Security Bulletins


Highest overall severity: High

 

Summary:

An XXE vulnerability exists in Tableau products.

 

Impact:

This vulnerability can result in information disclosure or denial of service.


Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep Builder | Tableau Reader | Tableau Mobile | Tableau Public Desktop
Versions that are no longer supported are not tested and may be vulnerable.

 

Tableau Server

Severity: High
CVSS3 Score: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L - 7.1 High
Product Specific Notes: Malicious workbooks, data sources, and extensions files that are published or used on Tableau Server can trigger this vulnerability.

 

Vulnerable versions:

  • Tableau Server on Linux 10.5 through 10.5.18
  • Tableau Server on Linux 2018.1 through 2018.1.15
  • Tableau Server on Linux 2018.2 through 2018.2.12
  • Tableau Server on Linux 2018.3 through 2018.3.9
  • Tableau Server on Linux 2019.1 through 2019.1.6
  • Tableau Server on Linux 2019.2 through 2019.2.2

  • Tableau Server on Windows 10.2 through 10.2.23
  • Tableau Server on Windows 10.3 through 10.3.23
  • Tableau Server on Windows 10.4 through 10.4.19
  • Tableau Server on Windows 10.5 through 10.5.18
  • Tableau Server on Windows 2018.1 through 2018.1.15
  • Tableau Server on Windows 2018.2 through 2018.2.12
  • Tableau Server on Windows 2018.3 through 2018.3.9
  • Tableau Server on Windows 2019.1 through 2019.1.6
  • Tableau Server on Windows 2019.2 through 2019.2.2

 

Resolved in versions:

  • Tableau Server on Linux 10.5.19
  • Tableau Server on Linux 2018.1.16
  • Tableau Server on Linux 2018.2.13
  • Tableau Server on Linux 2018.3.10
  • Tableau Server on Linux 2019.1.7
  • Tableau Server on Linux 2019.2.3

  • Tableau Server on Windows 10.2.24
  • Tableau Server on Windows 10.3.24
  • Tableau Server on Windows 10.4.20
  • Tableau Server on Windows 10.5.19
  • Tableau Server on Windows 2018.1.16
  • Tableau Server on Windows 2018.2.13
  • Tableau Server on Windows 2018.3.10
  • Tableau Server on Windows 2019.1.7
  • Tableau Server on Windows 2019.2.3


Tableau Desktop

Severity: Medium
CVSS3 Score: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L - 6.1 Medium
Product Specific Notes: Opening malicious workbooks, data sources, or extensions may trigger this vulnerability.

 

Vulnerable versions:

  • Tableau Desktop on Mac 10.2 through 10.2.23
  • Tableau Desktop on Mac 10.3 through 10.3.23
  • Tableau Desktop on Mac 10.4 through 10.4.19
  • Tableau Desktop on Mac 10.5 through 10.5.18
  • Tableau Desktop on Mac 2018.1 through 2018.1.15
  • Tableau Desktop on Mac 2018.2 through 2018.2.12
  • Tableau Desktop on Mac 2018.3 through 2018.3.9
  • Tableau Desktop on Mac 2019.1 through 2019.1.6
  • Tableau Desktop on Mac 2019.2 through 2019.2.2

  • Tableau Desktop on Windows 10.2 through 10.2.23
  • Tableau Desktop on Windows 10.3 through 10.3.23
  • Tableau Desktop on Windows 10.4 through 10.4.19
  • Tableau Desktop on Windows 10.5 through 10.5.18
  • Tableau Desktop on Windows 2018.1 through 2018.1.15
  • Tableau Desktop on Windows 2018.2 through 2018.2.12
  • Tableau Desktop on Windows 2018.3 through 2018.3.9
  • Tableau Desktop on Windows 2019.1 through 2019.1.6
  • Tableau Desktop on Windows 2019.2 through 2019.2.2

 

Resolved in versions:

  • Tableau Desktop on Mac 10.2.24
  • Tableau Desktop on Mac 10.3.24
  • Tableau Desktop on Mac 10.4.20
  • Tableau Desktop on Mac 10.5.19
  • Tableau Desktop on Mac 2018.1.16
  • Tableau Desktop on Mac 2018.2.13
  • Tableau Desktop on Mac 2018.3.10
  • Tableau Desktop on Mac 2019.1.7
  • Tableau Desktop on Mac 2019.2.3

