
Security Bulletins

3 Posts authored by: Jason Copenhaver Employee

Highest overall severity: High


Summary:

Various memory corruption issues exist in Tableau products.


Impact:

An attacker exploiting this vulnerability may be able to execute arbitrary code or cause a crash.


Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep | Tableau Reader | Tableau Mobile | Tableau Public Desktop
*Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: High
CVSS3 Score: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H - 7.5 High
Product Specific Notes: An authenticated user who is able to publish a workbook to Tableau Server can trigger this vulnerability. During our analysis, we have determined the ability to exploit this vulnerability is unlikely.

Vulnerable versions:

  • Tableau Server on Linux 10.5.0 through 10.5.24
  • Tableau Server on Linux 2018.1.0 through 2018.1.21
  • Tableau Server on Linux 2018.2.0 through 2018.2.18
  • Tableau Server on Linux 2018.3.0 through 2018.3.15
  • Tableau Server on Linux 2019.1.0 through 2019.1.13
  • Tableau Server on Linux 2019.2.0 through 2019.2.9
  • Tableau Server on Linux 2019.3.0 through 2019.3.5
  • Tableau Server on Linux 2019.4.0 through 2019.4.4
  • Tableau Server on Linux 2020.1.0 through 2020.1.1

  • Tableau Server on Windows 10.4.0 through 10.4.25
  • Tableau Server on Windows 10.5.0 through 10.5.24
  • Tableau Server on Windows 2018.1.0 through 2018.1.21
  • Tableau Server on Windows 2018.2.0 through 2018.2.18
  • Tableau Server on Windows 2018.3.0 through 2018.3.15
  • Tableau Server on Windows 2019.1.0 through 2019.1.13
  • Tableau Server on Windows 2019.2.0 through 2019.2.9
  • Tableau Server on Windows 2019.3.0 through 2019.3.5
  • Tableau Server on Windows 2019.4.0 through 2019.4.4
  • Tableau Server on Windows 2020.1.0 through 2020.1.1


Resolved in versions:

  • Tableau Server on Linux 10.5.25
  • Tableau Server on Linux 2018.1.22
  • Tableau Server on Linux 2018.2.19
  • Tableau Server on Linux 2018.3.16
  • Tableau Server on Linux 2019.1.14
  • Tableau Server on Linux 2019.2.10
  • Tableau Server on Linux 2019.3.6
  • Tableau Server on Linux 2019.4.5
  • Tableau Server on Linux 2020.1.2

  • Tableau Server on Windows 10.4.26
  • Tableau Server on Windows 10.5.25
  • Tableau Server on Windows 2018.1.22
  • Tableau Server on Windows 2018.2.19
  • Tableau Server on Windows 2018.3.16
  • Tableau Server on Windows 2019.1.14
  • Tableau Server on Windows 2019.2.10
  • Tableau Server on Windows 2019.3.6
  • Tableau Server on Windows 2019.4.5
  • Tableau Server on Windows 2020.1.2


Tableau Desktop

Severity: High
CVSS3 Score: AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H - 7.0 High
Product Specific Notes: Opening a malicious workbook can trigger this vulnerability. During our analysis, we have determined the ability to exploit this vulnerability is unlikely.

Vulnerable versions:

  • Tableau Desktop on Mac 10.4.0 through 10.4.25
  • Tableau Desktop on Mac 10.5.0 through 10.5.24
  • Tableau Desktop on Mac 2018.1.0 through 2018.1.21
  • Tableau Desktop on Mac 2018.2.0 through 2018.2.18
  • Tableau Desktop on Mac 2018.3.0 through 2018.3.15
  • Tableau Desktop on Mac 2019.1.0 through 2019.1.13
  • Tableau Desktop on Mac 2019.2.0 through 2019.2.9
  • Tableau Desktop on Mac 2019.3.0 through 2019.3.5
  • Tableau Desktop on Mac 2019.4.0 through 2019.4.4
  • Tableau Desktop on Mac 2020.1.0 through 2020.1.1

