Skip navigation
1 2 3 Previous Next

Security Bulletins

45 Posts authored by: Tyler Reeves Employee

Highest overall severity: Medium


Summary:

Users accessing Tableau Server with Web Editing may not be prompted to authenticate to a connected data source when accesing a workbook with embedded credentials.


Impact:

A user who has Web Edit permissions on a workbook with embedded credentials will be able to see fields that are not in the views. The user will also be able to perform queries against the datasource without having to authenticate.


Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep Builder | Tableau Reader | Tableau Mobile | Tableau Public Desktop
Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: Medium
CVSS3 Score: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N - 6.5


Vulnerable versions:

  • Tableau Server on Windows 10.2 through 10.2.21
  • Tableau Server on Windows 10.3 through 10.3.21
  • Tableau Server on Windows 10.4 through 10.4.17
  • Tableau Server on Windows 10.5 through 10.5.16
  • Tableau Server on Windows 2018.1 through 2018.1.13
  • Tableau Server on Windows 2018.2 through 2018.2.10
  • Tableau Server on Windows 2018.3 through 2018.3.7

  • Tableau Server on Linux 10.5 through 10.5.16
  • Tableau Server on Linux 2018.1 through 2018.1.13
  • Tableau Server on Linux 2018.2 through 2018.2.10
  • Tableau Server on Linux 2018.3 through 2018.3.7


Resolved in versions:

  • Tableau Server on Windows 10.2.22
  • Tableau Server on Windows 10.3.22
  • Tableau Server on Windows 10.4.18
  • Tableau Server on Windows 10.5.17
  • Tableau Server on Windows 2018.1.14
  • Tableau Server on Windows 2018.2.11
  • Tableau Server on Windows 2018.3.8

  • Tableau Server on Linux 10.5.17
  • Tableau Server on Linux 2018.1.14
  • Tableau Server on Linux 2018.2.11
  • Tableau Server on Linux 2018.3.8


Tableau Desktop (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Bridge (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Prep Builder (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Reader (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Mobile (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Public Desktop (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.

Highest overall severity: Medium


Summary:

Tableau Server writes the complete SAML AuthnResponse to the log file when loglevel is set to debug. This happens for both site SAML and server-wide SAML scenarios.


Impact:

An attacker who can access the log file can attempt to replay the AuthnResponse. In some cases, replaying the AuthnResponse may allow an attacker to authenticate as a different user.


Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep Builder | Tableau Reader | Tableau Mobile | Tableau Public Desktop
Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: Medium
CVSS3 Score: AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N - 4.4 Medium


Vulnerable versions:

  • Tableau Server on Windows 10.2 through 10.2.21
  • Tableau Server on Windows 10.3 through 10.3.21
  • Tableau Server on Windows 10.4 through 10.4.17
  • Tableau Server on Windows 10.5 through 10.5.16
  • Tableau Server on Windows 2018.1 through 2018.1.13
  • Tableau Server on Windows 2018.2 through 2018.2.10
  • Tableau Server on Windows 2018.3 through 2018.3.7
  • Tableau Server on Windows 2019.1 through 2019.1.4
  • Tableau Server on Windows 2019.2 through 2019.2.0

  • Tableau Server on Linux 10.5 through 10.5.16
  • Tableau Server on Linux 2018.1 through 2018.1.13
  • Tableau Server on Linux 2018.2 through 2018.2.10
  • Tableau Server on Linux 2018.3 through 2018.3.7
  • Tableau Server on Linux 2019.1 through 2019.1.4
  • Tableau Server on Linux 2019.2 through 2019.2.0


Resolved in versions:

  • Tableau Server on Windows 10.2.22
  • Tableau Server on Windows 10.3.22
  • Tableau Server on Windows 10.4.18
  • Tableau Server on Windows 10.5.17
  • Tableau Server on Windows 2018.1.14
  • Tableau Server on Windows 2018.2.11
  • Tableau Server on Windows 2018.3.8
  • Tableau Server on Windows 2019.1.5
  • Tableau Server on Windows 2019.2.1

  • Tableau Server on Linux 10.5.17
  • Tableau Server on Linux 2018.1.14
  • Tableau Server on Linux 2018.2.11
  • Tableau Server on Linux 2018.3.8
  • Tableau Server on Linux 2019.1.5
  • Tableau Server on Linux 2019.2.1


Tableau Desktop (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Bridge (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Prep Builder (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Reader (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Mobile (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Public Desktop (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.

Highest overall severity: Medium


Summary:

The debug logs that Tableau Mobile generates contain sensitive tokens such as the workgroupsessionid and access_token cookies.


Impact:

A person with access to these debug logs and access to the Tableau Server instance that they are associated with could use them to authenticate to the Tableau Server instance.


Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep Builder | Tableau Reader | Tableau Mobile | Tableau Public Desktop
Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Desktop (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Bridge (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Prep Builder (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Reader (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Mobile (Back to top of page)

Severity: Medium
CVSS3 Score: AV:L AC:L PR:H UI:R S:U C:H I:N A:N - 4.2 Medium

Vulnerable versions:

  • Tableau Mobile 19.225.1731 through 19.402.1795

Resolved in versions:

  • Tableau Mobile 19.430.1863


Tableau Public Desktop (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.

Highest overall severity: Medium


Summary:

Tableau Server is upgrading to OpenSSL version 1.0.2r to address CVE-2019-1559.

While other Tableau products include OpenSSL, and are being upgraded as well, this attack can not be performed on those products. Only Tableau Server is vulnerable.


Impact:

An attacker that successfully exploits this vulnerability will be able to learn the contents of communication between Tableau Server and clients. This can include sensitive values such as cookies.


Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep Builder | Tableau Reader | Tableau Mobile | Tableau Public Desktop
Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: Medium
CVSS3 Score: AV:N AC:H PR:N UI:N S:U C:H I:N A:N - 5.9 Medium


Vulnerable versions:

  • Tableau Server on Windows 10.1 through 10.1.23
  • Tableau Server on Windows 10.2 through 10.2.19
  • Tableau Server on Windows 10.3 through 10.3.19
  • Tableau Server on Windows 10.4 through 10.4.15
  • Tableau Server on Windows 10.5 through 10.5.14
  • Tableau Server on Windows 2018.1 through 2018.1.11
  • Tableau Server on Windows 2018.2 through 2018.2.8
  • Tableau Server on Windows 2018.3 through 2018.3.5
  • Tableau Server on Windows 2019.1 through 2019.1.2

  • Tableau Server on Linux 10.5 through 10.5.14
  • Tableau Server on Linux 2018.1 through 2018.1.11
  • Tableau Server on Linux 2018.2 through 2018.2.8
  • Tableau Server on Linux 2018.3 through 2018.3.5
  • Tableau Server on Linux 2019.1 through 2019.1.2


Resolved in versions:

  • Tableau Server on Windows 10.1.24
  • Tableau Server on Windows 10.2.20
  • Tableau Server on Windows 10.3.20
  • Tableau Server on Windows 10.4.16
  • Tableau Server on Windows 10.5.15
  • Tableau Server on Windows 2018.1.12
  • Tableau Server on Windows 2018.2.9
  • Tableau Server on Windows 2018.3.6
  • Tableau Server on Windows 2019.1.3

  • Tableau Server on Linux 10.5.15
  • Tableau Server on Linux 2018.1.12
  • Tableau Server on Linux 2018.2.9
  • Tableau Server on Linux 2018.3.6
  • Tableau Server on Linux 2019.1.3


Tableau Desktop (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Bridge (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Prep Builder (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Reader (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Mobile (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Public Desktop (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.

Highest overall severity: High


Summary:

Tableau Server fails to properly sanitize certain strings when rendering a published workbook, which results in a cross-site scripting vulnerability. An authenticated user with publishing permissions may publish a workbook to Tableau Server which can trigger this vulnerability.


Impact:

When users open the modified workbook with a specially crafted URL, arbitrary JavaScript can run in the browser session.


Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep Builder | Tableau Reader | Tableau Mobile | Tableau Public Desktop
Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: High
CVSS3 Score: AV:N AC:L PR:L UI:R S:U C:H I:H A:H - 8.0 High


Vulnerable versions:

  • Tableau Server on Windows 10.1 through 10.1.23
  • Tableau Server on Windows 10.2 through 10.2.19
  • Tableau Server on Windows 10.3 through 10.3.19
  • Tableau Server on Windows 10.4 through 10.4.15
  • Tableau Server on Windows 10.5 through 10.5.14
  • Tableau Server on Windows 2018.1 through 2018.1.11
  • Tableau Server on Windows 2018.2 through 2018.2.8
  • Tableau Server on Windows 2018.3 through 2018.3.5

  • Tableau Server on Linux 10.5 through 10.5.14
  • Tableau Server on Linux 2018.1 through 2018.1.11
  • Tableau Server on Linux 2018.2 through 2018.2.8
  • Tableau Server on Linux 2018.3 through 2018.3.5


Resolved in versions:

  • Tableau Server on Windows 10.1.24
  • Tableau Server on Windows 10.2.20
  • Tableau Server on Windows 10.3.20
  • Tableau Server on Windows 10.4.16
  • Tableau Server on Windows 10.5.15
  • Tableau Server on Windows 2018.1.12
  • Tableau Server on Windows 2018.2.9
  • Tableau Server on Windows 2018.3.6

  • Tableau Server on Linux 10.5.15
  • Tableau Server on Linux 2018.1.12
  • Tableau Server on Linux 2018.2.9
  • Tableau Server on Linux 2018.3.6


Tableau Desktop (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Bridge (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Prep Builder (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Reader (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Mobile (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Public Desktop (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.

