Issue affecting Tableau Server Administration Agent


Published: 29 Aug 2022
Last Modified Date: 15 Nov 2022

Issue

On August 15, 2022, Tableau became aware of an issue affecting Tableau Server Administration Agent’s internal file transfer service. 

As a result of this code error, unauthorized third parties could have potentially accessed the internal file transfer service and carried out a path traversal attack to perform remote code execution on Tableau Server hosts. 

NOTE: In order to exploit this code error, a malicious actor would need to be able to access a customer’s system and write code targeting the impacted internal interface. Based on currently available information, Tableau does not have evidence of publicly available resources that would enable a path traversal attack.

Environment

The following supported versions of Tableau Server are impacted by this issue:

  • 2022.1 - 2022.1.4
  • 2021.4 - 2021.4.9
  • 2021.3 - 2021.3.14
  • 2021.2 - 2021.2.15
  • 2021.1 - 2021.1.17
  • 2020.4 - 2020.4.20

Resolution

On August 30, 2022, Tableau released a new version of Tableau Server Administration Agent that resolved the code error, eliminating the potential for unauthorized access to customers’ systems.

In alignment with security best practices, we strongly suggest that Tableau Server customers download and use the latest version of Tableau Server, which can be found here.

Additional Information

CVSS Score:
The Tableau Server versions that are affected have been scored against this vulnerability, generating a base score of 9. Please read the CVSS standards guide to fully understand how CVSS vulnerabilities are scored, and how to interpret CVSS scores.

Affected customers received a notification by email about this issue from Tableau on August 30, 2022.