  • Tableau Desktop on Windows 10.2.24
  • Tableau Desktop on Windows 10.3.24
  • Tableau Desktop on Windows 10.4.20
  • Tableau Desktop on Windows 10.5.19
  • Tableau Desktop on Windows 2018.1.16
  • Tableau Desktop on Windows 2018.2.13
  • Tableau Desktop on Windows 2018.3.10
  • Tableau Desktop on Windows 2019.1.7
  • Tableau Desktop on Windows 2019.2.3


Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Prep Builder

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Reader

Severity: Medium
CVSS3 Score: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L - 6.1 Medium
Product Specific Notes: Opening malicious workbooks may trigger this vulnerability.

 

Vulnerable versions:

  • Tableau Reader on Mac 10.2 through 10.2.2

  • Tableau Reader on Windows 10.2 through 10.2.2

 

Resolved in versions:

  • Tableau Reader on Mac 2019.2.3

  • Tableau Reader on Windows 2019.2.3


Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Public Desktop

Severity: Medium
CVSS3 Score: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L - 6.1 Medium
Product Specific Notes: Opening malicious workbooks may trigger this vulnerability.

 

Vulnerable versions:

  • Tableau Public Desktop on Mac 10.2 through 10.2.2

  • Tableau Public Desktop on Windows 10.2 through 10.2.2

 

Resolved in versions:

  • Tableau Public Desktop on Mac 2019.2.3

  • Tableau Public Desktop on Windows 2019.2.3

 

Acknowledgement: Jarad Kopf of Deltek

Highest overall severity: Medium

 

Summary:

Tableau Server logs the password for the private key and keystore at upgrade time when tsm.controlapp.log.level is set to DEBUG.

 

Impact:

An attacker who has access to the log file can decrypt the key and keystore file to get the private keys.


Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep Builder | Tableau Reader | Tableau Mobile | Tableau Public Desktop
Versions that are no longer supported are not tested and may be vulnerable.

 

Tableau Server

Severity: Medium
CVSS3 Score: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N - 4.3 Medium
Product Specific Notes: Not affected.

Vulnerable versions:

  • Tableau Server on Linux 2019.2 through 2019.2.2

  • Tableau Server on Windows 2019.2 through 2019.2.2

 

Resolved in versions:

  • Tableau Server on Linux 2019.2.3

  • Tableau Server on Windows 2019.2.3


Tableau Desktop

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Prep Builder

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Reader

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.

Highest overall severity: High

 

Summary:

When a user publishes a malicious workbook to Tableau Server, certain path values are not validated. As a result, the malicious workbook may cause files on Tableau Server to be deleted.

 

Impact:

Tableau Server may stop operating if the Run As service account attempts to access a file that has been deleted.


Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep Builder | Tableau Reader | Tableau Mobile | Tableau Public Desktop
Versions that are no longer supported are not tested and may be vulnerable.

 

Tableau Server

Severity: High
CVSS3 Score: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H - 7.1 High
Product Specific Notes: Not affected.

Vulnerable versions:

  • Tableau Server on Linux 10.5 through 10.5.18
  • Tableau Server on Linux 2018.1 through 2018.1.15
  • Tableau Server on Linux 2018.2 through 2018.2.12
  • Tableau Server on Linux 2018.3 through 2018.3.9
  • Tableau Server on Linux 2019.1 through 2019.1.6
  • Tableau Server on Linux 2019.2 through 2019.2.2

  • Tableau Server on Windows 10.2 through 10.2.23
  • Tableau Server on Windows 10.3 through 10.3.23
  • Tableau Server on Windows 10.4 through 10.4.19
  • Tableau Server on Windows 10.5 through 10.5.18
  • Tableau Server on Windows 2018.1 through 2018.1.15
  • Tableau Server on Windows 2018.2 through 2018.2.12
  • Tableau Server on Windows 2018.3 through 2018.3.9
  • Tableau Server on Windows 2019.1 through 2019.1.6
  • Tableau Server on Windows 2019.2 through 2019.2.2

