QID 372444

Date Published: 2021-05-31

QID 372444: Tableau Server and Desktop Multiple Vulnerabilities (Important-ADV-2020-009)

Tableau Server, by Tableau Software, is an online solution for sharing, distributing, and collaborating on content created in Tableau. Create workbooks and views, dashboards, and data sources in Tableau Desktop, and then publish this content to the server.

Multiple vulnerabilities in QtWebEngine have been addressed:

CVE-2019-13117: In numbers.c in libxslt 1.1.33, an xsl:number with certain format strings could lead to an uninitialized read in xsltNumberFormatInsertNumbers. This could allow an attacker to discern whether a byte on the stack contains the characters A, a, I, i, or 0, or any other character.

CVE-2019-13118: In numbers.c in libxslt 1.1.33, a type holding grouping characters of an xsl:number instruction was too narrow and an invalid character/length combination could be passed to xsltNumberFormatDecimal, leading to a read of uninitialized stack data.

CVE-2019-13785: In libpng 1.6.34, a wrong calculation of row_factor in the png_check_chunk_length function (pngrutil.c) may trigger an integer overflow and resultant divide-by-zero while processing a crafted PNG file, leading to a denial of service.

CVE-2019-18197: In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't reset under certain circumstances. If the relevant memory area happened to be freed and reused in a certain way, a bounds check could fail and memory outside a buffer could be written to, or uninitialized data could be disclosed.

Affected Versions:

Tableau Server:
  • Tableau Server on Linux 10.4 through 10.4.23
  • Tableau Server on Linux 10.5 through 10.5.22
  • Tableau Server on Linux 2018.1 through 2018.1.19
  • Tableau Server on Linux 2018.2 through 2018.2.16
  • Tableau Server on Linux 2018.3 through 2018.3.13
  • Tableau Server on Linux 2019.1 through 2019.1.11
  • Tableau Server on Linux 2019.2 through 2019.2.7
  • Tableau Server on Linux 2019.3 through 2019.3.3
  • Tableau Server on Linux 2019.4 through 2019.4.1
  • Tableau Server on Windows 10.4 through 10.4.23
  • Tableau Server on Windows 10.5 through 10.5.22
  • Tableau Server on Windows 2018.1 through 2018.1.19
  • Tableau Server on Windows 2018.2 through 2018.2.16
  • Tableau Server on Windows 2018.3 through 2018.3.13
  • Tableau Server on Windows 2019.1 through 2019.1.11
  • Tableau Server on Windows 2019.2 through 2019.2.7
  • Tableau Server on Windows 2019.3 through 2019.3.3
  • Tableau Server on Windows 2019.4 through 2019.4.1

Tableau Desktop:
  • Tableau Desktop on Mac 10.4 through 10.4.23
  • Tableau Desktop on Mac 10.5 through 10.5.22
  • Tableau Desktop on Mac 2018.1 through 2018.1.19
  • Tableau Desktop on Mac 2018.2 through 2018.2.16
  • Tableau Desktop on Mac 2018.3 through 2018.3.13
  • Tableau Desktop on Mac 2019.1 through 2019.1.11
  • Tableau Desktop on Mac 2019.2 through 2019.2.7
  • Tableau Desktop on Mac 2019.3 through 2019.3.3
  • Tableau Desktop on Mac 2019.4 through 2019.4.1
  • Tableau Desktop on Windows 10.4 through 10.4.23
  • Tableau Desktop on Windows 10.5 through 10.5.22
  • Tableau Desktop on Windows 2018.1 through 2018.1.19
  • Tableau Desktop on Windows 2018.2 through 2018.2.16
  • Tableau Desktop on Windows 2018.3 through 2018.3.13
  • Tableau Desktop on Windows 2019.1 through 2019.1.11
  • Tableau Desktop on Windows 2019.2 through 2019.2.7
  • Tableau Desktop on Windows 2019.3 through 2019.3.3
  • Tableau Desktop on Windows 2019.4 through 2019.4.1

QID Detection Logic (Authenticated)
This QID checks for the file version of tableau.exe for Tableau Desktop and tabsvc.exe for Tableau Server.
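For triaging an inventory against the affected ranges listed above, the following is an added example, not the QID's own detection code. It assumes the input is the Tableau product version string (such as 2019.2.7), not the raw file version of tableau.exe or tabsvc.exe, whose mapping this page does not give; the function names and sample hosts are hypothetical.

```python
import re

# Last affected release per branch, copied from the "Affected Versions" list
# above (the same ranges are listed for Server and Desktop on every platform).
LAST_AFFECTED = {
    (10, 4): 23, (10, 5): 22,
    (2018, 1): 19, (2018, 2): 16, (2018, 3): 13,
    (2019, 1): 11, (2019, 2): 7, (2019, 3): 3, (2019, 4): 1,
}

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?\s*$")


def parse_version(text):
    """Parse 'major.minor[.maintenance]' into a tuple; maintenance defaults to 0."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognized Tableau version string: {text!r}")
    major, minor, maint = m.groups()
    return int(major), int(minor), int(maint or 0)


def classify(version_text):
    """Return 'affected', 'above-range', or 'not-listed' for one product version."""
    major, minor, maint = parse_version(version_text)
    last = LAST_AFFECTED.get((major, minor))
    if last is None:
        # Branch is absent from the advisory list: do not assume it is safe.
        return "not-listed"
    return "affected" if maint <= last else "above-range"


def triage(inventory):
    """Map {host: version} to {host: status}; unparseable versions become 'unknown'."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = classify(version)
        except ValueError:
            result[host] = "unknown"
    return result


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = {"bi-srv-01": "2019.2.7", "bi-srv-02": "2019.2.8",
          "analyst-mac": "10.5", "lab-vm": "2020.1.0", "kiosk": "build-unknown"}

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as "not-listed" or "unknown" need manual review against ADV-2020-009 rather than being treated as unaffected.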

An unauthenticated remote attacker could exploit these vulnerabilities to cause a denial of service or read data in memory.

  • CVSS V3 rated as High - 7.5 severity.
  • CVSS V2 rated as Medium - 5.1 severity.
Solution

    Customers are advised to refer to ADV-2020-009 for information pertaining to remediating this vulnerability.

    Software Advisories
    Advisory ID | Software Component | Link
    ADV-2020-009 | Linux | community.tableau.com/community/security-bulletins/blog/2020/01/23/important-adv-2020-009-tableau-fixes-for-multiple-security-vulnerabilies-in-qtwebengine
    ADV-2020-009 | Windows | community.tableau.com/community/security-bulletins/blog/2020/01/23/important-adv-2020-009-tableau-fixes-for-multiple-security-vulnerabilies-in-qtwebengine