Security Bulletins

28 Posts authored by: Joseph Salowey Employee

Highest overall severity: Medium


Summary:

An unspecified API does not protect the user from cross-site request forgery.


Impact:

An attacker who is able to persuade a victim to visit a malicious website can change a setting for a user on Tableau Server.

 

Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep | Tableau Reader | Tableau Mobile | Tableau Public Desktop
*Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: Medium
CVSS3 Score: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N - 4.3 Medium
Product Specific Notes: None.

Vulnerable versions:

  • Tableau Server on Linux 10.5 through 10.5.21
  • Tableau Server on Linux 2018.1 through 2018.1.18
  • Tableau Server on Linux 2018.2 through 2018.2.15
  • Tableau Server on Linux 2018.3 through 2018.3.12
  • Tableau Server on Linux 2019.1 through 2019.1.10
  • Tableau Server on Linux 2019.2 through 2019.2.6
  • Tableau Server on Linux 2019.3 through 2019.3.2
  • Tableau Server on Linux 2019.4 through 2019.4.0

  • Tableau Server on Windows 10.4 through 10.4.22
  • Tableau Server on Windows 10.5 through 10.5.21
  • Tableau Server on Windows 2018.1 through 2018.1.18
  • Tableau Server on Windows 2018.2 through 2018.2.15
  • Tableau Server on Windows 2018.3 through 2018.3.12
  • Tableau Server on Windows 2019.1 through 2019.1.10
  • Tableau Server on Windows 2019.2 through 2019.2.6
  • Tableau Server on Windows 2019.3 through 2019.3.2
  • Tableau Server on Windows 2019.4 through 2019.4.0


Resolved in versions:

  • Tableau Server on Linux 10.5.22
  • Tableau Server on Linux 2018.1.19
  • Tableau Server on Linux 2018.2.16
  • Tableau Server on Linux 2018.3.13
  • Tableau Server on Linux 2019.1.11
  • Tableau Server on Linux 2019.2.7
  • Tableau Server on Linux 2019.3.3
  • Tableau Server on Linux 2019.4.1

  • Tableau Server on Windows 10.4.23
  • Tableau Server on Windows 10.5.22
  • Tableau Server on Windows 2018.1.19
  • Tableau Server on Windows 2018.2.16
  • Tableau Server on Windows 2018.3.13
  • Tableau Server on Windows 2019.1.11
  • Tableau Server on Windows 2019.2.7
  • Tableau Server on Windows 2019.3.3
  • Tableau Server on Windows 2019.4.1

 

Tableau Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Prep

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Reader

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Highest overall severity: Medium


Summary:

Extracts created on Tableau Server with web authoring are not encrypted even if "Encrypted" was selected.


Impact:

Extracts that Tableau Server reports as encrypted are stored in plaintext.

 

Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep | Tableau Reader | Tableau Mobile | Tableau Public Desktop
*Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: Medium
CVSS3 Score: AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N - 4.7 Medium
Product Specific Notes: None.

Vulnerable versions:

  • Tableau Server on Linux 2019.4 through 2019.4.0

  • Tableau Server on Windows 2019.4 through 2019.4.0


Resolved in versions:

  • Tableau Server on Linux 2019.4.1

  • Tableau Server on Windows 2019.4.1

 

Tableau Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Prep

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Reader

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Highest overall severity: Medium


Summary:

Unspecified APIs allow for a user with access to a particular sheet to see all datasource fields in the related workbook.


Impact:

A Tableau Server user can learn the existence of datasource field names that they do not have access to.

 

Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep | Tableau Reader | Tableau Mobile | Tableau Public Desktop
*Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: Medium
CVSS3 Score: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N - 6.5 Medium
Product Specific Notes: This only occurs on Tableau Server installs with the Data Management add-on.

