Main Vulnerabilities

| Vulnerability | Description | URL | Publication date | Solution | Affected versions |
| --- | --- | --- | --- | --- | --- |
| Apache Log4j2 vulnerability (Log4shell) | Recently disclosed vulnerabilities allow for remote code execution in products that use the Log4j Apache library | https://kb.tableau.com/articles/issue/apache-log4j2-vulnerability-log4shell-tableau-server-mitigation-steps | 19-12-2021 | Upgrade Tableau to any version later than December 15, 2021 | Tableau Server 2021.4, 2021.3.4, 2021.2.5, 2021.1.8, 2020.4.11, 2020.3.14, 2020.2.19, 2020.1.22, 2019.4.25, 2019.3.26, 2019.2.29, 2019.1.29, 2018.3.29 or earlier |
| Issue affecting Tableau Server Administration Agent | On August 15, 2022, Tableau detected an issue affecting the internal file transfer service of the Tableau Server Administration Agent. As a result of this coding error, unauthorized third parties could access the internal file transfer service and launch a path traversal attack to execute code remotely on Tableau Server hosts. | https://kb.tableau.com/articles/issue/issue-affecting-tableau-server-administration-agent?lang=es-es | 29-08-2022 | Upgrade Tableau to any version later than August 30, 2022 | 2022.1 - 2022.1.4, 2021.4 - 2021.4.9, 2021.3 - 2021.3.14, 2021.2 - 2021.2.15, 2021.1 - 2021.1.17, 2020.4 - 2020.4.20 |
| Tableau Server logging Personal Access Tokens into internal log repositories | On June 15, 2022, during a security review of our products, we identified that during the process outlined above, a subset of customers inadvertently used their Personal Access Token (PAT) rather than the authentication token in a REST API call, which resulted in Tableau Server logging PATs in plain text into customers’ internal log repositories. We released a critical update on June 21, 2022, which resolved this issue. | https://help.salesforce.com/s/articleView?id=000390611&type=1 | 20-09-2022 | Upgrade Tableau to any version later than June 21, 2022 | Earlier than 2022.1.3, 2021.4.8, 2021.3.13, 2021.2.14, 2021.1.16, 2020.4.19 |
| Site Administrator | On November 1, 2022, Salesforce Security discovered that Tableau Server was not enforcing cross-site access control for Site Administrators using Tableau Server versions 2020.4 to 2022.3. | https://help.salesforce.com/s/articleView?id=000390611&type=1 | 17-11-2022 | Upgrade Tableau to versions released after November 17, 2022 | Versions prior to November 17, 2022 |
| Web Data Connector 2.0 (WDC) | On April 21, 2023, Salesforce Security discovered an issue impacting Tableau's Web Data Connector 2.0 (WDC). As a result of this issue, a malicious actor could potentially publish a workbook or data source with a WDC 2.0 connection to access network endpoints that are accessible from the machine hosting your instance of Tableau Server. | https://help.salesforce.com/s/articleView?id=000390611&type=1 | 18-05-2023 | Upgrade Tableau to versions released after May 18, 2023 | Versions prior to May 18, 2023 |
| Server-side request forgery (SSRF) vulnerability in Tableau Server | A security researcher reported a vulnerability related to server-side request forgery (SSRF) in Tableau Server which could allow a malicious actor to authenticate into your instance of Tableau Server to access your hosted data. Tableau assigned the CVSSv3 score as a 7.7. This vulnerability impacts all currently supported versions of Tableau Server released on or before June 29, 2023, which include 2021.3 - 2021.3.24, 2021.4 - 2021.4.19, 2022.1 - 2022.1.15, 2022.3 - 2022.3.7, and 2023.1 - 2023.1.3, respectively. | https://kb.tableau.com/articles/Issue/tableau-security-notification-server-side-request-forgery | 01-07-2023 | Upgrade Tableau to any version released on or after August 1, 2023 | Versions prior to August 1, 2023 |
| Local File Inclusion (LFI) vulnerability | On May 11, 2023, a security researcher reported a Local File Inclusion (LFI) vulnerability affecting on-prem Tableau Servers that could enable an unauthorized actor to query local/network file paths to enumerate and/or exfiltrate sensitive information. Tableau assigned the CVSSv3 score as a 7.5. | https://kb.tableau.com/articles/Issue/tableau-security-notification-server-side-request-forgery | 25-10-2023 | On October 25, 2023, Tableau addressed this issue in the 2023.1.7, 2022.3.11, 2022.1.19, and 2021.4.23 releases of Tableau Server. | 2021.4 - 2021.4.22, 2022.1 - 2022.1.18, 2022.3 - 2022.3.10, 2023.1 - 2023.1.6 |