ADV-2016-001 Security Advisory: Salesforce Canvas Adapter for Tableau Can Allow Unauthorized User Impersonation

Version 3

    Severity: Medium


    Description: When Salesforce Canvas Adapter for Tableau (also known as Tableau Sparkler) is used with Salesforce, under certain circumstances an authenticated user can impersonate another Tableau Server user.


    Affected products: All versions of Salesforce Canvas Adapter for Tableau through 1.01.

    Tableau Online is not affected (see next section).


    Conditions: A user might be able to impersonate another user if all of these conditions are true:

    • Tableau Sparkler is installed and correctly configured.

    • Tableau Sparkler is configured to use Trusted Authentication to communicate with Tableau Server.

    • A user is able to authenticate to Salesforce and make a request for a Tableau view.

    • The user knows the username of another Tableau Server user.

    The vulnerability does not occur if Tableau Sparkler and Salesforce are configured to use SAML to exchange identity information. (Because Tableau Online supports only SAML and not Trusted Authentication, Tableau Online is not affected by this issue.)


    Impact: A user who can access an affected workbook can assert a different user identity and request any view that the impersonated user has permissions for. If Tableau Server is configured to use unrestricted tickets, the user can take actions as that user, including administrators.


    Resolution: We also urge you to upgrade per the following guidance:

    To resolve this problem, install the updated version of Tableau Sparkler (v1.02). The Tableau Sparkler documentation that is included in the update installation package provides details about changes (including new configuration settings and deprecated ones), and about how to perform the upgrade.

    If your Sparkler configuration maps a Salesforce user name, user email, or user ID to a Tableau Server user, the update and a small configuration change will be sufficient to mitigate the problem. The update also supports custom mapping, in which you create code to perform the user identity mapping between Salesforce and Tableau. This is useful if you want to use an identity other than one of the predefined mappings (Salesforce user name, email, or user ID); if you want to federate multiple Salesforce users to a single Tableau user; or if the instance of Tableau Server has multiple sites. If you implement custom mapping, you must package the parameters on Salesforce using an Apex class that is provided in the Tableau Sparkler update package. The documentation for the v1.02 version of Tableau Sparkler provides information about how to implement custom mapping.

    We also recommend that if it is practical for your organization, you configure Salesforce and Sparkler to use SAML for identity instead of using Trusted Authentication.


    CVSS v2.0 Base Score: 6.5

    CVSS v2.0 Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N

    For more information about vectors, see CVSS v2 Vector Definitions on the National Vulnerability Database site.