 

Resolved in versions:

  • Tableau Server on Linux 10.5.19
  • Tableau Server on Linux 2018.1.16
  • Tableau Server on Linux 2018.2.13
  • Tableau Server on Linux 2018.3.10
  • Tableau Server on Linux 2019.1.7
  • Tableau Server on Linux 2019.2.3

  • Tableau Server on Windows 10.2.24
  • Tableau Server on Windows 10.3.20
  • Tableau Server on Windows 10.4.20
  • Tableau Server on Windows 10.5.19
  • Tableau Server on Windows 2018.1.16
  • Tableau Server on Windows 2018.2.13
  • Tableau Server on Windows 2018.3.10
  • Tableau Server on Windows 2019.1.7
  • Tableau Server on Windows 2019.2.3


Tableau Desktop

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Prep Builder

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Reader

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.

Highest overall severity: Medium

Summary:

Tableau Server fails to invalidate caches that are used by the ISMEMBEROF function.

Impact:

A user that has been removed from a group will still be able to see data in a workbook or data source that filters the data based on ISMEMBEROF.


Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep Builder | Tableau Reader | Tableau Mobile | Tableau Public Desktop
Versions that are no longer supported are not tested and may be vulnerable.

 

Tableau Server

Severity: Medium
CVSS3 Score: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N - 6.5 Medium
Product Specific Notes: This vulnerability may be mitigated by restarting Tableau Server after removing a member from a group.

Vulnerable versions:

  • Tableau Server on Linux 10.5 through 10.5.18
  • Tableau Server on Linux 2018.1 through 2018.1.15
  • Tableau Server on Linux 2018.2 through 2018.2.12
  • Tableau Server on Linux 2018.3 through 2018.3.9
  • Tableau Server on Linux 2019.1 through 2019.1.6
  • Tableau Server on Linux 2019.2 through 2019.2.2

  • Tableau Server on Windows 10.2 through 10.2.23
  • Tableau Server on Windows 10.3 through 10.3.23
  • Tableau Server on Windows 10.4 through 10.4.19
  • Tableau Server on Windows 10.5 through 10.5.18
  • Tableau Server on Windows 2018.1 through 2018.1.15
  • Tableau Server on Windows 2018.2 through 2018.2.12
  • Tableau Server on Windows 2018.3 through 2018.3.9
  • Tableau Server on Windows 2019.1 through 2019.1.6
  • Tableau Server on Windows 2019.2 through 2019.2.2

 

Resolved in versions:

  • Tableau Server on Linux 10.5.19
  • Tableau Server on Linux 2018.1.16
  • Tableau Server on Linux 2018.2.13
  • Tableau Server on Linux 2018.3.10
  • Tableau Server on Linux 2019.1.7
  • Tableau Server on Linux 2019.2.3

  • Tableau Server on Windows 10.2.24
  • Tableau Server on Windows 10.3.20
  • Tableau Server on Windows 10.4.20
  • Tableau Server on Windows 10.5.19
  • Tableau Server on Windows 2018.1.16
  • Tableau Server on Windows 2018.2.13
  • Tableau Server on Windows 2018.3.10
  • Tableau Server on Windows 2019.1.7
  • Tableau Server on Windows 2019.2.3


Tableau Desktop

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Prep Builder

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Reader

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.

Highest overall severity: Medium


Summary:

Tableau Server fails to validate and remove certain parameters when exporting a visualization to PDF.


Impact:

Users can modify export requests such that PDF files are saved to arbitrary locations on Tableau Server. Tableau Server does not monitor the exported files for cleanup. Therefore, disk space could fill without administrator knowledge.


Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep Builder | Tableau Reader | Tableau Mobile | Tableau Public Desktop
Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: Medium

CVSS3 Score: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H - 6.5


Vulnerable versions:

  • Tableau Server on Windows 2019.1 through 2019.1.5
  • Tableau Server on Windows 2019.2 through 2019.2.1

  • Tableau Server on Linux 2019.1 through 2019.1.5
  • Tableau Server on Linux 2019.2 through 2019.2.1


Resolved in versions:

  • Tableau Server on Windows 2019.1.6
  • Tableau Server on Windows 2019.2.2

  • Tableau Server on Linux 2019.1.6
  • Tableau Server on Linux 2019.2.2


Tableau Desktop

Severity: N/A

CVSS3 Score: N/A

Product specific notes: Not affected.