Vulnerable versions:

  • Tableau Server on Linux 2019.3 through 2019.3.2
  • Tableau Server on Linux 2019.4 through 2019.4.0

  • Tableau Server on Windows 2019.3 through 2019.3.2
  • Tableau Server on Windows 2019.4 through 2019.4.0


Resolved in versions:

  • Tableau Server on Linux 2019.3.3
  • Tableau Server on Linux 2019.4.1

  • Tableau Server on Windows 2019.3.3
  • Tableau Server on Windows 2019.4.1

 

Tableau Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Prep

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Reader

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Highest overall severity: Medium


Summary:

An unspecified API lacks proper input validation that can result in files being written to an attacker-controlled location.


Impact:

Overwriting files may result in Tableau Server failing to operate.

 

Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep | Tableau Reader | Tableau Mobile | Tableau Public Desktop
*Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: Medium
CVSS3 Score: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H - 6.5 Medium
Product Specific Notes: None.

Vulnerable versions:

  • Tableau Server on Linux 2019.4 through 2019.4.0

  • Tableau Server on Windows 2019.4 through 2019.4.0


Resolved in versions:

  • Tableau Server on Linux 2019.4.1

  • Tableau Server on Windows 2019.4.1

 

Tableau Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Prep

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Reader

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Highest overall severity: Medium


Summary:

Tableau Server uses the Java JRE. The October 2019 update to the Java JRE contained an unspecified Medium severity issue (CVE-2019-2958) that might present a risk to Tableau Server. We have upgraded to the October 2019 release of the JRE that contains fixes for other CVEs as well.

 

The following CVEs have been addressed:

 

 


Impact:
From https://www.oracle.com/security-alerts/cpuoct2019.html#AppendixJAVA This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.

 

Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep | Tableau Reader | Tableau Mobile | Tableau Public Desktop
*Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server
Severity: Medium
CVSS3 Score: AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N - 5.3 Medium
Product Specific Notes: None.
Vulnerable versions:

  • Tableau Server on Linux 10.5 through 10.5.21
  • Tableau Server on Linux 2018.1 through 2018.1.18
  • Tableau Server on Linux 2018.2 through 2018.2.15
  • Tableau Server on Linux 2018.3 through 2018.3.12
  • Tableau Server on Linux 2019.1 through 2019.1.10
  • Tableau Server on Linux 2019.2 through 2019.2.6
  • Tableau Server on Linux 2019.3 through 2019.3.2
  • Tableau Server on Linux 2019.4 through 2019.4.0

  • Tableau Server on Windows 10.4 through 10.4.22
  • Tableau Server on Windows 10.5 through 10.5.21
  • Tableau Server on Windows 2018.1 through 2018.1.18
  • Tableau Server on Windows 2018.2 through 2018.2.15
  • Tableau Server on Windows 2018.3 through 2018.3.12
  • Tableau Server on Windows 2019.1 through 2019.1.10
  • Tableau Server on Windows 2019.2 through 2019.2.6
  • Tableau Server on Windows 2019.3 through 2019.3.2
  • Tableau Server on Windows 2019.4 through 2019.4.0


Resolved in versions:

  • Tableau Server on Linux 10.5.22
  • Tableau Server on Linux 2018.1.19
  • Tableau Server on Linux 2018.2.16
  • Tableau Server on Linux 2018.3.13
  • Tableau Server on Linux 2019.1.11
  • Tableau Server on Linux 2019.2.7
  • Tableau Server on Linux 2019.3.3
  • Tableau Server on Linux 2019.4.1

  • Tableau Server on Windows 10.4.23
  • Tableau Server on Windows 10.5.22
  • Tableau Server on Windows 2018.1.19
  • Tableau Server on Windows 2018.2.16
  • Tableau Server on Windows 2018.3.13
  • Tableau Server on Windows 2019.1.11
  • Tableau Server on Windows 2019.2.7
  • Tableau Server on Windows 2019.3.3
  • Tableau Server on Windows 2019.4.1

 

Tableau Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Prep

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Reader

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Highest overall severity: Medium


Summary:

Information that the current user does not have access to is obfuscated and displayed as "Permission Required." However, this information is presented in the sorted order based on the unobfuscated name. For more information, see "Manage Permissions for External Assets" (Windows | Linux).


