Highest overall severity: Medium


Summary:

Information that the current user does not have access to is obfuscated and displayed as "Permission Required." However, this information is presented in the sorted order based on the unobfuscated name. For more information, see "Manage Permissions for External Assets" (Windows | Linux).


Impact:

A Tableau Server user might be able to deduce the name of the obfuscated item based on the position in the sorted list.

Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep | Tableau Reader | Tableau Mobile | Tableau Public Desktop
*Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: Medium
CVSS3 Score: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N - 6.5 Medium
Product Specific Notes: This only occurs on Tableau Server installs with the Data Management add-on.

Vulnerable versions:

  • Tableau Server on Linux 2019.3 through 2019.3.2
  • Tableau Server on Linux 2019.4 through 2019.4.0

  • Tableau Server on Windows 2019.3 through 2019.3.2
  • Tableau Server on Windows 2019.4 through 2019.4.0


Resolved in versions:

  • Tableau Server on Linux 2019.3.3
  • Tableau Server on Linux 2019.4.1

  • Tableau Server on Windows 2019.3.3
  • Tableau Server on Windows 2019.4.1

 

Tableau Desktop (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Bridge (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Prep (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Reader (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Mobile (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Public Desktop (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.