  • Tableau Desktop on Windows 10.4.0 through 10.4.25
  • Tableau Desktop on Windows 10.5.0 through 10.5.24
  • Tableau Desktop on Windows 2018.1.0 through 2018.1.21
  • Tableau Desktop on Windows 2018.2.0 through 2018.2.18
  • Tableau Desktop on Windows 2018.3.0 through 2018.3.15
  • Tableau Desktop on Windows 2019.1.0 through 2019.1.13
  • Tableau Desktop on Windows 2019.2.0 through 2019.2.9
  • Tableau Desktop on Windows 2019.3.0 through 2019.3.5
  • Tableau Desktop on Windows 2019.4.0 through 2019.4.4
  • Tableau Desktop on Windows 2020.1.0 through 2020.1.1


Resolved in versions:

  • Tableau Desktop on Mac 10.4.26
  • Tableau Desktop on Mac 10.5.25
  • Tableau Desktop on Mac 2018.1.22
  • Tableau Desktop on Mac 2018.2.19
  • Tableau Desktop on Mac 2018.3.16
  • Tableau Desktop on Mac 2019.1.14
  • Tableau Desktop on Mac 2019.2.10
  • Tableau Desktop on Mac 2019.3.6
  • Tableau Desktop on Mac 2019.4.5
  • Tableau Desktop on Mac 2020.1.2

  • Tableau Desktop on Windows 10.4.26
  • Tableau Desktop on Windows 10.5.25
  • Tableau Desktop on Windows 2018.1.22
  • Tableau Desktop on Windows 2018.2.19
  • Tableau Desktop on Windows 2018.3.16
  • Tableau Desktop on Windows 2019.1.14
  • Tableau Desktop on Windows 2019.2.10
  • Tableau Desktop on Windows 2019.3.6
  • Tableau Desktop on Windows 2019.4.5
  • Tableau Desktop on Windows 2020.1.2


Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Prep

Severity: High
CVSS3 Score: AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H - 7.0 High
Product Specific Notes: Opening a malicious flow can trigger this vulnerability. During our analysis, we have determined the ability to exploit this vulnerability is unlikely.

Vulnerable versions:

  • Tableau Prep on Mac 2018.1.1 through 2020.1.5

  • Tableau Prep on Windows 2018.1.1 through 2020.1.5


Resolved in versions:

  • Tableau Prep on Mac 2018.1.1 through 2020.2.1

  • Tableau Prep on Windows 2018.1.1 through 2020.2.1


Tableau Reader

Severity: High
CVSS3 Score: AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H - 7.0 High
Product Specific Notes: Opening a malicious workbook can trigger this vulnerability. During our analysis, we have determined the ability to exploit this vulnerability is unlikely.

Vulnerable versions:

  • Tableau Reader on Mac 10.4 through 2020.1.0

  • Tableau Reader on Windows 10.4 through 2020.1.0


Resolved in versions:

  • Tableau Reader on Mac 2020.1.2

  • Tableau Reader on Windows 2020.1.2


Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Public Desktop

Severity: High
CVSS3 Score: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H - 7.5 High
Product Specific Notes: None.

Vulnerable versions:

  • Tableau Public Desktop on Mac 10.4 through 2020.1.0

  • Tableau Public Desktop on Windows 10.4 through 2020.1.0


Resolved in versions:

  • Tableau Public Desktop on Mac 2020.1.2

  • Tableau Public Desktop on Windows 2020.1.2

Highest overall severity: Medium


Summary:

When a Data Driven Alert triggers, Tableau Server fails to perform an access check on each user to whom the alert is being sent.


Impact:

A user that has been added to the Data Driven Alert but who does not have access to the view will receive a thumbnail of the view.


Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep | Tableau Reader | Tableau Mobile | Tableau Public Desktop
*Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: Medium
CVSS3 Score: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N - 6.5 Medium
Product Specific Notes: None.

