Highest overall severity: Medium


Summary:

When a dashboard is configured with a button that navigates to another sheet, the target sheet's permissions are ignored for the current user. This scenario may occur if the workbook has been configured to "Hide Tabs," which sets explicit view permissions on each sheet rather than inheriting permissions from the workbook.


Impact:

A user who has access to a dashboard can also navigate to a sheet within that workbook that they may not have access to.


Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep | Tableau Reader | Tableau Mobile | Tableau Public Desktop
*Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: Medium
CVSS3 Score: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N - 5.3 Medium
Product Specific Notes: None.

Vulnerable versions:

  • Tableau Server on Linux 2018.3.0 through 2018.3.14
  • Tableau Server on Linux 2019.1.0 through 2019.1.12
  • Tableau Server on Linux 2019.2.0 through 2019.2.8
  • Tableau Server on Linux 2019.3.0 through 2019.3.4
  • Tableau Server on Linux 2019.4.0 through 2019.4.3
  • Tableau Server on Linux 2020.1.0 through 2020.1.1

  • Tableau Server on Windows 2018.3.0 through 2018.3.14
  • Tableau Server on Windows 2019.1.0 through 2019.1.12
  • Tableau Server on Windows 2019.2.0 through 2019.2.8
  • Tableau Server on Windows 2019.3.0 through 2019.3.4
  • Tableau Server on Windows 2019.4.0 through 2019.4.3
  • Tableau Server on Windows 2020.1.0 through 2020.1.1


Resolved in versions:

  • Tableau Server on Linux 2018.3.15
  • Tableau Server on Linux 2019.1.13
  • Tableau Server on Linux 2019.2.9
  • Tableau Server on Linux 2019.3.5
  • Tableau Server on Linux 2019.4.4
  • Tableau Server on Linux 2020.1.2

  • Tableau Server on Windows 2018.3.15
  • Tableau Server on Windows 2019.1.13
  • Tableau Server on Windows 2019.2.9
  • Tableau Server on Windows 2019.3.5
  • Tableau Server on Windows 2019.4.4
  • Tableau Server on Windows 2020.1.2
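
The following Python example is added here and is not from Tableau. It classifies a server version against the lists above and, for a workbook with tabs hidden, reports users who can view a dashboard carrying a navigation button but lack view permission on the button's target sheet. The inventory record format (`show_tabs`, `viewers`, `nav_buttons`) and the sample data are constructed assumptions.

```python
# Added example. Branch -> first fixed maintenance release, from the advisory's lists.
FIXED_IN = {"2018.3": 15, "2019.1": 13, "2019.2": 9,
            "2019.3": 5, "2019.4": 4, "2020.1": 2}

def version_status(version):
    """Classify a Tableau Server version string such as '2019.2.8'."""
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version: {version!r}")
    fixed = FIXED_IN.get(".".join(parts[:2]))
    if fixed is None:
        return "unlisted"  # branch not covered by the advisory's lists
    return "vulnerable" if int(parts[2]) < fixed else "fixed"

def exposed_sheets(workbook):
    """Return (user, dashboard, target_sheet) tuples for a hidden-tabs workbook.

    A tuple is reported when the user may view the dashboard holding a
    navigation button but has no view permission on the button's target.
    """
    if workbook["show_tabs"]:
        return []  # sheets inherit the workbook's permissions; nothing differs
    findings = []
    viewers = workbook["viewers"]
    for dashboard, targets in workbook["nav_buttons"].items():
        for target in targets:
            allowed_on_dash = viewers.get(dashboard, set())
            allowed_on_target = viewers.get(target, set())
            for user in sorted(allowed_on_dash - allowed_on_target):
                findings.append((user, dashboard, target))
    return findings

# Constructed sample inventory record (hypothetical format, not a Tableau export).
SAMPLE = {
    "name": "Sales",
    "show_tabs": False,  # "Hide Tabs" enabled, so each sheet has explicit permissions
    "viewers": {"Overview": {"alice", "bob"}, "Payroll detail": {"alice"}},
    "nav_buttons": {"Overview": ["Payroll detail"]},
}

if __name__ == "__main__":
    print(version_status("2019.2.8"))
    for finding in exposed_sheets(SAMPLE):
        print(finding)
```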


Tableau Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Prep

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Reader

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.