2020

Highest overall severity: High


Summary:

In certain scenarios a flow running in Prep Conductor will use the wrong OAuth credentials when authenticating to a data source.


Impact:

A malicious flow can be constructed that uses the wrong credentials to retrieve data from a data source that the flow owner does not have access to.


Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep | Tableau Reader | Tableau Mobile | Tableau Public Desktop
*Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: High
CVSS3 Score: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N - 7.7 High
Product Specific Notes: This only affects Tableau Server instances with the Data Management Add-On which includes the Prep Conductor feature.

Vulnerable versions:

  • Tableau Server on Linux 2019.3.0 through 2019.3.4
  • Tableau Server on Linux 2019.4.0 through 2019.4.3

  • Tableau Server on Windows 2019.3.0 through 2019.3.4
  • Tableau Server on Windows 2019.4.0 through 2019.4.3


Resolved in versions:

  • Tableau Server on Linux 2019.3.5
  • Tableau Server on Linux 2019.4.4

  • Tableau Server on Windows 2019.3.5
  • Tableau Server on Windows 2019.4.4


Tableau Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Prep

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Reader

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Highest overall severity: Medium


Summary:

When a dashboard is configured with a button to go to another sheet, the target sheet permissions are ignored for the current user. This scenario may occur if the workbook has been configured to "Hide Tabs," which sets explicit view permissions, rather than inheriting permissions from the workbook.


Impact:

A user who has access to a dashboard can also navigate to a sheet within that workbook that they may not have access to.


Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep | Tableau Reader | Tableau Mobile | Tableau Public Desktop
*Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: Medium
CVSS3 Score: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N - 5.3 Medium
Product Specific Notes: None.

Vulnerable versions:

  • Tableau Server on Linux 2018.3.0 through 2018.3.14
  • Tableau Server on Linux 2019.1.0 through 2019.1.12
  • Tableau Server on Linux 2019.2.0 through 2019.2.8
  • Tableau Server on Linux 2019.3.0 through 2019.3.4
  • Tableau Server on Linux 2019.4.0 through 2019.4.3
  • Tableau Server on Linux 2020.1.0 through 2020.1.1

  • Tableau Server on Windows 2018.3.0 through 2018.3.14
  • Tableau Server on Windows 2019.1.0 through 2019.1.12
  • Tableau Server on Windows 2019.2.0 through 2019.2.8
  • Tableau Server on Windows 2019.3.0 through 2019.3.4
  • Tableau Server on Windows 2019.4.0 through 2019.4.3
  • Tableau Server on Windows 2020.1.0 through 2020.1.1


Resolved in versions:

  • Tableau Server on Linux 2018.3.15
  • Tableau Server on Linux 2019.1.13
  • Tableau Server on Linux 2019.2.9
  • Tableau Server on Linux 2019.3.5
  • Tableau Server on Linux 2019.4.4
  • Tableau Server on Linux 2020.1.2

  • Tableau Server on Windows 2018.3.15
  • Tableau Server on Windows 2019.1.13
  • Tableau Server on Windows 2019.2.9
  • Tableau Server on Windows 2019.3.5
  • Tableau Server on Windows 2019.4.4
  • Tableau Server on Windows 2020.1.2


Tableau Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Prep

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Reader

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Highest overall severity: Medium


Summary:

Tableau Server logs the internal secret used to authenticate internal service requests when log.level is set to Debug. By default, log.level is set to Info, and the internal secret is generated at install time.


Impact:

An attacker with access to the log file can make internal service requests.


Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep | Tableau Reader | Tableau Mobile | Tableau Public Desktop
*Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: Medium
CVSS3 Score: AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N - 4.4 Medium
Product Specific Notes: None

Vulnerable versions:

  • Tableau Server on Linux 2019.3.0 through 2019.3.4
  • Tableau Server on Linux 2019.4.0 through 2019.4.3

  • Tableau Server on Windows 2019.3.0 through 2019.3.4
  • Tableau Server on Windows 2019.4.0 through 2019.4.3


Resolved in versions:

  • Tableau Server on Linux 2019.3.5
  • Tableau Server on Linux 2019.4.4

  • Tableau Server on Windows 2019.3.5
  • Tableau Server on Windows 2019.4.4


Tableau Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Prep

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Reader

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Highest overall severity: Medium


Summary:

Tableau Server fails to properly validate the path that is presented on an embedded authentication redirect page. This is the same issue described in ADV-2019-047. The previous fix was incomplete.

