Cyber Security Alert: Tableau CVE Update
Friday 10th May 2024
Summary:
Tableau discovered a vulnerability affecting the email notification functionality of Tableau's Flow Editor feature.
The following versions of Tableau Server are vulnerable to this issue:
- 2023.3 - 2023.3.4
- 2023.1 - 2023.1.11
- 2022.3 - 2022.3.15
Severity:
| CVSSv3 score |
| 9.1 |
Analyst Assessment:
The vulnerability carries a high severity of 9.1. However, there is no evidence this is being exploited in the wild by threat actors. Tableau (and SalesForce) have released advice for those affected.
Impact:
As a result of this issue, an authenticated user could execute arbitrary commands on your instance of Tableau Server. NOTE: Access to valid Tableau Creator credentials is required to exploit this issue. Only roles with Creator permission and above can exploit this issue.
Issue Correction:
To address this issue, Tableau Server customers should immediately update to the latest maintenance release in their branches, which can be downloaded from the Tableau Server Maintenance Release page. You may wish to review your logs for evidence of unexpected or suspicious use of features built into the email in scheduled tasks for Flows.
How to Get More Information:
If you have any questions, please open a case with Support via the Help portal.
Sources:
Issues | Known Issues (salesforce.com)
Tableau Help | Tableau Software
Caveat:
This is based on current, limited knowledge, which should be further investigated and checked, before being applied to your systems.
Want to keep informed? Sign up to our Newsletter