Vulnerable versions:

  • Tableau Server on Linux 2018.1.0 through 2018.1.21
  • Tableau Server on Linux 2018.2.0 through 2018.2.18
  • Tableau Server on Linux 2018.3.0 through 2018.3.15
  • Tableau Server on Linux 2019.1.0 through 2019.1.13
  • Tableau Server on Linux 2019.2.0 through 2019.2.9
  • Tableau Server on Linux 2019.3.0 through 2019.3.5
  • Tableau Server on Linux 2019.4.0 through 2019.4.4
  • Tableau Server on Linux 2020.1.0 through 2020.1.1

  • Tableau Server on Windows 2018.1.0 through 2018.1.21
  • Tableau Server on Windows 2018.2.0 through 2018.2.18
  • Tableau Server on Windows 2018.3.0 through 2018.3.15
  • Tableau Server on Windows 2019.1.0 through 2019.1.13
  • Tableau Server on Windows 2019.2.0 through 2019.2.9
  • Tableau Server on Windows 2019.3.0 through 2019.3.5
  • Tableau Server on Windows 2019.4.0 through 2019.4.4
  • Tableau Server on Windows 2020.1.0 through 2020.1.1


Resolved in versions:

  • Tableau Server on Linux 2018.1.22
  • Tableau Server on Linux 2018.2.19
  • Tableau Server on Linux 2018.3.16
  • Tableau Server on Linux 2019.1.14
  • Tableau Server on Linux 2019.2.10
  • Tableau Server on Linux 2019.3.6
  • Tableau Server on Linux 2019.4.5
  • Tableau Server on Linux 2020.1.2

  • Tableau Server on Windows 2018.1.22
  • Tableau Server on Windows 2018.2.19
  • Tableau Server on Windows 2018.3.16
  • Tableau Server on Windows 2019.1.14
  • Tableau Server on Windows 2019.2.10
  • Tableau Server on Windows 2019.3.6
  • Tableau Server on Windows 2019.4.5
  • Tableau Server on Windows 2020.1.2


Tableau Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Prep

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Reader

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Highest overall severity: Medium


Summary:

Tableau Server fails to properly validate the final destination URL during certain API calls.


Impact:

A Tableau Server user who clicks on a malicious link will be redirected to an attacker-controlled location.


Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep | Tableau Reader | Tableau Mobile | Tableau Public Desktop
*Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: Medium
CVSS3 Score: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N - 5.4 Medium
Product Specific Notes: None.

Vulnerable versions:

  • Tableau Server on Linux 10.5.0 through 10.5.24
  • Tableau Server on Linux 2018.1.0 through 2018.1.21
  • Tableau Server on Linux 2018.2.0 through 2018.2.18
  • Tableau Server on Linux 2018.3.0 through 2018.3.15
  • Tableau Server on Linux 2019.1.0 through 2019.1.13
  • Tableau Server on Linux 2019.2.0 through 2019.2.9
  • Tableau Server on Linux 2019.3.0 through 2019.3.5
  • Tableau Server on Linux 2019.4.0 through 2019.4.4
  • Tableau Server on Linux 2020.1.0 through 2020.1.1

  • Tableau Server on Windows 10.4.0 through 10.4.25
  • Tableau Server on Windows 10.5.0 through 10.5.24
  • Tableau Server on Windows 2018.1.0 through 2018.1.21
  • Tableau Server on Windows 2018.2.0 through 2018.2.18
  • Tableau Server on Windows 2018.3.0 through 2018.3.15
  • Tableau Server on Windows 2019.1.0 through 2019.1.13
  • Tableau Server on Windows 2019.2.0 through 2019.2.9
  • Tableau Server on Windows 2019.3.0 through 2019.3.5
  • Tableau Server on Windows 2019.4.0 through 2019.4.4
  • Tableau Server on Windows 2020.1.0 through 2020.1.1


Resolved in versions:

  • Tableau Server on Linux 10.5.25
  • Tableau Server on Linux 2018.1.22
  • Tableau Server on Linux 2018.2.19
  • Tableau Server on Linux 2018.3.16
  • Tableau Server on Linux 2019.1.14
  • Tableau Server on Linux 2019.2.10
  • Tableau Server on Linux 2019.3.6
  • Tableau Server on Linux 2019.4.5
  • Tableau Server on Linux 2020.1.2

  • Tableau Server on Windows 10.4.26
  • Tableau Server on Windows 10.5.25
  • Tableau Server on Windows 2018.1.22
  • Tableau Server on Windows 2018.2.19
  • Tableau Server on Windows 2018.3.16
  • Tableau Server on Windows 2019.1.14
  • Tableau Server on Windows 2019.2.10
  • Tableau Server on Windows 2019.3.6
  • Tableau Server on Windows 2019.4.5
  • Tableau Server on Windows 2020.1.2


Tableau Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Prep

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Reader

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.