Tableau Bridge

Severity: N/A

CVSS3 Score: N/A

Product specific notes: Not affected.


Tableau Prep Builder

Severity: N/A

CVSS3 Score: N/A

Product specific notes: Not affected.


Tableau Reader

Severity: N/A
CVSS3 Score: N/A

Product specific notes: Not affected.


Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A

Product specific notes: Not affected.

Highest overall severity: Medium


Summary:

Tableau Server fails to properly validate the final destination URL during login.


Impact:

A Tableau Server user who clicks on a malicious link and completes a login will be redirected to an attacker-controlled location.


Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep Builder | Tableau Reader | Tableau Mobile | Tableau Public Desktop
Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: Medium
CVSS3 Score: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N - 4.3 Medium


Vulnerable versions:

  • Tableau Server on Windows 10.2 through 10.2.22
  • Tableau Server on Windows 10.3 through 10.3.22
  • Tableau Server on Windows 10.4 through 10.4.18
  • Tableau Server on Windows 10.5 through 10.5.17
  • Tableau Server on Windows 2018.1 through 2018.1.14
  • Tableau Server on Windows 2018.2 through 2018.2.11
  • Tableau Server on Windows 2018.3 through 2018.3.8
  • Tableau Server on Windows 2019.1 through 2019.1.5
  • Tableau Server on Windows 2019.2 through 2019.2.1

  • Tableau Server on Linux 10.5 through 10.5.17
  • Tableau Server on Linux 2018.1 through 2018.1.14
  • Tableau Server on Linux 2018.2 through 2018.2.11
  • Tableau Server on Linux 2018.3 through 2018.3.8
  • Tableau Server on Linux 2019.1 through 2019.1.5
  • Tableau Server on Linux 2019.2 through 2019.2.1


Resolved in versions:

  • Tableau Server on Windows 10.2.23
  • Tableau Server on Windows 10.3.23
  • Tableau Server on Windows 10.4.19
  • Tableau Server on Windows 10.5.18
  • Tableau Server on Windows 2018.1.15
  • Tableau Server on Windows 2018.2.12
  • Tableau Server on Windows 2018.3.9
  • Tableau Server on Windows 2019.1.6
  • Tableau Server on Windows 2019.2.2

  • Tableau Server on Linux 10.5.18
  • Tableau Server on Linux 2018.1.15
  • Tableau Server on Linux 2018.2.12
  • Tableau Server on Linux 2018.3.9
  • Tableau Server on Linux 2019.1.6
  • Tableau Server on Linux 2019.2.2


Tableau Desktop

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Prep Builder

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Reader

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.

Highest overall severity: Medium


Summary:

Workbooks that have been opened with saved credentials might be available to other users on the same site that have access to the workbook.


Impact:

A user on the same site might see data in a workbook without being required to authenticate to the datasource. This vulnerability cannot be triggered by a malicious user.


Mitigation:

The use of Saved Credentials can be disabled in the Server settings: https://onlinehelp.tableau.com/current/server/en-us/maintenance_set.htm


Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep Builder | Tableau Reader | Tableau Mobile | Tableau Public Desktop
Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: Medium
CVSS3 Score: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N - 6.5


Vulnerable versions:

  • Tableau Server on Windows 10.2 through 10.2.22
  • Tableau Server on Windows 10.3 through 10.3.22
  • Tableau Server on Windows 10.4 through 10.4.18
  • Tableau Server on Windows 10.5 through 10.5.17
  • Tableau Server on Windows 2018.1 through 2018.1.14
  • Tableau Server on Windows 2018.2 through 2018.2.11
  • Tableau Server on Windows 2018.3 through 2018.3.8
  • Tableau Server on Windows 2019.1 through 2019.1.5
  • Tableau Server on Windows 2019.2 through 2019.2.1

