Security Advisory: Workbook Shows Data From Different Site

Version 4

    Severity: Medium

     

    Summary: Under certain conditions, a workbook viewed on Tableau Server shows data from a published data source on another site.

     

    Vulnerable Versions: Tableau Server 9.0 (through 9.0.2)

     

    Conditions: The issue affects Tableau Server when all of the following conditions are true:

    • A workbook with a data source has been published to the server.
    • The server contains multiple sites.
      or
      The site has different user filters for the same data source.

     

     

    Impact: Under specific conditions, a user who accesses a workbook on Tableau Server can see data from another site. We expect this to be a very uncommon scenario.

     

     

    Resolution: The issue can be fixed by upgrading to the following Tableau Server versions:

    Tableau Server 9.0.3

     

     

    Workaround: Run the following sequence of tabadmin commands to disable data connection sharing:

    tabadmin stop
    tabadmin set native_api.connection.limit.globallimit 1
    tabadmin configure
    tabadmin start

     

    Making this configuration change mitigates the issue. However, it can have some effect on data access performance. Therefore, after upgrading to Tableau Server 9.0.3 or later, you should reset native_api.connection.limit.globallimit to its default value by running the following tabadmin commands:

    tabadmin stop
    tabadmin set native_api.connection.limit.globallimit --default
    tabadmin configure
    tabadmin start

     

    CVSS v2.0 Base Score: 5.0

    CVSS v2.0 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

    For more information about vectors, see CVSS v2 Vector Definitions on the National Vulnerability Database site.