Impact:

A Tableau Server user might be able to deduce the name of the obfuscated item based on the position in the sorted list.

Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep | Tableau Reader | Tableau Mobile | Tableau Public Desktop
*Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: Medium
CVSS3 Score: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N - 6.5 Medium
Product Specific Notes: This only occurs on Tableau Server installs with the Data Management add-on.

Vulnerable versions:

  • Tableau Server on Linux 2019.3 through 2019.3.2
  • Tableau Server on Linux 2019.4 through 2019.4.0

  • Tableau Server on Windows 2019.3 through 2019.3.2
  • Tableau Server on Windows 2019.4 through 2019.4.0


Resolved in versions:

  • Tableau Server on Linux 2019.3.3
  • Tableau Server on Linux 2019.4.1

  • Tableau Server on Windows 2019.3.3
  • Tableau Server on Windows 2019.4.1

 

Tableau Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Prep

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Reader

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

Highest overall severity: Medium


Summary:

Workbooks that use user functions inside a join calculation may not properly filter data the first time a view is loaded.


Impact:

A user with access to a published workbook can see unfiltered data for another user in the same workbook. A malicious user cannot exploit this vulnerability.


Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep Builder | Tableau Reader | Tableau Mobile | Tableau Public Desktop
Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: Medium
CVSS3 Score: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N - 6.5 Medium


Vulnerable versions:

  • Tableau Server on Windows 10.2 through 10.2.20
  • Tableau Server on Windows 10.3 through 10.3.20
  • Tableau Server on Windows 10.4 through 10.4.16
  • Tableau Server on Windows 10.5 through 10.5.15
  • Tableau Server on Windows 2018.1 through 2018.1.12
  • Tableau Server on Windows 2018.2 through 2018.2.9
  • Tableau Server on Windows 2018.3 through 2018.3.6
  • Tableau Server on Windows 2019.1 through 2019.1.3
  • Tableau Server on Windows 2019.2

 

  • Tableau Server on Linux 10.5 through 10.5.15
  • Tableau Server on Linux 2018.1 through 2018.1.12
  • Tableau Server on Linux 2018.2 through 2018.2.9
  • Tableau Server on Linux 2018.3 through 2018.3.6
  • Tableau Server on Linux 2019.1 through 2019.1.3
  • Tableau Server on Linux 2019.2


Resolved in versions:

  • Tableau Server on Windows 10.2.21
  • Tableau Server on Windows 10.3.21
  • Tableau Server on Windows 10.4.17
  • Tableau Server on Windows 10.5.16
  • Tableau Server on Windows 2018.1.13
  • Tableau Server on Windows 2018.2.10
  • Tableau Server on Windows 2018.3.7
  • Tableau Server on Windows 2019.1.4
  • Tableau Server on Windows 2019.2.1

 

  • Tableau Server on Linux 10.5.16
  • Tableau Server on Linux 2018.1.13
  • Tableau Server on Linux 2018.2.10
  • Tableau Server on Linux 2018.3.7
  • Tableau Server on Linux 2019.1.4
  • Tableau Server on Linux 2019.2.1


Tableau Desktop

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Prep Builder

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Reader

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.

Highest overall severity: Medium


Summary:

Tableau Server SAML implementation fails to properly validate the final destination URL.


Impact:

A Tableau Server user who clicks on a malicious link and completes a SAML login will be redirected to an attacker-controlled location. No SAML request or response is sent to the final location.


Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep Builder | Tableau Reader | Tableau Mobile | Tableau Public Desktop
Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: Medium
CVSS3 Score: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N - 4.3 Medium
Product specific notes: This only affects Tableau Server instances configured with Server-Wide SAML.


