • Tableau Server on Linux 2019.1.0 through 2019.1.9
  • Tableau Server on Linux 2019.2.0 through 2019.2.5
  • Tableau Server on Linux 2019.3.0 through 2019.3.1
  • Tableau Server on Linux 2019.4.0 through 2019.4.0

  • Tableau Server on Windows 10.3.0 through 10.3.X - will not be fixed
  • Tableau Server on Windows 10.4 through 10.4.22
  • Tableau Server on Windows 10.5 through 10.5.21
  • Tableau Server on Windows 2018.1 through 2018.1.18
  • Tableau Server on Windows 2018.2 through 2018.2.15
  • Tableau Server on Windows 2018.3 through 2018.3.12
  • Tableau Server on Windows 2019.1.0 through 2019.1.9
  • Tableau Server on Windows 2019.2.0 through 2019.2.5
  • Tableau Server on Windows 2019.3.0 through 2019.3.1
  • Tableau Server on Windows 2019.4.0 through 2019.4.0


Resolved in versions:

  • Tableau Server on Linux 10.5.22
  • Tableau Server on Linux 2018.1.19
  • Tableau Server on Linux 2018.2.16
  • Tableau Server on Linux 2018.3.13
  • Tableau Server on Linux 2019.1.10
  • Tableau Server on Linux 2019.2.6
  • Tableau Server on Linux 2019.3.2
  • Tableau Server on Linux 2019.4.1

  • Tableau Server on Windows 10.4.23
  • Tableau Server on Windows 10.5.22
  • Tableau Server on Windows 2018.1.19
  • Tableau Server on Windows 2018.2.16
  • Tableau Server on Windows 2018.3.13
  • Tableau Server on Windows 2019.1.10
  • Tableau Server on Windows 2019.2.6
  • Tableau Server on Windows 2019.3.2
  • Tableau Server on Windows 2019.4.1

 

Tableau Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Prep

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Reader

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Highest overall severity: Medium


Summary:

When users attempt to publish workbooks on Tableau Server, they will get a distinctive error message if they attempt to publish a workbook to a project that does not exist. When users attempt to publish to an existing project, they will get a different error message if they do not have permission to publish to that project.


Impact:

A malicious user with publishing access may run a dictionary-style attack with the save-workbook operation to discover project names on Tableau Server.
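The two distinguishable failures described above, beside a handler that answers both cases identically, and a log check for the probing pattern. This is an added example, not Tableau Server code; the status codes, messages, project names, users and event format are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data: project name -> users allowed to publish to it.
PROJECTS = {"Default": {"alice", "bob"}, "Payroll-2020": {"carol"}}

def publish_leaky(user, project):
    """'Before' behaviour: a missing project and a forbidden one fail differently."""
    if project not in PROJECTS:
        return 404, "Project does not exist"
    if user not in PROJECTS[project]:
        return 403, "You do not have permission to publish to this project"
    return 201, "Published"

def publish_uniform(user, project):
    """Hardened: both failure cases produce the same status and message."""
    if user in PROJECTS.get(project, ()):
        return 201, "Published"
    return 403, "Project not found or publishing not permitted"

def distinguishes_existence(handler, user, real_forbidden, missing):
    """Regression check: True if the responses reveal which project names exist."""
    return handler(user, real_forbidden) != handler(user, missing)

# Constructed audit events: (user, project, status).
SAMPLE_EVENTS = [
    ("dave", "Payroll-2020", 403),
    ("dave", "Payroll-2019", 404),
    ("dave", "HR", 404),
    ("bob", "Default", 201),
    ("bob", "Payroll-2020", 403),
]

def flag_project_probing(events, threshold=3):
    """Flag users whose failed publishes span >= threshold distinct project names."""
    failed = defaultdict(set)
    for user, project, status in events:
        if status != 201:
            failed[user].add(project)
    return sorted(u for u, names in failed.items() if len(names) >= threshold)
```

On versions that still return distinct errors, the second function is the useful one: many failed publishes by one account against many different project names is the signature to alert on.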

Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep | Tableau Reader | Tableau Mobile | Tableau Public Desktop
*Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: Medium
CVSS3 Score: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N - 4.3 Medium
Product Specific Notes: None.

Vulnerable versions:

  • Tableau Server on Linux 10.5 through 10.5.21
  • Tableau Server on Linux 2018.1 through 2018.1.18
  • Tableau Server on Linux 2018.2 through 2018.2.15
  • Tableau Server on Linux 2018.3 through 2018.3.12
  • Tableau Server on Linux 2019.1 through 2019.1.9
  • Tableau Server on Linux 2019.2 through 2019.2.5
  • Tableau Server on Linux 2019.3 through 2019.3.1
  • Tableau Server on Linux 2019.4 through 2019.4

  • Tableau Server on Windows 10.3 through 10.3.26 - will not be fixed
  • Tableau Server on Windows 10.4 through 10.4.22
  • Tableau Server on Windows 10.5 through 10.5.21
  • Tableau Server on Windows 2018.1 through 2018.1.18
  • Tableau Server on Windows 2018.2 through 2018.2.15
  • Tableau Server on Windows 2018.3 through 2018.3.12
  • Tableau Server on Windows 2019.1 through 2019.1.9
  • Tableau Server on Windows 2019.2 through 2019.2.5
  • Tableau Server on Windows 2019.3 through 2019.3.1
  • Tableau Server on Windows 2019.4 through 2019.4


Resolved in versions:

  • Tableau Server on Linux 10.5.22
  • Tableau Server on Linux 2018.1.19
  • Tableau Server on Linux 2018.2.16
  • Tableau Server on Linux 2018.3.13
  • Tableau Server on Linux 2019.1.10
  • Tableau Server on Linux 2019.2.6
  • Tableau Server on Linux 2019.3.2
  • Tableau Server on Linux 2019.4.1

 

  • Tableau Server on Windows 10.4.23
  • Tableau Server on Windows 10.5.22
  • Tableau Server on Windows 2018.1.19
  • Tableau Server on Windows 2018.2.16
  • Tableau Server on Windows 2018.3.13
  • Tableau Server on Windows 2019.1.10
  • Tableau Server on Windows 2019.2.6
  • Tableau Server on Windows 2019.3.2
  • Tableau Server on Windows 2019.4.1

 

Tableau Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Prep

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Reader

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Highest overall severity: Medium


Summary:

Tableau Server fails to properly validate the path that is presented on an embedded authentication redirect page.


Impact:

A Tableau Server user who clicks on a malicious link could initiate a reflected cross-site scripting (XSS) operation with JavaScript, which runs in the client context. Alternatively, a Tableau Server user who clicks on a malicious link could be redirected to an attacker-controlled location.
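One way to perform the missing validation, as an added example that is not Tableau Server code: the redirect target is accepted only when it is a same-origin absolute path, and it is HTML-escaped before being reflected into the page. The function names, the fallback path and the sample inputs are assumptions made for illustration.

```python
import html
from urllib.parse import unquote, urlsplit

def safe_redirect_path(raw, default="/"):
    """Return `raw` only if it is a same-origin absolute path, else `default`."""
    # Reject empty values and control characters, which browsers may strip or reinterpret.
    if not raw or any(ord(c) < 0x20 or c == "\x7f" for c in raw):
        return default
    # Check both the raw and the percent-decoded form so encoded slashes cannot slip by.
    for candidate in (raw, unquote(raw)):
        if "\\" in candidate:              # browsers treat "\" like "/"
            return default
        if not candidate.startswith("/"):  # must be an absolute path on this host
            return default
        if candidate.startswith("//"):     # scheme-relative URL, points off-site
            return default
    parts = urlsplit(raw)
    if parts.scheme or parts.netloc:       # belt and braces: no scheme, no host
        return default
    return raw

def render_redirect_link(raw):
    """Escape the validated path for an HTML attribute before reflecting it."""
    path = html.escape(safe_redirect_path(raw), quote=True)
    return '<a href="{}">Continue</a>'.format(path)
```

Validation covers the redirect half of the impact and output escaping covers the reflected-script half; both are needed, because a path can be same-origin and still contain markup characters.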

 

Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep | Tableau Reader | Tableau Mobile | Tableau Public Desktop
*Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: Medium
CVSS3 Score: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N - 4.3 Medium
Product Specific Notes: None.

Vulnerable versions:

  • Tableau Server on Linux 10.3 through 10.3.26 - will not be fixed
  • Tableau Server on Linux 10.4 through 10.4.22
  • Tableau Server on Linux 10.5 through 10.5.21
  • Tableau Server on Linux 2018.1 through 2018.1.18
  • Tableau Server on Linux 2018.2 through 2018.2.15
  • Tableau Server on Linux 2018.3 through 2018.3.12
  • Tableau Server on Linux 2019.1 through 2019.1.9
  • Tableau Server on Linux 2019.2 through 2019.2.5
  • Tableau Server on Linux 2019.3 through 2019.3.1
  • Tableau Server on Linux 2019.4 through 2019.4 

  • Tableau Server on Windows 10.3 through 10.3.26 - will not be fixed
  • Tableau Server on Windows 10.4 through 10.4.22
  • Tableau Server on Windows 10.5 through 10.5.21
  • Tableau Server on Windows 2018.1 through 2018.1.18
  • Tableau Server on Windows 2018.2 through 2018.2.15
  • Tableau Server on Windows 2018.3 through 2018.3.12
  • Tableau Server on Windows 2019.1 through 2019.1.9
  • Tableau Server on Windows 2019.2 through 2019.2.5
  • Tableau Server on Windows 2019.3 through 2019.3.1
  • Tableau Server on Windows 2019.4 through 2019.4


Resolved in versions:

  • Tableau Server on Linux 10.4.23
  • Tableau Server on Linux 10.5.22
  • Tableau Server on Linux 2018.1.19
  • Tableau Server on Linux 2018.2.16
  • Tableau Server on Linux 2018.3.13
  • Tableau Server on Linux 2019.1.10
  • Tableau Server on Linux 2019.2.6
  • Tableau Server on Linux 2019.3.2
  • Tableau Server on Linux 2019.4.1

  • Tableau Server on Windows 10.4.23
  • Tableau Server on Windows 10.5.22
  • Tableau Server on Windows 2018.1.19
  • Tableau Server on Windows 2018.2.16
  • Tableau Server on Windows 2018.3.13
  • Tableau Server on Windows 2019.1.10
  • Tableau Server on Windows 2019.2.6
  • Tableau Server on Windows 2019.3.2
  • Tableau Server on Windows 2019.4.1

 

Tableau Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Prep

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Reader

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.