Highest overall severity: Medium


Summary:

Tableau Sever logs the password used to authenticate to the SMTP server. The password is stored encrypted in the parameter, svcmonitor.notification.smtp.password. However, the password is logged in plaintext when an email is sent by Tableau Server.


Impact:

An attacker with access to the Tableau Server logs can learn the account and password used to authenticate to the SMTP server.


Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep Builder | Tableau Reader | Tableau Mobile | Tableau Public Desktop
Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: Medium
CVSS3 Score: AV:L AC:L PR:H UI:N S:U C:H I:N A:N - 4.4 Medium


Vulnerable versions:

  • Tableau Server on Windows 2018.3.0 through 2018.3.5
  • Tableau Server on Windows 2019.1.0 through 2019.1.2

  • Tableau Server on Linux 2018.3.0 through 2018.3.5
  • Tableau Server on Linux 2019.1.0 through 2019.1.2


Resolved in versions:

  • Tableau Server on Windows 2018.3.6
  • Tableau Server on Windows 2019.1.3

  • Tableau Server on Linux 2018.3.6
  • Tableau Server on Linux 2019.1.3


Tableau Desktop (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Bridge (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Prep Builder (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Reader (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Mobile (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Public Desktop (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.

Highest overall severity: Medium


Summary:

OAuth accesstoken and refreshtoken are logged when connecting to certain data sources that use OAuth authentication.


Impact:

An attacker with access to Tableau Server logs can learn the accesstoken and refreshtoken and gain access to the target data source.


Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep Builder | Tableau Reader | Tableau Mobile | Tableau Public Desktop
Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: Medium
CVSS3 Score: AV:L AC:L PR:H UI:N S:U C:H I:N A:N - 4.4 Medium
Product specific notes:
       When creating connections to certain data sources that use OAuth via Web Authoring, the accesstoken and refreshtoken will be logged.


Vulnerable versions:

  • Tableau Server on Windows 2019.1 through 2019.1.2

  • Tableau Server on Linux 2019.1 through 2019.1.2


Resolved in versions:

  • Tableau Server on Windows 2019.1.3

  • Tableau Server on Linux 2019.1.3


Tableau Desktop (Back to top of page)

Severity: Medium
CVSS3 Score: AV:L AC:L PR:H UI:N S:U C:H I:N A:N - 4.4 Medium
Product specific notes:
       When creating connections to certain data sources that use OAuth via Web Authoring, the accesstoken and refreshtoken will be logged.


Vulnerable versions:

  • Tableau Desktop on Windows 2019.1 through 2019.1.2

  • Tableau Desktop on Mac 2019.1 through 2019.1.2


Resolved in versions:

  • Tableau Desktop on Windows 2019.1.3

  • Tableau Desktop on Mac 2019.1.3


Tableau Bridge (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Prep Builder (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Reader (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Mobile (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Public Desktop (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.

Highest overall severity: Medium


Summary:

The Tableau Prep Builder CLI tool logs complete requests made to Tableau Server. The sign in request contains the username and password used to authenticate to Tableau Server when publishing a data source.


Impact:

Users with access to the Tableau Prep Builder CLI log files can learn the username and password used to authenticate to Tableau Server.


Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep Builder | Tableau Reader | Tableau Mobile | Tableau Public Desktop
Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Desktop (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Bridge (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Prep Builder (Back to top of page)

Severity: Medium
CVSS3 Score: AV:L AC:L PR:L UI:N S:U C:H I:N A:N - 5.5 Medium
Product specific notes:


Vulnerable versions:

  • Tableau Prep Builder 2018.1.1 through 2019.1.3


Resolved in versions:

  • Tableau Prep Builder 2019.1.4


Tableau Reader (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Mobile (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Public Desktop (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.

Highest overall severity: Medium


Summary:

When a Web Data Connector (WDC) is added to Tableau Server the --secondary option can be used to specify a safe list of URLs. The safe list defines URLs that the WDC is allowed to make requests to or to receive data from. The resulting safe list is not evaluated when performing an "Incremental Refresh".


Impact:

A malicious WDC that has been added to a Tableau Server instance with a secondary safe list can make requests to any URL when an "Incremental Refresh" operation is performed.


Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep Builder | Tableau Reader | Tableau Mobile | Tableau Public Desktop
Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: Medium
CVSS3 Score: AV:N AC:L PR:H UI:N S:C C:L I:L A:N - 5.5 Medium


Vulnerable versions:

  • Tableau Server on Windows 10.1 through 10.1.23
  • Tableau Server on Windows 10.2 through 10.2.19
  • Tableau Server on Windows 10.3 through 10.3.19
  • Tableau Server on Windows 10.4 through 10.4.14
  • Tableau Server on Windows 10.5 through 10.5.13
  • Tableau Server on Windows 2018.1 through 2018.1.10
  • Tableau Server on Windows 2018.2 through 2018.2.7
  • Tableau Server on Windows 2018.3 through 2018.3.4
  • Tableau Server on Windows 2019.1 through 2019.1.1

  • Tableau Server on Linux 10.5 through 10.5.13
  • Tableau Server on Linux 2018.1 through 2018.1.10
  • Tableau Server on Linux 2018.2 through 2018.2.7
  • Tableau Server on Linux 2018.3 through 2018.3.4
  • Tableau Server on Linux 2019.1 through 2019.1.1


Resolved in versions:

  • Tableau Server on Windows 10.1.24
  • Tableau Server on Windows 10.2.20
  • Tableau Server on Windows 10.3.20
  • Tableau Server on Windows 10.4.15
  • Tableau Server on Windows 10.5.14
  • Tableau Server on Windows 2018.1.11
  • Tableau Server on Windows 2018.2.8
  • Tableau Server on Windows 2018.3.5
  • Tableau Server on Windows 2019.1.2

  • Tableau Server on Linux 10.5.14
  • Tableau Server on Linux 2018.1.11
  • Tableau Server on Linux 2018.2.8
  • Tableau Server on Linux 2018.3.5
  • Tableau Server on Linux 2019.1.2


Tableau Desktop (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Bridge (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Prep Builder (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Reader (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Mobile (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Public Desktop (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.

Highest overall severity: High


Summary:

Two CVEs related to NTLM authentication with libcurl are addressed.
CVE-2018-16890
CVE-2019-3822


Impact:

When using NTLM to authenticate to a web site there is a possibility of an out-of-bounds read and write. This could lead to remote code execution or a crash.


Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep Builder | Tableau Reader | Tableau Mobile | Tableau Public Desktop
Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Desktop (Back to top of page)

Severity: High CVSS3 Score: AV:N AC:H PR:N UI:R S:U C:H I:H A:H - 7.5
Product specific notes:
       Opening a malicious workbook or connecting to a malicious Tableau Server instance can trigger this vulnerability.


Vulnerable versions:

  • Tableau Desktop on Windows 10.1 through 10.1.22
  • Tableau Desktop on Windows 10.2 through 10.2.18
  • Tableau Desktop on Windows 10.3 through 10.3.18
  • Tableau Desktop on Windows 10.4 through 10.4.14
  • Tableau Desktop on Windows 10.5 through 10.5.13
  • Tableau Desktop on Windows 2018.1 through 2018.1.10
  • Tableau Desktop on Windows 2018.2 through 2018.2.7
  • Tableau Desktop on Windows 2018.3 through 2018.3.4
  • Tableau Desktop on Windows 2019.1 through 2019.1.1

  • Tableau Desktop on Mac 10.1 through 10.1.22
  • Tableau Desktop on Mac 10.2 through 10.2.18
  • Tableau Desktop on Mac 10.3 through 10.3.18
  • Tableau Desktop on Mac 10.4 through 10.4.14
  • Tableau Desktop on Mac 10.5 through 10.5.13
  • Tableau Desktop on Mac 2018.1 through 2018.1.10
  • Tableau Desktop on Mac 2018.2 through 2018.2.7
  • Tableau Desktop on Mac 2018.3 through 2018.3.4
  • Tableau Desktop on Mac 2019.1 through 2019.1.1


Resolved in versions:

  • Tableau Desktop on Windows 10.1.23
  • Tableau Desktop on Windows 10.2.19
  • Tableau Desktop on Windows 10.3.19
  • Tableau Desktop on Windows 10.4.15
  • Tableau Desktop on Windows 10.5.14
  • Tableau Desktop on Windows 2018.1.11
  • Tableau Desktop on Windows 2018.2.8
  • Tableau Desktop on Windows 2018.3.5
  • Tableau Desktop on Windows 2019.1.2

  • Tableau Desktop on Mac 10.1.23
  • Tableau Desktop on Mac 10.2.19
  • Tableau Desktop on Mac 10.3.19
  • Tableau Desktop on Mac 10.4.15
  • Tableau Desktop on Mac 10.5.14
  • Tableau Desktop on Mac 2018.1.11
  • Tableau Desktop on Mac 2018.2.8
  • Tableau Desktop on Mac 2018.3.5
  • Tableau Desktop on Mac 2019.1.2


Tableau Bridge (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Prep Builder (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Reader (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Mobile (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Public Desktop (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.

Highest overall severity: High


Summary:

A user connecting to a malicious Web Data Connector with Tableau Desktop on Mac can trigger a vulnerability.


