Highest overall severity: Medium


Summary:

When calculating derived permissions on an object, Tableau Server asserts the user's highest access role across all sites. For example, if a user has different access roles on multiple sites hosted on the same Tableau Server, the derived permissions calculation asserts the user's highest access role on the other sites on that server.
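
The role resolution described above, as an added example (a simplified model, not Tableau Server code): a flawed resolver that takes the highest role on any site, the site-scoped resolver, and an audit that lists the user/site pairs where the two differ. The role names and ranks, users, sites and function names are all constructed for illustration.

```python
# Simplified model of the flaw described in the summary; not Tableau Server code.
# Role names, ranks, users and sites below are constructed for illustration.
ROLE_RANK = {"Unlicensed": 0, "Viewer": 1, "Explorer": 2, "Creator": 3, "SiteAdmin": 4}

# user -> {site -> role}; constructed sample data
SITE_ROLES = {
    "alice": {"finance": "SiteAdmin", "marketing": "Viewer"},
    "bob": {"finance": "Explorer", "marketing": "Explorer"},
    "carol": {"marketing": "Creator"},
}


def role_flawed(user, site):
    """Flawed resolution: ignores `site` and takes the highest role on any site."""
    roles = SITE_ROLES.get(user, {})
    return max(roles.values(), key=ROLE_RANK.__getitem__, default="Unlicensed")


def role_scoped(user, site):
    """Corrected resolution: only the role held on the object's own site counts."""
    return SITE_ROLES.get(user, {}).get(site, "Unlicensed")


def exposed_pairs():
    """Return (user, site, scoped_role, asserted_role) wherever the flawed
    resolution would assert more than the user holds on that site."""
    findings = []
    for user, roles in sorted(SITE_ROLES.items()):
        for site in sorted(roles):
            scoped, flawed = role_scoped(user, site), role_flawed(user, site)
            if ROLE_RANK[flawed] > ROLE_RANK[scoped]:
                findings.append((user, site, scoped, flawed))
    return findings


if __name__ == "__main__":
    for user, site, scoped, flawed in exposed_pairs():
        print(f"{user}@{site}: holds {scoped}, flawed calculation asserts {flawed}")
```

Run against a real export of per-site role assignments, the same comparison shows which accounts hold unequal roles across sites and are therefore the ones to review.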


Impact:

Authenticated users on a site may be able to view content on that same site for which they do not have explicit authorization.


Mitigation:

Derived permissions can be disabled server-wide. For information about disabling derived permissions, see the Tableau Server help topic, "Manage Permissions for External Assets" (Windows | Linux).

 

Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep | Tableau Reader | Tableau Mobile | Tableau Public Desktop
*Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: Medium
CVSS3 Score: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N - 5.3 Medium
Product Specific Notes: This only occurs on Tableau Server installs with the Data Management add-on.

Vulnerable versions:


Resolved in versions:

  • Tableau Server on Linux 2019.3.2

  • Tableau Server on Windows 2019.3.2

 

Tableau Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Prep

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Reader

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.