Vulnerability Details CVE-2019-15637
Numerous Tableau products are vulnerable to XXE via a malicious workbook, extension, or data source, leading to information disclosure or a DoS. This affects Tableau Server, Tableau Desktop, Tableau Reader, and Tableau Public Desktop.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.108
EPSS Ranking 93.1%
CVSS Severity
CVSS v3 Score 7.1
CVSS v2 Score 5.5
References
- https://community.tableau.com/community/security-bulletins/blog/2019/08/22/important-adv-2019-030-xxe-vulnerability-in-tableau-products
- https://github.com/minecrater/exploits/blob/master/TableauXXE.py
- https://packetstormsecurity.com/files/154232/Tableau-XML-Injection.html
- https://community.tableau.com/community/security-bulletins/blog/2019/08/22/important-adv-2019-030-xxe-vulnerability-in-tableau-products
- https://github.com/minecrater/exploits/blob/master/TableauXXE.py
- https://packetstormsecurity.com/files/154232/Tableau-XML-Injection.html
Products affected by CVE-2019-15637
-
cpe:2.3:a:tableau:tableau_desktop:10.2
-
cpe:2.3:a:tableau:tableau_desktop:10.2.1
-
cpe:2.3:a:tableau:tableau_desktop:10.2.10
-
cpe:2.3:a:tableau:tableau_desktop:10.2.11
-
cpe:2.3:a:tableau:tableau_desktop:10.2.12
-
cpe:2.3:a:tableau:tableau_desktop:10.2.13
-
cpe:2.3:a:tableau:tableau_desktop:10.2.14
-
cpe:2.3:a:tableau:tableau_desktop:10.2.15
-
cpe:2.3:a:tableau:tableau_desktop:10.2.16
-
cpe:2.3:a:tableau:tableau_desktop:10.2.17
-
cpe:2.3:a:tableau:tableau_desktop:10.2.18
-
cpe:2.3:a:tableau:tableau_desktop:10.2.19
-
cpe:2.3:a:tableau:tableau_desktop:10.2.2
-
cpe:2.3:a:tableau:tableau_desktop:10.2.20
-
cpe:2.3:a:tableau:tableau_desktop:10.2.21
-
cpe:2.3:a:tableau:tableau_desktop:10.2.22
-
cpe:2.3:a:tableau:tableau_desktop:10.2.23
-
cpe:2.3:a:tableau:tableau_desktop:10.2.3
-
cpe:2.3:a:tableau:tableau_desktop:10.2.4
-
cpe:2.3:a:tableau:tableau_desktop:10.2.5
-
cpe:2.3:a:tableau:tableau_desktop:10.2.6
-
cpe:2.3:a:tableau:tableau_desktop:10.2.7
-
cpe:2.3:a:tableau:tableau_desktop:10.2.8
-
cpe:2.3:a:tableau:tableau_desktop:10.2.9
-
cpe:2.3:a:tableau:tableau_desktop:10.3
-
cpe:2.3:a:tableau:tableau_desktop:10.3.1
-
cpe:2.3:a:tableau:tableau_desktop:10.3.10
-
cpe:2.3:a:tableau:tableau_desktop:10.3.11
-
cpe:2.3:a:tableau:tableau_desktop:10.3.12
-
cpe:2.3:a:tableau:tableau_desktop:10.3.13
-
cpe:2.3:a:tableau:tableau_desktop:10.3.14
-
cpe:2.3:a:tableau:tableau_desktop:10.3.15