Vulnerable versions:

  • Tableau Server on Windows 10.2 through 10.2.20
  • Tableau Server on Windows 10.3 through 10.3.20
  • Tableau Server on Windows 10.4 through 10.4.16
  • Tableau Server on Windows 10.5 through 10.5.15
  • Tableau Server on Windows 2018.1 through 2018.1.12
  • Tableau Server on Windows 2018.2 through 2018.2.9
  • Tableau Server on Windows 2018.3 through 2018.3.6
  • Tableau Server on Windows 2019.1 through 2019.1.3
  • Tableau Server on Windows 2019.2.0

  • Tableau Server on Linux 10.5 through 10.5.15
  • Tableau Server on Linux 2018.1 through 2018.1.12
  • Tableau Server on Linux 2018.2 through 2018.2.9
  • Tableau Server on Linux 2018.3 through 2018.3.6
  • Tableau Server on Linux 2019.1 through 2019.1.3
  • Tableau Server on Linux 2019.2.0


Resolved in versions:

  • Tableau Server on Windows 10.2.21
  • Tableau Server on Windows 10.3.21
  • Tableau Server on Windows 10.4.17
  • Tableau Server on Windows 10.5.16
  • Tableau Server on Windows 2018.1.13
  • Tableau Server on Windows 2018.2.10
  • Tableau Server on Windows 2018.3.7
  • Tableau Server on Windows 2019.1.4
  • Tableau Server on Windows 2019.2.1

 

  • Tableau Server on Linux 10.5.16
  • Tableau Server on Linux 2018.1.13
  • Tableau Server on Linux 2018.2.10
  • Tableau Server on Linux 2018.3.7
  • Tableau Server on Linux 2019.1.4
  • Tableau Server on Linux 2019.2.1


Tableau Desktop

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Prep Builder

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Reader

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected. - Tableau Reader 10.0


Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.

Highest overall severity: Medium


Summary:

Workbooks that use user functions inside a context filter may not properly filter data the first time a view is loaded due to a caching issue.


Impact:

A user with access to a published workbook can see unfiltered data for another user resulting in information disclosure within that same workbook. A malicious user cannot directly force this to happen.


Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep Builder | Tableau Reader | Tableau Mobile | Tableau Public Desktop
Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: Medium
CVSS3 Score: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N - 6.5 Medium


Vulnerable versions:

  • Tableau Server on Windows 10.2 through 10.2.20
  • Tableau Server on Windows 10.3 through 10.3.20
  • Tableau Server on Windows 10.4 through 10.4.16
  • Tableau Server on Windows 10.5 through 10.5.15
  • Tableau Server on Windows 2018.1 through 2018.1.12
  • Tableau Server on Windows 2018.2 through 2018.2.9
  • Tableau Server on Windows 2018.3 through 2018.3.6
  • Tableau Server on Windows 2019.1 through 2019.1.3

  • Tableau Server on Linux 10.5 through 10.5.15
  • Tableau Server on Linux 2018.1 through 2018.1.12
  • Tableau Server on Linux 2018.2 through 2018.2.9
  • Tableau Server on Linux 2018.3 through 2018.3.6
  • Tableau Server on Linux 2019.1 through 2019.1.3


Resolved in versions:

  • Tableau Server on Windows 10.2.21
  • Tableau Server on Windows 10.3.21
  • Tableau Server on Windows 10.4.17
  • Tableau Server on Windows 10.5.16
  • Tableau Server on Windows 2018.1.13
  • Tableau Server on Windows 2018.2.10
  • Tableau Server on Windows 2018.3.7
  • Tableau Server on Windows 2019.1.4

  • Tableau Server on Linux 10.5.16
  • Tableau Server on Linux 2018.1.13
  • Tableau Server on Linux 2018.2.10
  • Tableau Server on Linux 2018.3.7
  • Tableau Server on Linux 2019.1.4


Tableau Desktop

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected. - Tableau Bridge 10.0


Tableau Prep Builder

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Reader

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.

Highest overall severity: Medium


Summary:

A workbook published to Tableau Server with a datasource that has been set to "Publish Separately" and an authentication choice of "Prompt" will publish in an unexpected way. The separate datasource will be published with authentication set to "Prompt". However, the workbook will be published with a connection to the new datasource and the authentication is set to "Embedded Password".


Impact:

A Tableau Server user that has access to the workbook will be able to open the workbook and use the embedded credentials to connect to the datasource.


Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep Builder | Tableau Reader | Tableau Mobile | Tableau Public Desktop
Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Desktop

Severity: Medium
CVSS3 Score: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N - 6.5 Medium


Vulnerable versions:

  • Tableau Desktop on Windows 10.2 through 10.2.20
  • Tableau Desktop on Windows 10.3 through 10.3.20
  • Tableau Desktop on Windows 10.4 through 10.4.16
  • Tableau Desktop on Windows 10.5 through 10.5.15
  • Tableau Desktop on Windows 2018.1 through 2018.1.12
  • Tableau Desktop on Windows 2018.2 through 2018.2.9
  • Tableau Desktop on Windows 2018.3 through 2018.3.6
  • Tableau Desktop on Windows 2019.1 through 2019.1.3

  • Tableau Desktop on Mac 10.2 through 10.2.20
  • Tableau Desktop on Mac 10.3 through 10.3.20
  • Tableau Desktop on Mac 10.4 through 10.4.16
  • Tableau Desktop on Mac 10.5 through 10.5.15
  • Tableau Desktop on Mac 2018.1 through 2018.1.12
  • Tableau Desktop on Mac 2018.2 through 2018.2.9
  • Tableau Desktop on Mac 2018.3 through 2018.3.6
  • Tableau Desktop on Mac 2019.1 through 2019.1.3


Resolved in versions:

  • Tableau Desktop on Windows 10.2.21
  • Tableau Desktop on Windows 10.3.21
  • Tableau Desktop on Windows 10.4.17
  • Tableau Desktop on Windows 10.5.16
  • Tableau Desktop on Windows 2018.1.13
  • Tableau Desktop on Windows 2018.2.10
  • Tableau Desktop on Windows 2018.3.7
  • Tableau Desktop on Windows 2019.1.4

  • Tableau Desktop on Mac 10.2.21
  • Tableau Desktop on Mac 10.3.21
  • Tableau Desktop on Mac 10.4.17
  • Tableau Desktop on Mac 10.5.16
  • Tableau Desktop on Mac 2018.1.13
  • Tableau Desktop on Mac 2018.2.10
  • Tableau Desktop on Mac 2018.3.7
  • Tableau Desktop on Mac 2019.1.4


Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Prep Builder

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Reader

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.

Highest overall severity: Medium


Summary:

Tableau Server generates an error page that contains a user-supplied string.


Impact:

A user who clicks on a link will be presented with an error message that contains a string entered by another user.


Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep Builder | Tableau Reader | Tableau Mobile | Tableau Public Desktop
Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: Medium

CVSS3 Score: AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N - 4.7 Medium


Vulnerable versions:

  • Tableau Server on Windows 2018.2 through 2018.2.9
  • Tableau Server on Windows 2018.3 through 2018.3.6
  • Tableau Server on Windows 2019.1 through 2019.1.3

  • Tableau Server on Linux 2018.2 through 2018.2.9
  • Tableau Server on Linux 2018.3 through 2018.3.6
  • Tableau Server on Linux 2019.1 through 2019.1.3


Resolved in versions:

  • Tableau Server on Windows 2018.2.10
  • Tableau Server on Windows 2019.3.7
  • Tableau Server on Windows 2019.1.4

  • Tableau Server on Linux 2018.2.10
  • Tableau Server on Linux 2019.3.7
  • Tableau Server on Linux 2019.1.4


Tableau Desktop

Severity: N/A

CVSS3 Score: N/A

Product specific notes:  Not affected.


Tableau Bridge

Severity: N/A

CVSS3 Score: N/A

Product specific notes:  Not affected.


Tableau Prep Builder

Severity: N/A

CVSS3 Score: N/A

Product specific notes:  Not affected.


Tableau Reader

Severity: N/A

CVSS3 Score: N/A

Product specific notes:  Not affected.


Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Public Desktop

Severity: N/A

CVSS3 Score: N/A

Product specific notes:  Not affected.

