• [Important] ADV-2019-047: Open redirect on embeddedAuthRedirect page

    Highest overall severity: Medium Summary: Tableau Server fails to properly validate the path that is presented on an embedded authentication redirect page. The following CVEs have been addressed: CVE-2019-...
    Tyler Reeves
    last modified by Tyler Reeves
  • [Important] ADV-2019-038: Sensitive Values in Log Files From Prep Builder and Prep Conductor

    Highest overall severity: Medium Summary: When using Tableau Prep Builder and Tableau Prep Conductor to connect to published datasources, sensitive information is logged to the application log files. I...
    Tyler Reeves
    last modified by Tyler Reeves
  • [Important] ADV-2020-015: Flows Running In Prep Conductor Can Use Wrong OAuth Credentials

    Highest overall severity: High Summary: In certain scenarios a flow running in Prep Conductor will use the wrong OAuth credentials when authenticating to a data source. Impact: A malicious flow can be constructe...
    Tyler Reeves
    created by Tyler Reeves
  • [Important] ADV-2020-014: View Specific Permissions Ignored By Dashboard Button

    Highest overall severity: Medium Summary: When a dashboard is configured with a button to go to another sheet, the target sheet permissions are ignored for the current user. This scenario may occur if the workbook ...
    Tyler Reeves
    created by Tyler Reeves
  • [Important] ADV-2020-013: Sensitive Information In Tableau Server Logs

    Highest overall severity: Medium Summary: Tableau Server logs the internal secret used to authenticate internal service requests when the log.level is set to Debug. The log.level is set to Info by default and the ...
    Tyler Reeves
    created by Tyler Reeves
  • [Important] ADV-2020-012: Open Redirect on embeddedAuthRedirect Page

    Highest overall severity: Medium Summary: Tableau Server fails to properly validate the path that is presented on an embedded authentication redirect page. This is the same issue described in ADV-2019-047. The prev...
    Tyler Reeves
    created by Tyler Reeves
  • [Important] ADV-2020-011: Sensitive Values in Log Files From Prep Builder

    Highest overall severity: Medium Summary: When using Tableau Prep Builder to connect to published datasources, sensitive information is logged to the application log files. This is the same issue as described in AD...
    Tyler Reeves
    created by Tyler Reeves
  • [Important] ADV-2020-008: Various Memory Corruption Issues

    Highest overall severity: High Summary: Various memory corruption issues exist in Tableau products. Impact: An attacker exploiting this vulnerability may be able to execute arbitrary code or cause a crash. Pro...
    Tyler Reeves
    last modified by Tyler Reeves
  • [Important] ADV-2020-006: Unauthenticated JMX RMI Remote Code Execution in Tableau Server

    Highest overall severity: High Summary: Under certain circumstances, Tableau Server removes authentication on a JMX server, which may allow Remote Code Execution. Impact: An attacker can execute arbitrary comman...
    Tyler Reeves
    last modified by Tyler Reeves
  • [Important] ADV-2020-010: Sensitive Values Logged When Using ODBC DSN

    Highest overall severity: Medium Summary: When using an ODBC Data Source Name, sensitive values configured in the DSN can appear in the debug logs. Impact: Access to the log files can expose sensitive values. ...
    Tyler Reeves
    created by Tyler Reeves
  • [Important] ADV-2020-009: Tableau Fixes for Multiple Security Vulnerabilities in QtWebEngine

    Highest overall severity: High Summary: Multiple fixes have been addressed for vulnerabilities in QtWebEngine. The following CVEs have been addressed: CVE-2019-13118 CVE-2019-13117 CVE-2019-13785 CVE-2019-181...
    Tyler Reeves
    created by Tyler Reeves
  • [Important] ADV-2020-007: HTML Injection in Emails

    Highest overall severity: Medium Summary: HTML characters are not properly encoded in emails sent to users who are tagged in comments. The previous fix (ADV-2019-041) addressing this vulnerability was incomple...
    Tyler Reeves
    created by Tyler Reeves
  • [Important] ADV-2020-005: Tableau Server Sensitive Information in URL

    Highest overall severity: Medium Summary: When connecting to a datasource from an OAuth connection an error may occur that displays exception information in the return URL. In some cases, the exception information ...
    Tyler Reeves
    created by Tyler Reeves
  • [Important] ADV-2020-004: File Path Disclosure of Temporary Files

    Highest overall severity: Medium Summary: File paths of temporary files are included in the user-facing error messages after a publishing attempt fails. Impact: Users can learn some information about the Tableau...
    Tyler Reeves
    created by Tyler Reeves
  • [Important] ADV-2020-003: Tableau Server Forced Authentication

    Highest overall severity: High Summary: Tableau Server configured with an external Active Directory identity store can be forced to attempt to find users in a domain other than the one configured. An unauthenticate...
    Tyler Reeves
    created by Tyler Reeves
  • [Important] ADV-2020-002: Lack Of Input Validation on a JavaScript Command

    Highest overall severity: Medium Summary: An unspecified JavaScript command lacks proper input validation, which can result in files being written to an attacker-controlled location. Impact: Overwriting files ma...
    Tyler Reeves
    created by Tyler Reeves
  • [Important] ADV-2020-001: XSS Vulnerability in Tableau Server Data Management Add-on

    Highest overall severity: Medium Summary: Tableau Data Catalog metadata that includes specific embedded parameters and is published to Tableau Server may cause an XSS vulnerability in Tableau Server. Impact: Whe...
    Tyler Reeves
    created by Tyler Reeves
  • [Important] ADV-2019-017: Arbitrary error message on Tableau Server

    Highest overall severity: Medium Summary: Tableau Server generates an error page that contains a user-supplied string. Impact: A user who clicks on a link will be presented with an error message that contains a stri...
    Joseph Salowey
    last modified by Joseph Salowey
  • [Important] ADV-2019-053: Tableau updates Java JRE for October 2019

    Highest overall severity: Medium Summary: Tableau Server uses the Java JRE. The October 2019 update to the Java JRE contained an unspecified Medium severity issue (CVE-2019-2958) that might present a risk to Tableau ...
    Joseph Salowey
    last modified by Joseph Salowey
  • [Important] ADV-2019-057: Cross-Site Request Forgery Protection Is Missing On Unspecified API

    Highest overall severity: Medium Summary: An unspecified API does not protect the user from cross-site request forgery. Impact: An attacker who is able to persuade a victim to visit a malicious website can change a ...
    Joseph Salowey
    created by Joseph Salowey