-
cpe:2.3:a:tableau:tableau_desktop:10.3.16
-
cpe:2.3:a:tableau:tableau_desktop:10.3.17
-
cpe:2.3:a:tableau:tableau_desktop:10.3.18
-
cpe:2.3:a:tableau:tableau_desktop:10.3.19
-
cpe:2.3:a:tableau:tableau_desktop:10.3.2
-
cpe:2.3:a:tableau:tableau_desktop:10.3.20
-
cpe:2.3:a:tableau:tableau_desktop:10.3.21
-
cpe:2.3:a:tableau:tableau_desktop:10.3.22
-
cpe:2.3:a:tableau:tableau_desktop:10.3.23
-
cpe:2.3:a:tableau:tableau_desktop:10.3.3
-
cpe:2.3:a:tableau:tableau_desktop:10.3.4
-
cpe:2.3:a:tableau:tableau_desktop:10.3.5
-
cpe:2.3:a:tableau:tableau_desktop:10.3.6
-
cpe:2.3:a:tableau:tableau_desktop:10.3.7
-
cpe:2.3:a:tableau:tableau_desktop:10.3.8
-
cpe:2.3:a:tableau:tableau_desktop:10.3.9
-
cpe:2.3:a:tableau:tableau_desktop:10.4
-
cpe:2.3:a:tableau:tableau_desktop:10.4.1
-
cpe:2.3:a:tableau:tableau_desktop:10.4.10
-
cpe:2.3:a:tableau:tableau_desktop:10.4.11
-
cpe:2.3:a:tableau:tableau_desktop:10.4.12
-
cpe:2.3:a:tableau:tableau_desktop:10.4.13
-
cpe:2.3:a:tableau:tableau_desktop:10.4.14
-
cpe:2.3:a:tableau:tableau_desktop:10.4.15
-
cpe:2.3:a:tableau:tableau_desktop:10.4.16
-
cpe:2.3:a:tableau:tableau_desktop:10.4.17
-
cpe:2.3:a:tableau:tableau_desktop:10.4.18
-
cpe:2.3:a:tableau:tableau_desktop:10.4.19
-
cpe:2.3:a:tableau:tableau_desktop:10.4.2
-
cpe:2.3:a:tableau:tableau_desktop:10.4.3
-
cpe:2.3:a:tableau:tableau_desktop:10.4.4
-
cpe:2.3:a:tableau:tableau_desktop:10.4.5
-
cpe:2.3:a:tableau:tableau_desktop:10.4.6
-
cpe:2.3:a:tableau:tableau_desktop:10.4.7
-
cpe:2.3:a:tableau:tableau_desktop:10.4.8
-
cpe:2.3:a:tableau:tableau_desktop:10.4.9
-
cpe:2.3:a:tableau:tableau_desktop:10.5
-
cpe:2.3:a:tableau:tableau_desktop:10.5.1
-
cpe:2.3:a:tableau:tableau_desktop:10.5.10
-
cpe:2.3:a:tableau:tableau_desktop:10.5.11
-
cpe:2.3:a:tableau:tableau_desktop:10.5.12
-
cpe:2.3:a:tableau:tableau_desktop:10.5.13
-
cpe:2.3:a:tableau:tableau_desktop:10.5.14
-
cpe:2.3:a:tableau:tableau_desktop:10.5.15
-
cpe:2.3:a:tableau:tableau_desktop:10.5.16
-
cpe:2.3:a:tableau:tableau_desktop:10.5.17
-
cpe:2.3:a:tableau:tableau_desktop:10.5.18
-
cpe:2.3:a:tableau:tableau_desktop:10.5.2
-
cpe:2.3:a:tableau:tableau_desktop:10.5.3
-
cpe:2.3:a:tableau:tableau_desktop:10.5.4
-
cpe:2.3:a:tableau:tableau_desktop:10.5.5
-
cpe:2.3:a:tableau:tableau_desktop:10.5.6
-
cpe:2.3:a:tableau:tableau_desktop:10.5.7
-
cpe:2.3:a:tableau:tableau_desktop:10.5.8
-
