SQL injection in Tableau Server - #VU7308
Published: July 4, 2017
Vulnerability identifier: #VU7308
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-89
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Tableau
Affected software:
Tableau Server
Tableau Server
Detailed vulnerability description
The vulnerability allows a remote attacker to execute arbitrary SQL commands in database.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can supply a specially crafted parameter value in order to execute arbitrary SQL statements in the repository (Postgres) database.
Successful exploitation of the vulnerability may allow an attacker to gain complete control over vulnerable database.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can supply a specially crafted parameter value in order to execute arbitrary SQL statements in the repository (Postgres) database.
Successful exploitation of the vulnerability may allow an attacker to gain complete control over vulnerable database.
Remediation
The vulnerability is addressed in the following versions:
9.2.18, 9.3.15, 10.0.10, 10.1.8, 10.2.2.
9.2.18, 9.3.15, 10.0.10, 10.1.8, 10.2.2.