  • [Important] ADV-2019-039: Site Import Can Affect Permissions

    Highest overall severity: Medium   Summary: When importing a site into a Tableau Server 2019.2 instance that is running a version prior to 2019.2.3, the permissions templates applied to the content of the new s...
    Tyler Reeves
    last modified by Tyler Reeves
  • [Important] ADV-2019-031: Tableau Updates Java JRE for July 2019

    Highest overall severity: High   Summary: Tableau Server uses the Java JRE. The April 2019 update to the Java JRE contained an unspecified High severity issue (CVE-2019-2699) that might present a risk to Tablea...
    Tyler Reeves
    last modified by Tyler Reeves
  • [Important] ADV-2019-036: File Paths Disclosure of Temporary Files

    Highest overall severity: Medium   Summary: File paths of temporary files are included in the user-facing error messages after a publishing attempt fails.   Impact: Users can learn some information about...
    Tyler Reeves
    last modified by Tyler Reeves
  • [Important] ADV-2019-037: Open redirect on embeddedVizAuthentication page

    Highest overall severity: Medium   Summary: Tableau Server fails to properly validate the path that is presented on an embedded view authentication page.   Impact: A Tableau Server user that clicks on a ...
    Tyler Reeves
    created by Tyler Reeves
  • [Important] ADV-2019-034: HTML Injection In Emails From Subscriptions

    Highest overall severity: Medium   Summary: HTML characters are not properly encoded in the subscription emails that are sent from Tableau Server.   Impact: Users on Tableau Server can craft phishing emai...
    Tyler Reeves
    created by Tyler Reeves
  • [Important] ADV-2019-033: Stored XSS in Flow Thumbnails

    Highest overall severity: Medium   Summary: Some API calls do not perform proper encoding when returning thumbnails associated with a published flow.   Impact: When a Tableau Server user clicks a malicio...
    Tyler Reeves
    created by Tyler Reeves
  • [Important] ADV-2019-038: Sensitive Values in Log Files From Prep Builder and Prep Conductor

    Highest overall severity: Medium   Summary: When using Tableau Prep Builder and Tableau Prep Conductor to connect to published datasources sensitive information is logged to the application log files.   I...
    Tyler Reeves
    last modified by Tyler Reeves
  • [Important] ADV-2019-035: Workbook XSS Vulnerability in Tableau Server

    Highest overall severity: Medium   Summary: Tableau workbooks with specific embedded parameters that are published to Tableau Server may cause an XSS vulnerability in Tableau Server.   Impact: When users...
    Tyler Reeves
    created by Tyler Reeves
  • [Important] ADV-2019-032: Information Disclosure For Similar Workbooks On Same Site

    Highest overall severity: Medium   Summary: Workbooks on the same site that share a large number of similar features can be improperly cached.   Impact: Users on a site can see a cached view of a similar...
    Tyler Reeves
    created by Tyler Reeves
  • [Important] ADV-2019-027: Partial Information Disclosure When Changing Group Membership

    Highest overall severity: Medium Summary: Tableau Server fails to invalidate caches that are used by the ISMEMBEROF function. Impact: A user that has been removed from a group will still be able to see data in a w...
    Tyler Reeves
    last modified by Tyler Reeves
  • [Important] ADV-2019-030: XXE Vulnerability in Tableau Products

    Highest overall severity: High   Summary: An XXE vulnerability exists in Tableau products.   The following CVEs have been addressed: CVE-2019-15637   Impact: This vulnerability can result in infor...
    Tyler Reeves
    last modified by Tyler Reeves
  • [Important] ADV-2019-029: Sensitive Data In Tableau Service Manager Logs

    Highest overall severity: Medium   Summary: Tableau Server logs password for the private key and keystore at upgrade time when tsm.controlapp.log.level is set to DEBUG.   Impact: An attacker who has acce...
    Tyler Reeves
    created by Tyler Reeves
  • [Important] ADV-2019-028: Improper Path Validation When Publishing a Workbook

    Highest overall severity: High   Summary: When a user publishes a malicious workbook to Tableau Server, certain path values are not validated. As a result, the malicious workbook may cause files on Tableau Serv...
    Tyler Reeves
    created by Tyler Reeves
  • [Important] ADV-2019-026: Missing Validation on Request Parameters When Exporting a Visualization to PDF on Tableau Server

    Highest overall severity: Medium Summary: Tableau Server fails to validate and remove certain parameters when exporting a visualization to PDF. Impact: Users can modify export requests such that PDF files are sa...
    Tyler Reeves
    last modified by Tyler Reeves
  • [Important] ADV-2019-025: Open Redirect During Login

    Highest overall severity: Medium Summary: Tableau Server fails to properly validate the final destination URL during login. Impact: A Tableau Server user that clicks on a malicious link and completes a login wil...
    Tyler Reeves
    created by Tyler Reeves
  • [Important] ADV-2019-024: Information Disclosure With Saved Credentials

    Highest overall severity: Medium   Summary: Workbooks that have been opened with saved credentials might be available to other users on the same site that have access to the workbook.   Impact: A user on the same sit...
    Tyler Reeves
    created by Tyler Reeves
  • [Important] ADV-2019-021: Partial Information Disclosure With User Functions in Joins

    Highest overall severity: Medium Summary: Workbooks that use user functions inside a join calculation may not properly filter data the first time a view is loaded. Impact: A user with access to a published workb...
    Joseph Salowey
    last modified by Joseph Salowey
  • [Important] ADV-2019-020: Open Redirect in Server SAML

    Highest overall severity: Medium Summary: Tableau Server SAML implementation fails to properly validate the final destination URL. Impact: A Tableau Server user that clicks on a malicious link and completes a SA...
    Joseph Salowey
    last modified by Joseph Salowey
  • [Important] ADV-2019-023: Information Disclosure When Web Editing

    Highest overall severity: Medium   Summary: Users accessing Tableau Server with Web Editing may not be prompted to authenticate to a connected data source when accessing a workbook with embedded credentials.   Impact:...
    Tyler Reeves
    created by Tyler Reeves
  • [Important] ADV-2019-022: Complete SAML Response Logged

    Highest overall severity: Medium Summary: Tableau Server writes the complete SAML AuthnResponse to the log file when loglevel is set to debug. This happens for both site SAML and server-wide SAML scenarios. Impac...
    Tyler Reeves
    created by Tyler Reeves