ADV-2023-001: TabPy Unauthenticated Access to Tableau Server

Published: 28 Jun 2023
Last Modified Date: 25 Sep 2023

Issue

TabPy (the Tableau Python Server) installations may be configured to execute arbitrary Python code without authentication. This configuration may not be immediately evident to administrators who have TabPy installed.

An unauthenticated attacker could perform remote code execution on TabPy instances that do not have authentication enabled. TabPy is designed to run either with or without authentication, but those who run TabPy in unauthenticated mode may not be aware of the potential risk and should thoroughly review the documentation at https://github.com/tableau/TabPy.

NOTE: This is not a vulnerability in Tableau. It is a deployment of TabPy in a configuration that is not recommended and that carries potential risk.

Environment

  • TabPy 2.8.0 and earlier

Resolved in versions:

  • TabPy 2.9.0 (https://pypi.org/project/tabpy/2.9.0)

*Versions that are no longer supported are not tested and may not be in line with current security best practices.

Resolution

TabPy 2.9.0 now requires acknowledgement of a warning message to continue running TabPy without authentication. This warning message includes a statement that running TabPy without authentication is an insecure configuration and not recommended.
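An added audit check, not part of this advisory or of the TabPy project, that reads a TabPy configuration file and a response from the server's `/info` endpoint and reports whether authentication is enforced. It assumes TabPy's documented `[TabPy]` section key `TABPY_PWD_FILE` (set to a password file to enable authentication) and the `versions.<api>.features.authentication.required` field of the `/info` response; the configuration texts and response bodies below are constructed samples.

```python
import configparser
import json

# Constructed sample configurations (not taken from the advisory).
# Assumption: TabPy enables authentication when TABPY_PWD_FILE in the
# [TabPy] section points at a password file created with tabpy-user.
WEAK_CONFIG = """
[TabPy]
TABPY_PORT = 9004
"""
HARDENED_CONFIG = """
[TabPy]
TABPY_PORT = 9004
TABPY_PWD_FILE = /etc/tabpy/tabpy_users.txt
"""

# Constructed /info bodies in the shape TabPy's REST documentation shows
# (assumption); only the authentication feature is inspected here.
INFO_UNAUTHENTICATED = json.dumps({
    "name": "TabPy Server", "server_version": "2.8.0",
    "versions": {"v1": {"features": {}}}})
INFO_AUTHENTICATED = json.dumps({
    "name": "TabPy Server", "server_version": "2.9.0",
    "versions": {"v1": {"features": {"authentication": {
        "required": True, "methods": {"basic-auth": {}}}}}}})


def config_requires_auth(config_text: str) -> bool:
    """True when the [TabPy] section names a non-empty password file."""
    parser = configparser.ConfigParser()
    parser.read_string(config_text)
    return bool(parser.get("TabPy", "TABPY_PWD_FILE", fallback="").strip())


def info_requires_auth(info_body: str) -> bool:
    """True when any advertised API version reports authentication as required."""
    info = json.loads(info_body)
    for version in info.get("versions", {}).values():
        auth = version.get("features", {}).get("authentication", {})
        if auth.get("required") is True:
            return True
    return False


def audit(config_text: str, info_body: str) -> list:
    """Return findings; an empty list means no unauthenticated exposure found."""
    findings = []
    if not config_requires_auth(config_text):
        findings.append("config: TABPY_PWD_FILE not set, TabPy runs unauthenticated")
    if not info_requires_auth(info_body):
        findings.append("info: server does not require authentication")
    return findings
```

Running both checks matters because the configuration file shows intent while the live `/info` response shows what the running process actually enforces.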

Additional Information

Severity: Critical

CVSS3 Score: 10.0 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H)