2019

Highest overall severity: Medium


Summary:

An unspecified API does not protect the user from cross-site request forgery.


Impact:

An attacker who is able to persuade a victim to visit a malicious website can change a setting for a user on Tableau Server.

 

Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep | Tableau Reader | Tableau Mobile | Tableau Public Desktop
*Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: Medium
CVSS3 Score: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N - 4.3 Medium
Product Specific Notes: None.

Vulnerable versions:

  • Tableau Server on Linux 10.5 through 10.5.21
  • Tableau Server on Linux 2018.1 through 2018.1.18
  • Tableau Server on Linux 2018.2 through 2018.2.15
  • Tableau Server on Linux 2018.3 through 2018.3.12
  • Tableau Server on Linux 2019.1 through 2019.1.10
  • Tableau Server on Linux 2019.2 through 2019.2.6
  • Tableau Server on Linux 2019.3 through 2019.3.2
  • Tableau Server on Linux 2019.4 through 2019.4.0

  • Tableau Server on Windows 10.4 through 10.4.22
  • Tableau Server on Windows 10.5 through 10.5.21
  • Tableau Server on Windows 2018.1 through 2018.1.18
  • Tableau Server on Windows 2018.2 through 2018.2.15
  • Tableau Server on Windows 2018.3 through 2018.3.12
  • Tableau Server on Windows 2019.1 through 2019.1.10
  • Tableau Server on Windows 2019.2 through 2019.2.6
  • Tableau Server on Windows 2019.3 through 2019.3.2
  • Tableau Server on Windows 2019.4 through 2019.4.0


Resolved in versions:

  • Tableau Server on Linux 10.5.22
  • Tableau Server on Linux 2018.1.19
  • Tableau Server on Linux 2018.2.16
  • Tableau Server on Linux 2018.3.13
  • Tableau Server on Linux 2019.1.11
  • Tableau Server on Linux 2019.2.7
  • Tableau Server on Linux 2019.3.3
  • Tableau Server on Linux 2019.4.1

  • Tableau Server on Windows 10.4.23
  • Tableau Server on Windows 10.5.22
  • Tableau Server on Windows 2018.1.19
  • Tableau Server on Windows 2018.2.16
  • Tableau Server on Windows 2018.3.13
  • Tableau Server on Windows 2019.1.11
  • Tableau Server on Windows 2019.2.7
  • Tableau Server on Windows 2019.3.3
  • Tableau Server on Windows 2019.4.1

 

Tableau Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Prep

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Reader

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Highest overall severity: Medium


Summary:

Extracts created on Tableau Server with web authoring are not encrypted even if "Encrypted" was selected.


Impact:

Extracts that Tableau Server reports as encrypted are stored in plaintext.

 

Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep | Tableau Reader | Tableau Mobile | Tableau Public Desktop
*Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: Medium
CVSS3 Score: AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N - 4.7 Medium
Product Specific Notes: None.

Vulnerable versions:

  • Tableau Server on Linux 2019.4 through 2019.4.0

  • Tableau Server on Windows 2019.4 through 2019.4.0


Resolved in versions:

  • Tableau Server on Linux 2019.4.1

  • Tableau Server on Windows 2019.4.1

 

Tableau Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Prep

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Reader

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Highest overall severity: Medium


Summary:

Unspecified APIs allow for a user with access to a particular sheet to see all datasource fields in the related workbook.


Impact:

A Tableau Server user can learn the existence of datasource field names that they do not have access to.

 

Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep | Tableau Reader | Tableau Mobile | Tableau Public Desktop
*Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: Medium
CVSS3 Score: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N - 6.5 Medium
Product Specific Notes: This only occurs on Tableau Server installs with the Data Management add-on.

Vulnerable versions:

  • Tableau Server on Linux 2019.3 through 2019.3.2
  • Tableau Server on Linux 2019.4 through 2019.4.0

  • Tableau Server on Windows 2019.3 through 2019.3.2
  • Tableau Server on Windows 2019.4 through 2019.4.0


Resolved in versions:

  • Tableau Server on Linux 2019.3.3
  • Tableau Server on Linux 2019.4.1

  • Tableau Server on Windows 2019.3.3
  • Tableau Server on Windows 2019.4.1

 

Tableau Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Prep

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Reader

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Highest overall severity: Medium


Summary:

An unspecified API lacks proper input validation that can result in files being written to an attacker-controlled location.


Impact:

Overwriting files may result in Tableau Server failing to operate.

 

Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep | Tableau Reader | Tableau Mobile | Tableau Public Desktop
*Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: Medium
CVSS3 Score: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H - 6.5 Medium
Product Specific Notes: None.

Vulnerable versions:

  • Tableau Server on Linux 2019.4 through 2019.4.0

  • Tableau Server on Windows 2019.4 through 2019.4.0


Resolved in versions:

  • Tableau Server on Linux 2019.4.1

  • Tableau Server on Windows 2019.4.1

 

Tableau Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Prep

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Reader

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Highest overall severity: Medium


Summary:

Tableau Server uses the Java JRE. The October 2019 update to the Java JRE contained an unspecified Medium severity issue (CVE-2019-2958) that might present a risk to Tableau Server. We have upgraded to the October 2019 release of the JRE that contains fixes for other CVEs as well.

 

The following CVEs have been addressed:

 

 


Impact:

From https://www.oracle.com/security-alerts/cpuoct2019.html#AppendixJAVA:

This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.

 

Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep | Tableau Reader | Tableau Mobile | Tableau Public Desktop
*Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server
Severity: Medium
CVSS3 Score: AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N - 5.3 Medium
Product Specific Notes: None.
Vulnerable versions:

  • Tableau Server on Linux 10.5 through 10.5.21
  • Tableau Server on Linux 2018.1 through 2018.1.18
  • Tableau Server on Linux 2018.2 through 2018.2.15
  • Tableau Server on Linux 2018.3 through 2018.3.12
  • Tableau Server on Linux 2019.1 through 2019.1.10
  • Tableau Server on Linux 2019.2 through 2019.2.6
  • Tableau Server on Linux 2019.3 through 2019.3.2
  • Tableau Server on Linux 2019.4 through 2019.4.0

  • Tableau Server on Windows 10.4 through 10.4.22
  • Tableau Server on Windows 10.5 through 10.5.21
  • Tableau Server on Windows 2018.1 through 2018.1.18
  • Tableau Server on Windows 2018.2 through 2018.2.15
  • Tableau Server on Windows 2018.3 through 2018.3.12
  • Tableau Server on Windows 2019.1 through 2019.1.10
  • Tableau Server on Windows 2019.2 through 2019.2.6
  • Tableau Server on Windows 2019.3 through 2019.3.2
  • Tableau Server on Windows 2019.4 through 2019.4.0


Resolved in versions:

  • Tableau Server on Linux 10.5.22
  • Tableau Server on Linux 2018.1.19
  • Tableau Server on Linux 2018.2.16
  • Tableau Server on Linux 2018.3.13
  • Tableau Server on Linux 2019.1.11
  • Tableau Server on Linux 2019.2.7
  • Tableau Server on Linux 2019.3.3
  • Tableau Server on Linux 2019.4.1

  • Tableau Server on Windows 10.4.23
  • Tableau Server on Windows 10.5.22
  • Tableau Server on Windows 2018.1.19
  • Tableau Server on Windows 2018.2.16
  • Tableau Server on Windows 2018.3.13
  • Tableau Server on Windows 2019.1.11
  • Tableau Server on Windows 2019.2.7
  • Tableau Server on Windows 2019.3.3
  • Tableau Server on Windows 2019.4.1

 

Tableau Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Prep

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Reader

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Highest overall severity: Medium


Summary:

Information that the current user does not have access to is obfuscated and displayed as "Permission Required." However, this information is presented in the sorted order based on the unobfuscated name. For more information, see "Manage Permissions for External Assets" (Windows | Linux).


Impact:

A Tableau Server user might be able to deduce the name of the obfuscated item based on the position in the sorted list.
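
The ordering problem described above, as an added Python illustration that is not Tableau code: it contrasts masking after sorting on the real name with an ordering that does not depend on hidden names. The asset names, ids and function names are hypothetical, and the sample data is constructed.

```python
import random

MASK = "Permission Required"

# Constructed sample data: (opaque id, real name, visible to current user?)
ASSETS = [
    (17, "payroll_2019", False),
    (4, "inventory", True),
    (29, "sales_emea", True),
    (8, "acquisition_targets", False),
    (12, "web_traffic", True),
]

def sort_then_mask(assets):
    """Flawed: order comes from the real name, masking happens afterwards."""
    ordered = sorted(assets, key=lambda a: a[1])
    return [(i, name if vis else MASK) for i, name, vis in ordered]

def mask_then_sort(assets, rng=random.SystemRandom()):
    """Hardened: sort visible rows by name, then append masked rows in an
    order that does not depend on their names (shuffled here)."""
    shown = sorted(((i, n) for i, n, vis in assets if vis), key=lambda r: r[1])
    hidden = [(i, MASK) for i, _, vis in assets if not vis]
    rng.shuffle(hidden)
    return shown + hidden

def position_bounds(listing):
    """For each masked row, return the nearest visible labels above and below.
    In a list sorted on real names this is the range its position discloses."""
    out = {}
    for pos, (asset_id, label) in enumerate(listing):
        if label != MASK:
            continue
        above = next((l for _, l in reversed(listing[:pos]) if l != MASK), None)
        below = next((l for _, l in listing[pos + 1:] if l != MASK), None)
        out[asset_id] = (above, below)
    return out

if __name__ == "__main__":
    print(position_bounds(sort_then_mask(ASSETS)))
    print(position_bounds(mask_then_sort(ASSETS)))
```

In the flawed listing each masked row gets its own name range; in the hardened listing every masked row reports the same bounds, so position says nothing about the hidden name.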

Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep | Tableau Reader | Tableau Mobile | Tableau Public Desktop
*Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: Medium
CVSS3 Score: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N - 6.5 Medium
Product Specific Notes: This only occurs on Tableau Server installs with the Data Management add-on.

Vulnerable versions:

  • Tableau Server on Linux 2019.3 through 2019.3.2
  • Tableau Server on Linux 2019.4 through 2019.4.0

  • Tableau Server on Windows 2019.3 through 2019.3.2
  • Tableau Server on Windows 2019.4 through 2019.4.0


Resolved in versions:

  • Tableau Server on Linux 2019.3.3
  • Tableau Server on Linux 2019.4.1

  • Tableau Server on Windows 2019.3.3
  • Tableau Server on Windows 2019.4.1

 

Tableau Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Prep

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Reader

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.