Severity: Medium

 

Summary: Tableau Prep does not properly validate filenames when opening a maliciously-crafted Packaged Tableau Flow File (.tflx). The resulting files can be written outside of the intended temporary location.

 

Impact: A Tableau Prep user who opens a maliciously-crafted Tableau Flow File can unknowingly write and overwrite files to any location the user has access to.

 

Vulnerable Versions:  The following versions have this vulnerability:

Tableau Prep: 2018.1 through 2018.1.2

 

Resolution: The issue can be fixed by upgrading to the following version:

Tableau Prep: 2018.2.1

Summary: Tableau Software has confirmed that currently supported versions of Tableau Server are not impacted by CVE-2017-12615, CVE-2017-12616 or CVE-2017-12617. 

 

Tableau Server uses a vulnerable version of Apache Tomcat, but the implementation does not set the readonly initialization parameter, as specified in CVE-2017-12615 and CVE-2017-12617.   Additionally, Tableau Server does not implement VirtualDirContexts as specified in CVE-2017-12616. 

 

Apache Tomcat will be updated to a later version in a future maintenance release.  

Severity: High

 

Summary: Tableau Desktop and Tableau Server use a version of FlexNet Publisher that contains a vulnerability. The vulnerability can be exploited by malicious, local users on Windows systems.

 

Impact: Attackers may gain elevated privileges on the computer running Tableau Desktop for Windows or on Tableau Server.

Vulnerable Versions: Tableau Desktop for Windows and Tableau Server 9.0.0 (through 9.0.23), 9.1.0 (through 9.1.20), 9.2.0 (through 9.2.19), 9.3.0 (through 9.3.17), 10.0.0 (through 10.0.12), 10.1.0 (through 10.1.10), 10.2.0 (through 10.2.4), 10.3.0 (through 10.3.2) and 10.4.0.

 

Mitigation: None.

 

Resolution: The issue can be fixed by upgrading to the following versions:

 

Tableau Server and Tableau Desktop 9.0.24

Tableau Server and Tableau Desktop 9.1.21

Tableau Server and Tableau Desktop 9.2.20

Tableau Server and Tableau Desktop 9.3.18

Tableau Server and Tableau Desktop 10.0.13

Tableau Server and Tableau Desktop 10.1.11

Tableau Server and Tableau Desktop 10.2.5

Tableau Server and Tableau Desktop 10.3.3

Tableau Server and Tableau Desktop 10.4.1

 

More information: https://nvd.nist.gov/vuln/detail/CVE-2016-10395

 

Updates:

 

9/20/17 - corrected Resolution to include Tableau Desktop

9/25/17 - added 10.4 to the Vulnerable Versions List

10/18/17 - updated Resolution to include versions 9.0-9.3

11/9/17 - updated Resolution to include version 10.4

Severity: Medium

 

Summary: The latest release of Tableau Server includes an updated version of Apache HTTPD (2.4.26). Apache HTTPD 2.4.26 fixes five vulnerabilities. Specifically, Apache HTTPD 2.4.26 fixes a MIME overread vulnerability (CVE-2017-7679) that exposes the potential to disclose sensitive information.

 

Impact: A malicious exploit of the MIME overread vulnerability could result in sensitive information disclosure.

 

Vulnerable Versions: Tableau Server 9.0.0 (through 9.0.23), 9.1.0 (through 9.1.20), 9.2.0 (through 9.2.19), 9.3.0 (through 9.3.17), 10.0.0 (through 10.0.12), 10.1.0 (through 10.1.10), 10.2.0 (through 10.2.4), 10.3.0 (through 10.3.2)

 

Resolution: The issue can be fixed by upgrading to the following versions:

 

Tableau Server 9.0.24

Tableau Server 9.1.21

Tableau Server 9.2.20

Tableau Server 9.3.18

Tableau Server 10.0.13

Tableau Server 10.1.11

Tableau Server 10.2.5

Tableau Server 10.3.3

 

More information: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7679

 

Updates:

10/18/2017 - updated resolution to include fixes in 9.0 through 9.3