Impact:

An attacker exploiting this vulnerability may be able to execute arbitrary code or cause a crash.


Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep Builder | Tableau Reader | Tableau Mobile | Tableau Public Desktop
Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Desktop (Back to top of page)

Severity: High
CVSS3 Score: AV:N AC:H PR:N UI:R S:U C:H I:H A:H - 7.0 High


Vulnerable versions:

  • Tableau Desktop on Mac 10.1 through 10.1.22
  • Tableau Desktop on Mac 10.2 through 10.2.18


Resolved in versions:

  • Tableau Desktop on Mac 10.1.23
  • Tableau Desktop on Mac 10.2.19


Tableau Bridge (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Prep Builder (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Reader (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Mobile (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Public Desktop (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.

Highest overall severity: High


Summary:

When Tableau Desktop publishes a workbook it generates thumbnails for the sheets and dashboards in that workbook. If the workbook connects to a published data source that includes user functions, then Tableau will generate thumbnails based on the access and group membership of the user who published the data source.


Impact:

A user who can view the thumbnail images for a workbook will be able to see a static image of the workbook as it existed at publishing time for the original user who published the data source. The thumbnail image may contain data that the viewer does not otherwise have permission to view.


Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep Builder | Tableau Reader | Tableau Mobile | Tableau Public Desktop
Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Desktop (Back to top of page)

Severity: High
CVSS3 Score: AV:N AC:L PR:L UI:R S:U C:H I:N A:N CR:H - 7.5 High


Vulnerable versions:

  • Tableau Desktop on Windows 10.1 through 10.1.22
  • Tableau Desktop on Windows 10.2 through 10.2.18
  • Tableau Desktop on Windows 10.3 through 10.3.18
  • Tableau Desktop on Windows 10.4 through 10.4.14
  • Tableau Desktop on Windows 10.5 through 10.5.13
  • Tableau Desktop on Windows 2018.1 through 2018.1.10
  • Tableau Desktop on Windows 2018.2 through 2018.2.7
  • Tableau Desktop on Windows 2018.3 through 2018.3.4
  • Tableau Desktop on Windows 2019.1 through 2019.1.0 (2019.1.1 was a Tableau Server only release)

  • Tableau Desktop on Mac 10.1 through 10.1.22
  • Tableau Desktop on Mac 10.2 through 10.2.18
  • Tableau Desktop on Mac 10.3 through 10.3.18
  • Tableau Desktop on Mac 10.4 through 10.4.14
  • Tableau Desktop on Mac 10.5 through 10.5.13
  • Tableau Desktop on Mac 2018.1 through 2018.1.10
  • Tableau Desktop on Mac 2018.2 through 2018.2.7
  • Tableau Desktop on Mac 2018.3 through 2018.3.4
  • Tableau Desktop on Mac 2019.1 through 2019.1.0 (2019.1.1 was a Tableau Server only release)


Resolved in versions:

  • Tableau Desktop on Windows 10.1.23
  • Tableau Desktop on Windows 10.2.19
  • Tableau Desktop on Windows 10.3.19
  • Tableau Desktop on Windows 10.4.15
  • Tableau Desktop on Windows 10.5.14
  • Tableau Desktop on Windows 2018.1.11
  • Tableau Desktop on Windows 2018.2.8
  • Tableau Desktop on Windows 2018.3.5
  • Tableau Desktop on Windows 2019.1.2

  • Tableau Desktop on Mac 10.1.23
  • Tableau Desktop on Mac 10.2.19
  • Tableau Desktop on Mac 10.3.19
  • Tableau Desktop on Mac 10.4.15
  • Tableau Desktop on Mac 10.5.14
  • Tableau Desktop on Mac 2018.1.11
  • Tableau Desktop on Mac 2018.2.8
  • Tableau Desktop on Mac 2018.3.5
  • Tableau Desktop on Mac 2019.1.2


Tableau Bridge (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Prep Builder (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Reader (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Mobile (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Public Desktop (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.

Highest overall severity: High

 

Summary:

A user connecting to a malicious Tableau Server instance with Tableau Prep Builder can trigger a vulnerability in the version of Electron used by Tableau Prep Builder. Electron is an open-source development framework.

 

Impact:

An attacker exploiting this vulnerability may be able to execute arbitrary code or cause a crash.

 

Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep Builder | Tableau Reader | Tableau Mobile | Tableau Public Desktop
*Versions that are no longer supported are not tested and may be vulnerable.

 

Tableau Server

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.

 

Tableau Desktop (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.

 

Tableau Bridge (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.

