ADV-2016-005: Security Advisory: Information disclosure in Tableau Server

Version 2

    Severity: High


    Description: An unauthenticated remote attacker can send a specially crafted message that results in the disclosure of information from Tableau Server.


    Vulnerable Versions: Tableau Server 9.1 (through 9.1.10), 9.2 (through 9.2.8), 9.3 (through 9.3.2)


    Conditions: Exploitation of this vulnerability requires an unauthenticated malicious user who could send carefully crafted input to Tableau Server where the REST API is enabled.

    Impact: The scope of impact for this vulnerability varies based on the sophistication of the malicious user and the nature of the content that is stored on the server.

    Resolution: The following versions of Tableau Server fix this vulnerability:

    Tableau Server 9.1.11

    Tableau Server 9.2.9

    Tableau Server 9.3.3


    Workaround: As a temporary resolution for Tableau Server 9.3, disabling the REST API will resolve this issue. To resolve this issue on Tableau Server 9.3, run the following commands on each server in your organization:

    tabadmin stop

    tabadmin set api.server.enabled false

    tabadmin config

    tabadmin restart


    For more information about running tabadmin, see How to Use tabadmin.

    IMPORTANT: The tabadmin command tabadmin set api.server.enabled false does not disable REST API on versions 9.1 or 9.2. If you are running Tableau Server 9.1 or 9.2, then you must upgrade to the latest maintenance release (9.1.11 or 9.2.9) to neutralize this vulnerability.

    CVSS v3.0 Base Score: 8.6

    CVSS v3.0 Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

    For more information about vectors, see Common Vulnerability Scoring System on the National Vulnerability Database site.