Security Advisory: Guest Users Can See Data As the Publisher User

Version 2

    Severity: Low

     

    Summary: Under certain conditions a user who accesses a workbook as a Guest user can view data as the publisher of the data.

     

    Vulnerable Versions: Tableau Server 9.0.0 (through 9.0.2)

     

    Conditions: The issue affects Tableau Server when all of the following conditions are true:

    • A user has viewed a workbook that includes embedded credentials for the data source.
    • The user who published the workbook has permission to view the data.
    • The workbook includes user filters or calculations.
    • The Guest user is enabled.

     

    Impact: A user who accesses the workbook on Tableau Server as a Guest user can potentially see data that should not be visible to that user.

     

    Resolution: The issue can be fixed by upgrading to the following Tableau Server versions:

    Tableau Server 9.0.3

     

    Workaround: In the meantime, disable Guest access.

     

     

    • CVSS v2.0 Base Score: 4.3
    • CVSS v2.0 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

    For more information about vectors, see CVSS v2 Vector Definitions on the National Vulnerability Database site.