The following CVEs have been addressed:


Impact:

A Tableau Server user who clicks on a malicious link could initiate a reflected cross-site scripting (XSS) operation with JavaScript, which runs in the client context. Alternatively, a Tableau Server user who clicks on a malicious link could be redirected to an attacker-controlled location.


Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep | Tableau Reader | Tableau Mobile | Tableau Public Desktop
*Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: Medium
CVSS3 Score: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N - 4.3 Medium
Product Specific Notes: None

Vulnerable versions:

  • Tableau Server on Linux 10.5.0 through 10.5.23
  • Tableau Server on Linux 2018.1.0 through 2018.1.20
  • Tableau Server on Linux 2018.2.0 through 2018.2.17
  • Tableau Server on Linux 2018.3.0 through 2018.3.14
  • Tableau Server on Linux 2019.1.0 through 2019.1.12
  • Tableau Server on Linux 2019.2.0 through 2019.2.8
  • Tableau Server on Linux 2019.3.0 through 2019.3.4
  • Tableau Server on Linux 2019.4.0 through 2019.4.3

  • Tableau Server on Windows 10.4.0 through 10.4.24
  • Tableau Server on Windows 10.5.0 through 10.5.23
  • Tableau Server on Windows 2018.1.0 through 2018.1.20
  • Tableau Server on Windows 2018.2.0 through 2018.2.17
  • Tableau Server on Windows 2018.3.0 through 2018.3.14
  • Tableau Server on Windows 2019.1.0 through 2019.1.12
  • Tableau Server on Windows 2019.2.0 through 2019.2.8
  • Tableau Server on Windows 2019.3.0 through 2019.3.4
  • Tableau Server on Windows 2019.4.0 through 2019.4.3


Resolved in versions:

  • Tableau Server on Linux 10.5.24
  • Tableau Server on Linux 2018.1.21
  • Tableau Server on Linux 2018.2.18
  • Tableau Server on Linux 2018.3.15
  • Tableau Server on Linux 2019.1.13
  • Tableau Server on Linux 2019.2.9
  • Tableau Server on Linux 2019.3.5
  • Tableau Server on Linux 2019.4.4

  • Tableau Server on Windows 10.4.25
  • Tableau Server on Windows 10.5.24
  • Tableau Server on Windows 2018.1.21
  • Tableau Server on Windows 2018.2.18
  • Tableau Server on Windows 2018.3.15
  • Tableau Server on Windows 2019.1.13
  • Tableau Server on Windows 2019.2.9
  • Tableau Server on Windows 2019.3.5
  • Tableau Server on Windows 2019.4.4


Tableau Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Prep

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Reader

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Highest overall severity: Medium


Summary:

When using Tableau Prep Builder to connect to published datasources, sensitive information is logged to the application log files. This is the same issue as described in ADV-2019-038. The fix in ADV-2019-038 was incorrectly applied to Tableau Server 2018.1.


Impact:

An attacker with access to the application log files can learn tokens that can be used to authenticate to Tableau Server.


Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep | Tableau Reader | Tableau Mobile | Tableau Public Desktop
*Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: Medium
CVSS3 Score: AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N - 4.4 Medium
Product Specific Notes: For Tableau Server on Windows 2018.1 and Tableau Server on Linux 2018.1, the information will only appear in the application logs under certain conditions: a vulnerable version of Tableau Prep Builder must be used to connect to the published datasource on that specific Tableau Server instance. Only the application logs on that specific Tableau Server instance will include the information. See ADV-2019-038 for the list of vulnerable Tableau Prep Builder versions.

Vulnerable versions:

  • Tableau Server on Linux 2018.1.0 through 2018.1.20

  • Tableau Server on Windows 2018.1.0 through 2018.1.20


Resolved in versions:

  • Tableau Server on Linux 2018.1.21

  • Tableau Server on Windows 2018.1.21


Tableau Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Prep

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Reader

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.