Tableau Prep Builder (Back to top of page)

Severity: High
CVSS3 Score: AV:N AC:H PR:N UI:R S:U C:H I:H A:H - 7.5 High
Product specific notes:

 

Vulnerable versions:

  • Tableau Prep Builder 2018.1.1 through 2019.1.2

 

Resolved in versions:

  • Tableau Prep Builder 2019.1.3

 

Tableau Reader (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.

 

Tableau Mobile (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.

 

Tableau Public Desktop (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.

Highest overall severity: High

 

Summary:

The psqlODBC driver that is included with Tableau products contains a heap-based buffer overflow. We recommend that all Tableau users upgrade to psqlODBC 9.6.5.

 

Impact:

An attacker exploiting this vulnerability may be able to execute arbitrary code or cause a crash.

 

Mitigation:

Windows: For Tableau products running on Windows the latest PostgreSQL ODBC driver should be installed.
Mac: For Tableau products running on Mac the latest PostgreSQL ODBC driver should be installed.
Linux: For Tableau products running on Linux follow these directions:


On CentOS and RHEL:

Download the .rpm file.
To install the driver, run the following command:
    sudo yum install tableau-postgresql-odbc-09.06.0500-1.x86_64.rpm

On Ubuntu:

Download the .deb file.
To install the driver, run the following command:
    sudo gdebi tableau-postgresql-odbc_09.06.0500-2_amd64.deb

 

Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep Builder | Tableau Reader | Tableau Mobile | Tableau Public Desktop
Versions that are no longer supported are not tested and may be vulnerable.

 

Tableau Server

Severity: High CVSS3 Score: AV:N AC:L PR:L UI:N S:U C:H I:H A:H - 8.8 High
Product specific notes:
        An authenticated user who has permissions to publish a workbook to Tableau Server can trigger this vulnerability.

 

Tableau Server on Linux does not include the PostgreSQL ODBC driver by default, and is therefore not listed below. However, the PostgreSQL driver is required for Admin View functionality and is often installed by the administrator as part of the deployment process. If the driver has been installed then Tableau Server on Linux is vulnerable.

 

Vulnerable versions:

  • Tableau Server on Windows 10.0 through 10.0.22

Support for Tableau Sever on Windows 10.0 ended on Feb, 19, 2019 (Supported Versions)

No new releases of 10.0 are planned. It is recommended to apply the above mitigation.

 

  • Tableau Server on Windows 10.1 through 10.1.22
  • Tableau Server on Windows 10.2 through 10.2.18
  • Tableau Server on Windows 10.3 through 10.3.18
  • Tableau Server on Windows 10.4 through 10.4.14
  • Tableau Server on Windows 10.5 through 10.5.13
  • Tableau Server on Windows 2018.1 through 2018.1.10
  • Tableau Server on Windows 2018.2 through 2018.2.7
  • Tableau Server on Windows 2018.3 through 2018.3.4
  • Tableau Server on Windows 2019.1 through 2019.1.1

 

Resolved versions:

 

  • Tableau Server on Windows 10.1.23
  • Tableau Server on Windows 10.2.19
  • Tableau Server on Windows 10.3.19
  • Tableau Server on Windows 10.4.15
  • Tableau Server on Windows 10.5.14
  • Tableau Server on Windows 2018.1.11
  • Tableau Server on Windows 2018.2.8
  • Tableau Server on Windows 2018.3.5
  • Tableau Server on Windows 2019.1.2

 

Tableau Desktop (Back to top of page)

Severity: High CVSS3 Score: AV:L AC:L PR:N UI:R S:U C:H I:H A:H - 7.8 High
Product specific notes:

Opening a malicious workbook can trigger this vulnerability.

 

Tableau Desktop on Windows includes the 32-bit version of the psqlODBC driver. It is recommended that this driver be uninstalled. To uninstall the 32-bit version of the driver use Add/Remove Programs and uninstall 'psqlODBC'.

 

Vulnerable versions:

  • Tableau Desktop on Windows 10.0 through 10.0.21
  • Tableau Desktop on Windows 10.1 through 10.1.21
  • Tableau Desktop on Windows 10.2 through 10.2.17
  • Tableau Desktop on Windows 10.3 through 10.3.17
  • Tableau Desktop on Windows 10.4 through 10.4.13
  • Tableau Desktop on Windows 10.5 through 10.5.12
  • Tableau Desktop on Windows 2018.1 through 2018.1.9
  • Tableau Desktop on Windows 2018.2 through 2018.2.6
  • Tableau Desktop on Windows 2018.3 through 2018.3.3
  • Tableau Desktop on Windows 2019.1 through 2019.1.0 (2019.1.1 was a Tableau Server only release)

 

