Security Advisory: Users Can Be Impersonated

Version 3

    Severity: High

    Summary: A user can send a specially crafted request to Tableau Server that allows the user to impersonate a different user.

    Vulnerable Versions: Tableau Server 8.1 (through 8.1.20), 8.2 (through 8.2.12), 8.3 (through 8.3.7), 9.0 (through 9.0.3)

    Conditions: Our current investigations suggest that this vulnerability affects all configurations of Tableau Server.

    Impact: A user can modify a request to impersonate another user. This can result in an escalation of privilege on Tableau Server, meaning that the user might be allowed to see content or perform actions that the user is not normally allowed to see or perform.

    Resolution: The issue can be fixed by upgrading to the following Tableau Server versions:

    Tableau Server 8.1.21
    Tableau Server 8.2.13
    Tableau Server 8.3.8
    Tableau Server 9.0.4

    CVSS v2.0 Base Score: 7.5

    CVSS v2.0 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

    For more information about vectors, see CVSS v2 Vector Definitions on the National Vulnerability Database site.