ADV-2015-002 Security Advisory: Server Configure Information Disclosure

Version 3

    Severity: High

     

    Description: An authorized user can send carefully crafted input that results in disclosure of server configuration information.

     

    Vulnerable Versions: Tableau Server 8.1 (through 8.1.23), 8.2 (through 8.2.16), 8.3 (through 8.3.11), 9.0 (through 9.0.8)

     

    Conditions: Exploitation of this vulnerability requires a malicious user who has publish permissions on Tableau Server. Such a user could send carefully crafted input to Tableau Server resulting in disclosure of server configuration information.

     

    Impact: The scope of impact for this vulnerability varies based on the sophistication of the malicious user and the nature of the content that is stored on the server.

    None of these consequences have been observed outside of test laboratory conditions with this vulnerability.

     

    Resolution: Upgrade Tableau Server per the following guidance:

    Tableau Server 8.1.24

    Tableau Server 8.2.17

    Tableau Server 8.3.12

    Tableau Server 9.0.9

     

    CVSS v2.0 Base Score: 6.5

    CVSS v2.0 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P

    For more information about vectors, see CVSS v2 Vector Definitions on the National Vulnerability Database site.