  • Tableau Desktop on Mac 10.2 through 10.2.17
  • Tableau Desktop on Mac 10.3 through 10.3.17
  • Tableau Desktop on Mac 10.4 through 10.4.13
  • Tableau Desktop on Mac 10.5 through 10.5.12
  • Tableau Desktop on Mac 2018.1 through 2018.1.9
  • Tableau Desktop on Mac 2018.2 through 2018.2.6
  • Tableau Desktop on Mac 2018.3 through 2018.3.3
  • Tableau Desktop on Mac 2019.1 through 2019.1.0 (2019.1.1 was a Tableau Server only release)

 

Resolved in versions:

  • Tableau Desktop on Windows 10.0.22
  • Tableau Desktop on Windows 10.1.22
  • Tableau Desktop on Windows 10.2.18
  • Tableau Desktop on Windows 10.3.18
  • Tableau Desktop on Windows 10.4.14
  • Tableau Desktop on Windows 10.5.13
  • Tableau Desktop on Windows 2018.1.10
  • Tableau Desktop on Windows 2018.2.7
  • Tableau Desktop on Windows 2018.3.4
  • Tableau Desktop on Windows 2019.1.2

 

  • Tableau Desktop on Mac 10.2.18
  • Tableau Desktop on Mac 10.3.18
  • Tableau Desktop on Mac 10.4.14
  • Tableau Desktop on Mac 10.5.13
  • Tableau Desktop on Mac 2018.1.10
  • Tableau Desktop on Mac 2018.2.7
  • Tableau Desktop on Mac 2018.3.4
  • Tableau Desktop on Mac 2019.1.2

 

Tableau Bridge (Back to top of page)

Severity: High CVSS3 Score: AV:N AC:L PR:L UI:N S:U C:H I:H A:H - 8.8 High
Product specific notes:
      Opening a malicious data source can trigger this vulnerability.

 

Vulnerable versions:

  • Tableau Bridge 2018.2 through 20191.19.0204.1456

 

Resolved in versions:

  • Tableau Bridge 20191.19.0311.1807

 

Tableau Prep Builder (Back to top of page)

Severity: High CVSS3 Score: AV:L AC:L PR:N UI:R S:U C:H I:H A:H - 7.8 High
Product specific notes:
      Opening a malicious flow can trigger this vulnerability.

 

Vulnerable versions:

  • Tableau Prep Builder 2018.1.1 through 2019.1.2

 

Resolved in versions:

  • Tableau Prep Builder 2019.1.3

 

Tableau Reader (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes:

Not affected.

 

Tableau Mobile (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes:

Not affected.

 

Tableau Public Desktop (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes:

Not affected.

Highest overall severity: High

 

Summary:

A heap based buffer overflow vulnerability exists in Tableau products.

 

Impact:

An attacker exploiting this vulnerability may be able to execute arbitrary code or cause a crash.

 

Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep | Tableau Reader | Tableau Mobile | Tableau Public Desktop
*Versions that are no longer supported are not tested and may be vulnerable.

 

Tableau Server

Severity: High CVSS3 Score: AV:N AC:L PR:L UI:N S:U C:H I:H A:H - 8.8 High
Product specific notes:
       An authenticated user that is able to publish a workbook to Tableau Server can trigger this vulnerability.

 

Vulnerable versions:

  • Tableau Server on Windows 10.0 through 10.0.21
  • Tableau Server on Windows 10.1 through 10.1.21
  • Tableau Server on Windows 10.2 through 10.2.17
  • Tableau Server on Windows 10.3 through 10.3.17
  • Tableau Server on Windows 10.4 through 10.4.13
  • Tableau Server on Windows 10.5 through 10.5.12
  • Tableau Server on Windows 2018.1 through 2018.1.9
  • Tableau Server on Windows 2018.2 through 2018.2.6
  • Tableau Server on Windows 2018.3 through 2018.3.3
  • Tableau Server on Windows 2019.1 through 2019.1.1

  • Tableau Server on Linux 10.5 through 10.5.12
  • Tableau Server on Linux 2018.1 through 2018.1.9
  • Tableau Server on Linux 2018.2 through 2018.2.6
  • Tableau Server on Linux 2018.3 through 2018.3.3
  • Tableau Server on Linux 2019.1 through 2019.1.1

 

Resolved in versions:

  • Tableau Server on Windows 10.0.22
  • Tableau Server on Windows 10.1.22
  • Tableau Server on Windows 10.2.18
  • Tableau Server on Windows 10.3.18
  • Tableau Server on Windows 10.4.14
  • Tableau Server on Windows 10.5.13
  • Tableau Server on Windows 2018.1.10
  • Tableau Server on Windows 2018.2.7
  • Tableau Server on Windows 2018.3.4
  • Tableau Server on Windows 2019.1.2

  • Tableau Server on Linux 10.5.13
  • Tableau Server on Linux 2018.1.10
  • Tableau Server on Linux 2018.2.7
  • Tableau Server on Linux 2018.3.4
  • Tableau Server on Linux 2019.1.2

 

Tableau Desktop (Back to top of page)

Severity: High CVSS3 Score: AV:L AC:L PR:N UI:R S:U C:H I:H A:H - 7.8 High
Product specific notes:
       Opening a malicious workbook can trigger this vulnerability.

