Highest overall severity: Medium


Summary:

Tableau Server fails to properly construct MDX queries when using filters that are user controlled.


Impact:

Tableau Server may improperly interpret a filter identifier, which may result in a query that fails to complete or a query that runs against a different cube. In cases where the filter is controllable by a user who would not normally be able to make arbitrary queries against the data source, this can lead to information disclosure.

 

Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep | Tableau Reader | Tableau Mobile | Tableau Public Desktop
*Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: Medium
CVSS3 Score: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:L - 5.9 Medium
Product Specific Notes: Not affected.

Vulnerable versions:

  • Tableau Server on Linux 10.5 through 10.5.21
  • Tableau Server on Linux 2018.1 through 2018.1.18
  • Tableau Server on Linux 2018.2 through 2018.2.15
  • Tableau Server on Linux 2018.3 through 2018.3.12
  • Tableau Server on Linux 2019.1.0 through 2019.1.9
  • Tableau Server on Linux 2019.2.0 through 2019.2.5
  • Tableau Server on Linux 2019.3.0 through 2019.3.1
  • Tableau Server on Linux 2019.4.0 through 2019.4.0

  • Tableau Server on Windows 10.3.0 through 10.3.X - will not be fixed
  • Tableau Server on Windows 10.4 through 10.4.22
  • Tableau Server on Windows 10.5 through 10.5.21
  • Tableau Server on Windows 2018.1 through 2018.1.18
  • Tableau Server on Windows 2018.2 through 2018.2.15
  • Tableau Server on Windows 2018.3 through 2018.3.12
  • Tableau Server on Windows 2019.1.0 through 2019.1.9
  • Tableau Server on Windows 2019.2.0 through 2019.2.5
  • Tableau Server on Windows 2019.3.0 through 2019.3.1
  • Tableau Server on Windows 2019.4.0 through 2019.4.0


Resolved in versions:

  • Tableau Server on Linux 10.5.22
  • Tableau Server on Linux 2018.1.19
  • Tableau Server on Linux 2018.2.16
  • Tableau Server on Linux 2018.3.13
  • Tableau Server on Linux 2019.1.10
  • Tableau Server on Linux 2019.2.6
  • Tableau Server on Linux 2019.3.2
  • Tableau Server on Linux 2019.4.1

  • Tableau Server on Windows 10.4.23
  • Tableau Server on Windows 10.5.22
  • Tableau Server on Windows 2018.1.19
  • Tableau Server on Windows 2018.2.16
  • Tableau Server on Windows 2018.3.13
  • Tableau Server on Windows 2019.1.10
  • Tableau Server on Windows 2019.2.6
  • Tableau Server on Windows 2019.3.2
  • Tableau Server on Windows 2019.4.1
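
The version tables above can be turned into an inventory check. The following is an added example, not code from Tableau or from the original advisory: it classifies a reported Tableau Server version against the "Vulnerable versions" and "Resolved in versions" lists. The function names, host names and sample inventory are constructed for illustration.

```python
# Added example: triage Tableau Server builds against this advisory's tables.
# FIXED holds the first resolved maintenance release per branch, copied from
# "Resolved in versions"; all names and the inventory are constructed.
_COMMON = {"10.5": 22, "2018.1": 19, "2018.2": 16, "2018.3": 13,
           "2019.1": 10, "2019.2": 6, "2019.3": 2, "2019.4": 1}
FIXED = {"linux": dict(_COMMON), "windows": {"10.4": 23, **_COMMON}}
NO_FIX = {("windows", "10.3")}  # listed as "will not be fixed"


def parse_version(text):
    """Split '2019.3.1' into branch '2019.3' and maintenance number 1."""
    parts = text.strip().split(".")
    if len(parts) not in (2, 3) or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version: {text!r}")
    # A bare branch such as '10.5' is the initial release, maintenance 0.
    patch = int(parts[2]) if len(parts) == 3 else 0
    return f"{int(parts[0])}.{int(parts[1])}", patch


def assess(platform, version):
    """Return 'vulnerable', 'vulnerable-no-fix', 'fixed' or 'not-listed'."""
    platform = platform.strip().lower()
    if platform not in FIXED:
        raise ValueError(f"unknown platform: {platform!r}")
    branch, patch = parse_version(version)
    if (platform, branch) in NO_FIX:
        return "vulnerable-no-fix"
    first_fixed = FIXED[platform].get(branch)
    if first_fixed is None:
        # Branch absent from the advisory: it makes no claim either way.
        return "not-listed"
    return "vulnerable" if patch < first_fixed else "fixed"


def triage(inventory):
    """Map host -> status for every host that is not on a fixed build."""
    results = {host: assess(plat, ver) for host, plat, ver in inventory}
    return {host: status for host, status in results.items() if status != "fixed"}


# Constructed inventory: (host, platform, version as reported by the server).
SAMPLE_INVENTORY = [
    ("bi-prod-01", "Linux", "2019.3.1"),
    ("bi-prod-02", "Linux", "2019.3.2"),
    ("bi-legacy", "Windows", "10.3.7"),
    ("bi-test", "Windows", "2018.2.15"),
    ("bi-old", "Linux", "10.4.3"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

A "not-listed" result means the branch does not appear in this advisory, so it should be checked separately, in line with the note that unsupported versions are not tested and may be vulnerable.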

 

Tableau Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Prep

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Reader

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.