ADV-2015-003 Security Advisory: Saved Workbooks May Contain Data Source Credentials

Version 3

    Severity: Medium


    Description: Under certain conditions a user might inadvertently store the credentials (such as username and password) for a data source (such as a database login) in a workbook.


    Vulnerable Versions: Tableau Desktop 8.2 (through 8.2.13), 8.3 (through 8.3.8), 9.0 (through 9.0.4), Tableau Server 8.2 (through 8.2.13), 8.3 (through 8.3.8), 9.0 (through 9.0.4), Tableau Online


    Conditions: Sensitive information, such as database credentials, might be disclosed when all of the following conditions are true:

    1. A user works with a data source that requires credentials, such as a database.
    2. The user publishes the data source to Tableau Server or Tableau Online, but chooses not to embed the credentials for the data source.
    3. A user (the same user or another user) uses an affected version of Desktop or uses web authoring on an affected version of Tableau Server to create a workbook.
    4. The workbook uses the authenticated data source published in Step 2.
    5. The user is prompted to enter credentials when connecting to the authenticated data source.
    6. The user enters the credentials and creates a workbook using the authenticated data source.
    7. The user saves the workbook.

    User credentials are saved in the workbook.


    Impact: Any user who can access an affected workbook can potentially see credentials that the author entered to access the data source. If the user who inadvertently stored credentials in the workbook publishes the workbook to a server, anyone who downloads the workbook can access the credentials.


    Resolution: We urge you to upgrade Tableau Desktop and Server per the following guidance:

    Tableau Desktop 8.2.14

    Tableau Desktop 8.3.9

    Tableau Desktop 9.0.5

    Tableau Server 8.2.14

    Tableau Server 8.3.9

    Tableau Server 9.0.5


    The following versions also remove credentials before workbooks are downloaded from the server.

    Tableau Server 8.2.15

    Tableau Server 8.3.10

    Tableau Server 9.0.6

    Tableau Server 9.1.0 and newer.


    Work Around: We strongly recommend that you reset passwords. You might need to reset passwords at the data source or for users. Where you should reset passwords depends on how your authentication model is configured.

    Reset passwords for data sources that are published to Tableau Server and that always prompt users for credentials.

    If your data sources are authenticated by Windows Active Directory, then in most cases, users are not prompted for credentials. Instead, Tableau silently passes through the client token to the data source for authorization. In this case, because the user is not prompted for credentials, the vulnerability is not exposed.

    However, there are cases when users might be prompted for credentials in an Active Directory environment. If either of the following scenarios applies to your users, then reset the passwords for those user accounts:

    • Users access data sources in other untrusted Active Directory domains in your Active Directory forest.

      Some organizations store data sources in resource domains and users in other domains. If these domains are configured with a two-way trust, then users are not prompted for credentials. However, if these domains do not trust each other, then users are prompted for credentials when they attempt to access a data source in another domain. Reset the passwords for users in this scenario.

    • Users experience temporary outages or authentication errors.

      In some transient cases, users in Active Directory who attempt to access resources might be prompted for authentication. If the conditions noted previously are true, and users have been prompted for credentials, then reset the passwords for users who might have experienced transient authentication issues in Active Directory.
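
    To decide which passwords to reset, it helps to know which saved workbooks carry credential-like data. The following is an added example, not Tableau code: it assumes only that a .twb file is XML and a .twbx file is a zip archive containing a .twb. The attribute-name heuristic and the sample workbook are constructed, because this advisory does not state how the credentials are stored.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Assumption: a stored secret shows up as an XML attribute whose name looks
# like a password field. The advisory does not document the real layout.
SECRET_ATTR = re.compile(r"passw|pwd|secret", re.IGNORECASE)

# Constructed sample workbook (not real Tableau output).
SAMPLE_TWB = b"""<workbook>
  <datasource name='sales'>
    <connection server='db.example.internal' username='report_user'
                password='CONSTRUCTED-PLACEHOLDER' />
  </datasource>
  <datasource name='clean'>
    <connection server='db.example.internal' username='report_user' />
  </datasource>
</workbook>"""


def scan_twb_xml(xml_bytes, source):
    """Return (source, element tag, attribute name) for each non-empty secret-like attribute."""
    findings = []
    # For workbooks from untrusted parties, parse with defusedxml instead.
    for elem in ET.fromstring(xml_bytes).iter():
        for name, value in elem.attrib.items():
            if SECRET_ATTR.search(name) and value.strip():
                # The value is deliberately not recorded, so the report
                # itself does not become another copy of the credential.
                findings.append((source, elem.tag, name))
    return findings


def scan_workbook(data, name):
    """Scan the bytes of a .twb (XML) or .twbx (zip holding .twb files)."""
    if zipfile.is_zipfile(io.BytesIO(data)):
        findings = []
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for member in archive.namelist():
                if member.lower().endswith(".twb"):
                    findings += scan_twb_xml(archive.read(member), f"{name}!{member}")
        return findings
    return scan_twb_xml(data, name)


if __name__ == "__main__":
    for source, tag, attr in scan_workbook(SAMPLE_TWB, "sales.twb"):
        print(f"{source}: <{tag}> has non-empty '{attr}' attribute")
```

    A hit identifies a workbook to review and an account whose password should be reset; an empty result under this heuristic does not prove that a workbook is clean.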




    CVSS v2.0 Base Score: 6.1

    CVSS v2.0 Vector: AV:N/AC:H/Au:S/C:C/I:P/A:P

    For more information about vectors, see CVSS v2 Vector Definitions on the National Vulnerability Database site.