  • Tableau Server on Linux 10.5 through 10.5.17
  • Tableau Server on Linux 2018.1 through 2018.1.14
  • Tableau Server on Linux 2018.2 through 2018.2.11
  • Tableau Server on Linux 2018.3 through 2018.3.8
  • Tableau Server on Linux 2019.1 through 2019.1.5
  • Tableau Server on Linux 2019.2 through 2019.2.1


Resolved in versions:

  • Tableau Server on Windows 10.2.23
  • Tableau Server on Windows 10.3.23
  • Tableau Server on Windows 10.4.19
  • Tableau Server on Windows 10.5.18
  • Tableau Server on Windows 2018.1.15
  • Tableau Server on Windows 2018.2.12
  • Tableau Server on Windows 2018.3.9
  • Tableau Server on Windows 2019.1.6
  • Tableau Server on Windows 2019.2.2

  • Tableau Server on Linux 10.5.18
  • Tableau Server on Linux 2018.1.15
  • Tableau Server on Linux 2018.2.12
  • Tableau Server on Linux 2018.3.9
  • Tableau Server on Linux 2019.1.6
  • Tableau Server on Linux 2019.2.2


Tableau Desktop

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Prep Builder

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Reader

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.

Highest overall severity: Medium


Summary:

Users accessing Tableau Server with Web Editing may not be prompted to authenticate to a connected data source when accessing a workbook with embedded credentials.


Impact:

A user who has Web Edit permissions on a workbook with embedded credentials will be able to see fields that are not in the views. The user will also be able to perform queries against the datasource without having to authenticate.


Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep Builder | Tableau Reader | Tableau Mobile | Tableau Public Desktop
Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: Medium
CVSS3 Score: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N - 6.5


Vulnerable versions:

  • Tableau Server on Windows 10.2 through 10.2.21
  • Tableau Server on Windows 10.3 through 10.3.21
  • Tableau Server on Windows 10.4 through 10.4.17
  • Tableau Server on Windows 10.5 through 10.5.16
  • Tableau Server on Windows 2018.1 through 2018.1.13
  • Tableau Server on Windows 2018.2 through 2018.2.10
  • Tableau Server on Windows 2018.3 through 2018.3.7

  • Tableau Server on Linux 10.5 through 10.5.16
  • Tableau Server on Linux 2018.1 through 2018.1.13
  • Tableau Server on Linux 2018.2 through 2018.2.10
  • Tableau Server on Linux 2018.3 through 2018.3.7


Resolved in versions:

  • Tableau Server on Windows 10.2.22
  • Tableau Server on Windows 10.3.22
  • Tableau Server on Windows 10.4.18
  • Tableau Server on Windows 10.5.17
  • Tableau Server on Windows 2018.1.14
  • Tableau Server on Windows 2018.2.11
  • Tableau Server on Windows 2018.3.8

  • Tableau Server on Linux 10.5.17
  • Tableau Server on Linux 2018.1.14
  • Tableau Server on Linux 2018.2.11
  • Tableau Server on Linux 2018.3.8


Tableau Desktop

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Prep Builder

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Reader

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.

Highest overall severity: Medium


Summary:

Tableau Server writes the complete SAML AuthnResponse to the log file when loglevel is set to debug. This happens for both site SAML and server-wide SAML scenarios.


Impact:

An attacker who can access the log file can attempt to replay the AuthnResponse. In some cases, replaying the AuthnResponse may allow an attacker to authenticate as a different user.


Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep Builder | Tableau Reader | Tableau Mobile | Tableau Public Desktop
Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: Medium
CVSS3 Score: AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N - 4.4 Medium


Vulnerable versions:

  • Tableau Server on Windows 10.2 through 10.2.21
  • Tableau Server on Windows 10.3 through 10.3.21
  • Tableau Server on Windows 10.4 through 10.4.17
  • Tableau Server on Windows 10.5 through 10.5.16
  • Tableau Server on Windows 2018.1 through 2018.1.13
  • Tableau Server on Windows 2018.2 through 2018.2.10
  • Tableau Server on Windows 2018.3 through 2018.3.7
  • Tableau Server on Windows 2019.1 through 2019.1.4
  • Tableau Server on Windows 2019.2 through 2019.2.0

