Tableau Server email from Salesforce

You may receive an email from Salesforce similar to:

You are receiving this email because you are identified as a security point of contact or portal administrator for your company's Tableau portal account.

If this message refers to Tableau Server and not Tableau Client, feel free to ignore it.

The following is an example of the full message text:

[Salesforce logo]

Security Notification

You are receiving this email because you are identifed as a security point of contact or portal administrator for your company's Tableau portal account. Please [see linked article] for information on how to set a security point of contact if your portal account does not have one set already.

At Tableau, we understand that the confidentiality, integrity, and availability of your data is vital to your business, and we take the protection of your data very seriously. We value transparency and wanted to notify you of an issue affecting a subset of Tableau customers.

What is the issue?

On January 31, 2024, Tableau identified a vulnerability in the "connectionAttrs.filename" parameter for the flow-editor load API, which retrieves files stored on tenants' host systems. We assigned the CVSSv3 score as 7.6.

This issue impacts the following versions of Tableau Server:

• 2022.1 - 2022.1.22
• 2022.3 - 2022.3.14
• 2023.1 - 2023.1.10
• 2023.3 - 2023.3.3

As a result of this issue, an authenticated user could access all text files on the host system by manipulating the filename parameter of the /flow-editor/api/nodes/load API.

NOTE: Access to valid Tableau Creator credentials is required to exploit this issue. Users with Explorer or Viewer permissions cannot access this endpoint.