 

Vulnerable versions:

  • Tableau Desktop on Windows 10.0 through 10.0.21
  • Tableau Desktop on Windows 10.1 through 10.1.21
  • Tableau Desktop on Windows 10.2 through 10.2.17
  • Tableau Desktop on Windows 10.3 through 10.3.17
  • Tableau Desktop on Windows 10.4 through 10.4.13
  • Tableau Desktop on Windows 10.5 through 10.5.12
  • Tableau Desktop on Windows 2018.1 through 2018.1.9
  • Tableau Desktop on Windows 2018.2 through 2018.2.6
  • Tableau Desktop on Windows 2018.3 through 2018.3.3
  • Tableau Desktop on Windows 2019.1 through 2019.1.0 (2019.1.1 was a Tableau Server only release)

  • Tableau Desktop on Mac 10.0 through 10.0.21
  • Tableau Desktop on Mac 10.1 through 10.1.21
  • Tableau Desktop on Mac 10.2 through 10.2.17
  • Tableau Desktop on Mac 10.3 through 10.3.17
  • Tableau Desktop on Mac 10.4 through 10.4.13
  • Tableau Desktop on Mac 10.5 through 10.5.12
  • Tableau Desktop on Mac 2018.1 through 2018.1.9
  • Tableau Desktop on Mac 2018.2 through 2018.2.6
  • Tableau Desktop on Mac 2018.3 through 2018.3.3
  • Tableau Desktop on Mac 2019.1 through 2019.1.0 (2019.1.1 was a Tableau Server only release)

 

Resolved in versions:

  • Tableau Desktop on Windows 10.0.22
  • Tableau Desktop on Windows 10.1.22
  • Tableau Desktop on Windows 10.2.18
  • Tableau Desktop on Windows 10.3.18
  • Tableau Desktop on Windows 10.4.14
  • Tableau Desktop on Windows 10.5.13
  • Tableau Desktop on Windows 2018.1.10
  • Tableau Desktop on Windows 2018.2.7
  • Tableau Desktop on Windows 2018.3.4
  • Tableau Desktop on Windows 2019.1.2

  • Tableau Desktop on Mac 10.0.22
  • Tableau Desktop on Mac 10.1.22
  • Tableau Desktop on Mac 10.2.18
  • Tableau Desktop on Mac 10.3.18
  • Tableau Desktop on Mac 10.4.14
  • Tableau Desktop on Mac 10.5.13
  • Tableau Desktop on Mac 2018.1.10
  • Tableau Desktop on Mac 2018.2.7
  • Tableau Desktop on Mac 2018.3.4
  • Tableau Desktop on Mac 2019.1.2

 

Tableau Bridge (Back to top of page)

Severity: High
CVSS3 Score: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H - 7.5 High

 

Vulnerable versions:

  • Tableau Bridge 2018.2 through 20191.19.0204.1456

 

Resolved in versions:

  • Tableau Bridge 20191.19.0311.1807

 

Tableau Prep (Back to top of page)

Severity: High
CVSS3 Score: AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H - 7.0 High
Product specific notes:
       Opening malicious flows may trigger this vulnerability.

 

Vulnerable versions:

  • Tableau Prep 2018.1.1 through 2019.1.2

 

Resolved versions:

  • Tableau Prep 2019.1.3

 

Tableau Reader (Back to top of page)

Severity: High
CVSS3 Score: AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H - 7.0 High

Product specific notes:
       Opening malicious workbooks may trigger this vulnerability.

 

Vulnerable versions:

  • Tableau Reader 10.0 through 2019.1.0 (2019.1.1 was a Tableau Server only release)

 

Resolved versions:

  • Tableau Reader 2019.1.2

 

Tableau Mobile (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product specific notes:

Not affected.

 

Tableau Public Desktop (Back to top of page)

Severity: High
CVSS3 Score: AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H - 7.0 High
Product specific notes:
       Opening malicious workbooks may trigger this vulnerability

 

Vulnerable versions:

  • Tableau Public Desktop on Windows 10.0 through 2019.1.0 (2019.1.1 was a Tableau Server only release)

 

  • Tableau Public Desktop on Mac 10.0 through 2019.1.0 (2019.1.1 was a Tableau Server only release)

 

Resolved versions:

  • Tableau Public Desktop on Windows 2019.1.2

  • Tableau Public Desktop on Mac 2019.1.2

 

Acknowledgement:
This vulnerability was discovered by Kushal Arvind Shah of Fortinet's FortiGuard Labs.