  • Tableau Server on Linux 10.5 through 10.5.16
  • Tableau Server on Linux 2018.1 through 2018.1.13
  • Tableau Server on Linux 2018.2 through 2018.2.10
  • Tableau Server on Linux 2018.3 through 2018.3.7
  • Tableau Server on Linux 2019.1 through 2019.1.4
  • Tableau Server on Linux 2019.2 through 2019.2.0


Resolved in versions:

  • Tableau Server on Windows 10.2.22
  • Tableau Server on Windows 10.3.22
  • Tableau Server on Windows 10.4.18
  • Tableau Server on Windows 10.5.17
  • Tableau Server on Windows 2018.1.14
  • Tableau Server on Windows 2018.2.11
  • Tableau Server on Windows 2018.3.8
  • Tableau Server on Windows 2019.1.5
  • Tableau Server on Windows 2019.2.1

  • Tableau Server on Linux 10.5.17
  • Tableau Server on Linux 2018.1.14
  • Tableau Server on Linux 2018.2.11
  • Tableau Server on Linux 2018.3.8
  • Tableau Server on Linux 2019.1.5
  • Tableau Server on Linux 2019.2.1


Tableau Desktop

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Prep Builder

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Reader

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.

Highest overall severity: Medium


Summary:

Workbooks that use user functions inside a join calculation may not properly filter data the first time a view is loaded.


Impact:

A user with access to a published workbook can see unfiltered data for another user in the same workbook. A malicious user cannot exploit this vulnerability.


Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep Builder | Tableau Reader | Tableau Mobile | Tableau Public Desktop
Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: Medium
CVSS3 Score: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N - 6.5 Medium


Vulnerable versions:

  • Tableau Server on Windows 10.2 through 10.2.20
  • Tableau Server on Windows 10.3 through 10.3.20
  • Tableau Server on Windows 10.4 through 10.4.16
  • Tableau Server on Windows 10.5 through 10.5.15
  • Tableau Server on Windows 2018.1 through 2018.1.12
  • Tableau Server on Windows 2018.2 through 2018.2.9
  • Tableau Server on Windows 2018.3 through 2018.3.6
  • Tableau Server on Windows 2019.1 through 2019.1.3
  • Tableau Server on Windows 2019.2

 

  • Tableau Server on Linux 10.5 through 10.5.15
  • Tableau Server on Linux 2018.1 through 2018.1.12
  • Tableau Server on Linux 2018.2 through 2018.2.9
  • Tableau Server on Linux 2018.3 through 2018.3.6
  • Tableau Server on Linux 2019.1 through 2019.1.3
  • Tableau Server on Linux 2019.2


Resolved in versions:

  • Tableau Server on Windows 10.2.21
  • Tableau Server on Windows 10.3.21
  • Tableau Server on Windows 10.4.17
  • Tableau Server on Windows 10.5.16
  • Tableau Server on Windows 2018.1.13
  • Tableau Server on Windows 2018.2.10
  • Tableau Server on Windows 2018.3.7
  • Tableau Server on Windows 2019.1.4
  • Tableau Server on Windows 2019.2.1

 

  • Tableau Server on Linux 10.5.16
  • Tableau Server on Linux 2018.1.13
  • Tableau Server on Linux 2018.2.10
  • Tableau Server on Linux 2018.3.7
  • Tableau Server on Linux 2019.1.4
  • Tableau Server on Linux 2019.2.1


Tableau Desktop

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Prep Builder

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Reader

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.

Highest overall severity: Medium


Summary:

Tableau Server SAML implementation fails to properly validate the final destination URL.


Impact:

A Tableau Server user who clicks on a malicious link and completes a SAML login will be redirected to an attacker-controlled location. No SAML request or response is sent to the final location.


Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep Builder | Tableau Reader | Tableau Mobile | Tableau Public Desktop
Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: Medium
CVSS3 Score: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N - 4.3 Medium
Product specific notes: This only affects Tableau Server instances configured with Server-Wide SAML.


