QID 372444
Date Published: 2021-05-31
QID 372444: Tableau Server and Desktop Multiple Vulnerabilities (Important-ADV-2020-009)
Tableau Server, by Tableau Software, is an online solution for sharing, distributing, and collaborating on content created in Tableau. Workbooks, views, dashboards, and data sources are created in Tableau Desktop and then published to the server.
Tableau has released fixes for multiple vulnerabilities in the bundled QtWebEngine component and the third-party libraries it carries (libxslt and libpng). The fixed CVEs are listed below.
CVE-2019-13117: In numbers.c in libxslt 1.1.33, an xsl:number with certain format strings could lead to an uninitialized read in xsltNumberFormatInsertNumbers. This could allow an attacker to discern whether a byte on the stack contains the characters A, a, I, i, or 0, or any other character.
CVE-2019-13118: In numbers.c in libxslt 1.1.33, a type holding grouping characters of an xsl:number instruction was too narrow, and an invalid character/length combination could be passed to xsltNumberFormatDecimal, leading to a read of uninitialized stack data.
CVE-2019-13785: In libpng 1.6.34, a wrong calculation of row_factor in the png_check_chunk_length function (pngrutil.c) may trigger an integer overflow and a resultant divide-by-zero while processing a crafted PNG file, leading to a denial of service.
CVE-2019-18197: In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable is not reset under certain circumstances. If the relevant memory area happened to be freed and reused in a certain way, a bounds check could fail and memory outside a buffer could be written to, or uninitialized data could be disclosed.
Affected Versions:
Tableau Server
Tableau Server on Linux 10.4 through 10.4.23
Tableau Server on Linux 10.5 through 10.5.22
Tableau Server on Linux 2018.1 through 2018.1.19
Tableau Server on Linux 2018.2 through 2018.2.16
Tableau Server on Linux 2018.3 through 2018.3.13
Tableau Server on Linux 2019.1 through 2019.1.11
Tableau Server on Linux 2019.2 through 2019.2.7
Tableau Server on Linux 2019.3 through 2019.3.3
Tableau Server on Linux 2019.4 through 2019.4.1
Tableau Server on Windows 10.4 through 10.4.23
Tableau Server on Windows 10.5 through 10.5.22
Tableau Server on Windows 2018.1 through 2018.1.19
Tableau Server on Windows 2018.2 through 2018.2.16
Tableau Server on Windows 2018.3 through 2018.3.13
Tableau Server on Windows 2019.1 through 2019.1.11
Tableau Server on Windows 2019.2 through 2019.2.7
Tableau Server on Windows 2019.3 through 2019.3.3
Tableau Server on Windows 2019.4 through 2019.4.1
Tableau Desktop:
Tableau Desktop on Mac 10.4 through 10.4.23
Tableau Desktop on Mac 10.5 through 10.5.22
Tableau Desktop on Mac 2018.1 through 2018.1.19
Tableau Desktop on Mac 2018.2 through 2018.2.16
Tableau Desktop on Mac 2018.3 through 2018.3.13
Tableau Desktop on Mac 2019.1 through 2019.1.11
Tableau Desktop on Mac 2019.2 through 2019.2.7
Tableau Desktop on Mac 2019.3 through 2019.3.3
Tableau Desktop on Mac 2019.4 through 2019.4.1
Tableau Desktop on Windows 10.4 through 10.4.23
Tableau Desktop on Windows 10.5 through 10.5.22
Tableau Desktop on Windows 2018.1 through 2018.1.19
Tableau Desktop on Windows 2018.2 through 2018.2.16
Tableau Desktop on Windows 2018.3 through 2018.3.13
Tableau Desktop on Windows 2019.1 through 2019.1.11
Tableau Desktop on Windows 2019.2 through 2019.2.7
Tableau Desktop on Windows 2019.3 through 2019.3.3
Tableau Desktop on Windows 2019.4 through 2019.4.1
QID Detection Logic (Authenticated)
This QID checks the file version of tableau.exe (Tableau Desktop) and tabsvc.exe (Tableau Server) and compares it against the affected version ranges listed above.
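The version comparison behind a check like this is easy to get wrong, because each release branch has its own last affected build. The following is an added example written for this page, not Qualys detection code or anything from Tableau: it encodes the affected ranges from the list above (the same ranges apply to Server on Linux and Windows and to Desktop on Mac and Windows) and classifies a product version string. It assumes versions are given in the dotted product form used in the advisory (for example 2019.4.1); translating a binary's file-version resource into that form is product-specific and is left to the caller. The sample inventory in the main block is constructed for illustration.

```python
"""
Version-range check for the affected Tableau releases listed in ADV-2020-009.

The branch "10.4 through 10.4.23" is read as: every 10.4.x release with
x <= 23 is affected, and "10.4" on its own is the first build of that
branch. Builds above the last listed one in a branch are reported as not
affected; branches the advisory does not list at all are reported as
"not listed" (the advisory makes no statement about them either way).
"""

from typing import Dict, List, Optional, Tuple

# Last affected build per release branch, copied from the advisory text.
LAST_AFFECTED: Dict[Tuple[int, int], int] = {
    (10, 4): 23,
    (10, 5): 22,
    (2018, 1): 19,
    (2018, 2): 16,
    (2018, 3): 13,
    (2019, 1): 11,
    (2019, 2): 7,
    (2019, 3): 3,
    (2019, 4): 1,
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR[.PATCH]' into integers; a missing patch means build 0."""
    parts = text.strip().split(".")
    if len(parts) not in (2, 3) or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Tableau version string: {text!r}")
    major, minor = int(parts[0]), int(parts[1])
    patch = int(parts[2]) if len(parts) == 3 else 0
    return major, minor, patch


def is_affected(text: str) -> Optional[bool]:
    """
    True  -> version lies inside an affected range in ADV-2020-009
    False -> same branch, but newer than the last affected build
    None  -> branch not listed in the advisory
    """
    major, minor, patch = parse_version(text)
    last = LAST_AFFECTED.get((major, minor))
    if last is None:
        return None
    # Integer comparison, not string comparison: "2019.4.10" > "2019.4.9".
    return patch <= last


def triage(versions: List[str]) -> Dict[str, List[str]]:
    """Sort observed version strings into affected / not affected / not listed."""
    buckets = {True: "affected", False: "not_affected", None: "not_listed"}
    report: Dict[str, List[str]] = {name: [] for name in buckets.values()}
    for v in versions:
        report[buckets[is_affected(v)]].append(v)
    return report


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hosts), not data from the advisory.
    observed = ["2019.4.1", "2019.4.2", "2018.3.13", "10.5", "10.5.23", "2020.1.0"]
    for bucket, items in triage(observed).items():
        print(f"{bucket}: {items}")
```

The three-way result matters in practice: a branch that the advisory does not mention (for example a newer release line) is not evidence that the host is unaffected, only that this advisory does not cover it, so a scanner should not silently fold "not listed" into "not affected".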
An unauthenticated remote attacker could exploit these vulnerabilities to cause a denial of service or to read uninitialized memory contents.
Customers are advised to refer to Tableau advisory ADV-2020-009 for information on remediating these vulnerabilities.
CVEs related to QID 372444
| Advisory ID | Software | Component | Link |
|---|---|---|---|
| ADV-2020-009 | Linux | | |
| ADV-2020-009 | Windows | | |