2017 Security and Informational Bulletins

Version 3

    2017 Security Bulletins

    1. [Important] ADV-2017-001: Privilege escalation in Tableau Server
      1. Questions and Answers regarding ADV-2017-001: Privilege escalation in Tableau Server
    2. [Important] ADV-2017-002: Tableau Mobile allows insecure fallback in communication to Tableau server
    3. [Important] ADV-2017-003: Open Redirect in Tableau Server
    4. [Important] ADV-2017-004: Cross-Site Information Disclosure in Tableau Server
    5. [Important] ADV-2017-005: Trusted Ticket Session Can Be Used in REST API on Tableau Server
    6. [Important] ADV-2017-006: Workbook Metadata Disclosure in Tableau Server
    7. [Important] ADV-2017-007: Workbook XSS Vulnerability in Tableau Server
    8. [Important] ADV-2017-008: Unauthenticated SQL injection vulnerability in Tableau Server
    9. [Important] ADV-2017-009: Tableau Server logs some secrets in plain text
    10. [Important] ADV-2017-010: Potential disclosure of user metadata in "Admin Views" in Tableau Online
    11. [Important] ADV-2017-011: Tableau Server vulnerable to Denial-of-Service (DoS) attack using an unauthenticated API call
    12. [Important] ADV-2017-012: Tableau Server includes vulnerable libtiff library
    13. [Important] ADV-2017-013: Unauthenticated privilege escalation when Server SAML is configured on Tableau Server
      1. Questions and Answers regarding ADV-2017-013: Privilege escalation in Tableau Server
    14. [Important] ADV-2017-014: MySQL driver on Tableau Desktop on the Mac contains outdated OpenSSL library
    15. [Important] ADV-2017-015: Information disclosure in Tableau Server from authenticated API call
    16. [Important] ADV-2017-016: REST API may trigger refresh extracts on the wrong site
    17. [Important] ADV-2017-017: CVE-2016-10395 in FlexNet Publisher
    18. [Important] ADV-2017-018: Privilege escalation when using Mutual SSL on Tableau Server
    19. [Important] ADV-2017-019: Multiple CVEs fixed in Apache HTTPD 2.4.26
    20. [Important] ADV-2017-020: Tableau Server logs some database credentials in plain text
    21. [Important] ADV-2017-021: Site SAML on Tableau Server can allow a user to log into the wrong site
    22. [Important] ADV-2017-022: Site SAML logs are available to non-administrator users on Tableau Server/
    23. [Important] ADV-2017-023: Tableau Bridge client logs data source passwords


    2017 Informational Bulletins