Vulnerable versions:

  • Tableau Server on Windows 10.2 through 10.2.20
  • Tableau Server on Windows 10.3 through 10.3.20
  • Tableau Server on Windows 10.4 through 10.4.16
  • Tableau Server on Windows 10.5 through 10.5.15
  • Tableau Server on Windows 2018.1 through 2018.1.12
  • Tableau Server on Windows 2018.2 through 2018.2.9
  • Tableau Server on Windows 2018.3 through 2018.3.6
  • Tableau Server on Windows 2019.1 through 2019.1.3
  • Tableau Server on Windows 2019.2.0

  • Tableau Server on Linux 10.5 through 10.5.15
  • Tableau Server on Linux 2018.1 through 2018.1.12
  • Tableau Server on Linux 2018.2 through 2018.2.9
  • Tableau Server on Linux 2018.3 through 2018.3.6
  • Tableau Server on Linux 2019.1 through 2019.1.3
  • Tableau Server on Linux 2019.2.0


Resolved in versions:

  • Tableau Server on Windows 10.2.21
  • Tableau Server on Windows 10.3.21
  • Tableau Server on Windows 10.4.17
  • Tableau Server on Windows 10.5.16
  • Tableau Server on Windows 2018.1.13
  • Tableau Server on Windows 2018.2.10
  • Tableau Server on Windows 2018.3.7
  • Tableau Server on Windows 2019.1.4
  • Tableau Server on Windows 2019.2.1

 

  • Tableau Server on Linux 10.5.16
  • Tableau Server on Linux 2018.1.13
  • Tableau Server on Linux 2018.2.10
  • Tableau Server on Linux 2018.3.7
  • Tableau Server on Linux 2019.1.4
  • Tableau Server on Linux 2019.2.1


Tableau Desktop

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Prep Builder

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Reader

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected. - Tableau Reader 10.0


Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.

Highest overall severity: Medium


Summary:

Workbooks that use user functions inside a context filter may not properly filter data the first time a view is loaded due to a caching issue.


Impact:

A user with access to a published workbook can see unfiltered data for another user resulting in information disclosure within that same workbook. A malicious user cannot directly force this to happen.


Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep Builder | Tableau Reader | Tableau Mobile | Tableau Public Desktop
Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: Medium
CVSS3 Score: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N - 6.5 Medium


Vulnerable versions:

  • Tableau Server on Windows 10.2 through 10.2.20
  • Tableau Server on Windows 10.3 through 10.3.20
  • Tableau Server on Windows 10.4 through 10.4.16
  • Tableau Server on Windows 10.5 through 10.5.15
  • Tableau Server on Windows 2018.1 through 2018.1.12
  • Tableau Server on Windows 2018.2 through 2018.2.9
  • Tableau Server on Windows 2018.3 through 2018.3.6
  • Tableau Server on Windows 2019.1 through 2019.1.3

  • Tableau Server on Linux 10.5 through 10.5.15
  • Tableau Server on Linux 2018.1 through 2018.1.12
  • Tableau Server on Linux 2018.2 through 2018.2.9
  • Tableau Server on Linux 2018.3 through 2018.3.6
  • Tableau Server on Linux 2019.1 through 2019.1.3


Resolved in versions:

  • Tableau Server on Windows 10.2.21
  • Tableau Server on Windows 10.3.21
  • Tableau Server on Windows 10.4.17
  • Tableau Server on Windows 10.5.16
  • Tableau Server on Windows 2018.1.13
  • Tableau Server on Windows 2018.2.10
  • Tableau Server on Windows 2018.3.7
  • Tableau Server on Windows 2019.1.4

  • Tableau Server on Linux 10.5.16
  • Tableau Server on Linux 2018.1.13
  • Tableau Server on Linux 2018.2.10
  • Tableau Server on Linux 2018.3.7
  • Tableau Server on Linux 2019.1.4


Tableau Desktop

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected. - Tableau Bridge 10.0


Tableau Prep Builder

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Reader

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.

Highest overall severity: Medium


Summary:

A workbook published to Tableau Server with a datasource that has been set to "Publish Separately" and an authentication choice of "Prompt" will publish in an unexpected way. The separate datasource will be published with authentication set to "Prompt". However, the workbook will be published with a connection to the new datasource and with authentication set to "Embedded Password".


Impact:

A Tableau Server user who has access to the workbook will be able to open the workbook and use the embedded credentials to connect to the datasource.


Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep Builder | Tableau Reader | Tableau Mobile | Tableau Public Desktop
Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Desktop

Severity: Medium
CVSS3 Score: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N - 6.5 Medium


Vulnerable versions:

  • Tableau Desktop on Windows 10.2 through 10.2.20
  • Tableau Desktop on Windows 10.3 through 10.3.20
  • Tableau Desktop on Windows 10.4 through 10.4.16
  • Tableau Desktop on Windows 10.5 through 10.5.15
  • Tableau Desktop on Windows 2018.1 through 2018.1.12
  • Tableau Desktop on Windows 2018.2 through 2018.2.9
  • Tableau Desktop on Windows 2018.3 through 2018.3.6
  • Tableau Desktop on Windows 2019.1 through 2019.1.3

  • Tableau Desktop on Mac 10.2 through 10.2.20
  • Tableau Desktop on Mac 10.3 through 10.3.20
  • Tableau Desktop on Mac 10.4 through 10.4.16
  • Tableau Desktop on Mac 10.5 through 10.5.15
  • Tableau Desktop on Mac 2018.1 through 2018.1.12
  • Tableau Desktop on Mac 2018.2 through 2018.2.9
  • Tableau Desktop on Mac 2018.3 through 2018.3.6
  • Tableau Desktop on Mac 2019.1 through 2019.1.3


Resolved in versions:

  • Tableau Desktop on Windows 10.2.21
  • Tableau Desktop on Windows 10.3.21
  • Tableau Desktop on Windows 10.4.17
  • Tableau Desktop on Windows 10.5.16
  • Tableau Desktop on Windows 2018.1.13
  • Tableau Desktop on Windows 2018.2.10
  • Tableau Desktop on Windows 2018.3.7
  • Tableau Desktop on Windows 2019.1.4

  • Tableau Desktop on Mac 10.2.21
  • Tableau Desktop on Mac 10.3.21
  • Tableau Desktop on Mac 10.4.17
  • Tableau Desktop on Mac 10.5.16
  • Tableau Desktop on Mac 2018.1.13
  • Tableau Desktop on Mac 2018.2.10
  • Tableau Desktop on Mac 2018.3.7
  • Tableau Desktop on Mac 2019.1.4


Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Prep Builder

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Reader

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.

Highest overall severity: Medium


Summary:

Tableau Server generates an error page that contains a user-supplied string.


Impact:

A user who clicks on a link will be presented with an error message that contains a string entered by another user.


Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep Builder | Tableau Reader | Tableau Mobile | Tableau Public Desktop
Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: Medium
CVSS3 Score: AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N - 4.7 Medium


Vulnerable versions:

  • Tableau Server on Windows 2018.2 through 2018.2.9
  • Tableau Server on Windows 2018.3 through 2018.3.6
  • Tableau Server on Windows 2019.1 through 2019.1.3

  • Tableau Server on Windows 2018.2 through 2018.2.9
  • Tableau Server on Windows 2018.3 through 2018.3.6
  • Tableau Server on Windows 2019.1 through 2019.1.3


Resolved in versions:

  • Tableau Server on Windows 2018.2.10
  • Tableau Server on Windows 2019.3.7
  • Tableau Server on Windows 2019.1.4

  • Tableau Server on Linux 2018.2.10
  • Tableau Server on Linux 2019.3.7
  • Tableau Server on Linux 2019.1.4


Tableau Desktop

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Prep Builder

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Reader

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.

Highest overall severity: Medium


Summary:

The debug logs that Tableau Mobile generates contain sensitive tokens such as the workgroupsessionid and access_token cookies.


Impact:

A person with access to these debug logs, and with access to the Tableau Server instance that they are associated with, could use the tokens to authenticate to that Tableau Server instance.


Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep Builder | Tableau Reader | Tableau Mobile | Tableau Public Desktop
Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Desktop

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Prep Builder

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Reader

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Mobile

Severity: Medium
CVSS3 Score: AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N - 4.2 Medium

Vulnerable versions:

  • Tableau Mobile 19.225.1731 through 19.402.1795

Resolved in versions:

  • Tableau Mobile 19.430.1863


Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.