cpe:2.3:a:tableau:tableau_desktop:10.5.9
-
cpe:2.3:a:tableau:tableau_desktop:2018.1
-
cpe:2.3:a:tableau:tableau_desktop:2018.1.1
-
cpe:2.3:a:tableau:tableau_desktop:2018.1.10
-
cpe:2.3:a:tableau:tableau_desktop:2018.1.11
-
cpe:2.3:a:tableau:tableau_desktop:2018.1.12
-
cpe:2.3:a:tableau:tableau_desktop:2018.1.13
-
cpe:2.3:a:tableau:tableau_desktop:2018.1.14
-
cpe:2.3:a:tableau:tableau_desktop:2018.1.15
-
cpe:2.3:a:tableau:tableau_desktop:2018.1.2
-
cpe:2.3:a:tableau:tableau_desktop:2018.1.3
-
cpe:2.3:a:tableau:tableau_desktop:2018.1.4
-
cpe:2.3:a:tableau:tableau_desktop:2018.1.5
-
cpe:2.3:a:tableau:tableau_desktop:2018.1.6
-
cpe:2.3:a:tableau:tableau_desktop:2018.1.7
-
cpe:2.3:a:tableau:tableau_desktop:2018.1.8
-
cpe:2.3:a:tableau:tableau_desktop:2018.1.9
-
cpe:2.3:a:tableau:tableau_desktop:2018.2
-
cpe:2.3:a:tableau:tableau_desktop:2018.2.1
-
cpe:2.3:a:tableau:tableau_desktop:2018.2.10
-
cpe:2.3:a:tableau:tableau_desktop:2018.2.11
-
cpe:2.3:a:tableau:tableau_desktop:2018.2.12
-
cpe:2.3:a:tableau:tableau_desktop:2018.2.2
-
cpe:2.3:a:tableau:tableau_desktop:2018.2.3
-
cpe:2.3:a:tableau:tableau_desktop:2018.2.4
-
cpe:2.3:a:tableau:tableau_desktop:2018.2.5
-
cpe:2.3:a:tableau:tableau_desktop:2018.2.6
-
cpe:2.3:a:tableau:tableau_desktop:2018.2.7
-
cpe:2.3:a:tableau:tableau_desktop:2018.2.8
-
cpe:2.3:a:tableau:tableau_desktop:2018.2.9
-
cpe:2.3:a:tableau:tableau_desktop:2018.3
-
cpe:2.3:a:tableau:tableau_desktop:2018.3.1
-
cpe:2.3:a:tableau:tableau_desktop:2018.3.2
-
cpe:2.3:a:tableau:tableau_desktop:2018.3.3
-
cpe:2.3:a:tableau:tableau_desktop:2018.3.4
-
cpe:2.3:a:tableau:tableau_desktop:2018.3.5
-
cpe:2.3:a:tableau:tableau_desktop:2018.3.6
-
cpe:2.3:a:tableau:tableau_desktop:2018.3.7
-
cpe:2.3:a:tableau:tableau_desktop:2018.3.8
-
cpe:2.3:a:tableau:tableau_desktop:2018.3.9
-
cpe:2.3:a:tableau:tableau_desktop:2019.1
-
cpe:2.3:a:tableau:tableau_desktop:2019.1.1
-
cpe:2.3:a:tableau:tableau_desktop:2019.1.2
-
cpe:2.3:a:tableau:tableau_desktop:2019.1.3
-
cpe:2.3:a:tableau:tableau_desktop:2019.1.4
-
cpe:2.3:a:tableau:tableau_desktop:2019.1.5
-
cpe:2.3:a:tableau:tableau_desktop:2019.1.6
-
cpe:2.3:a:tableau:tableau_desktop:2019.2
-
cpe:2.3:a:tableau:tableau_desktop:2019.2.1
-
cpe:2.3:a:tableau:tableau_desktop:2019.2.2
-
cpe:2.3:a:tableau:tableau_public_desktop:10.2
-
cpe:2.3:a:tableau:tableau_public_desktop:10.2.2
-
cpe:2.3:a:tableau:tableau_reader:10.2
-
cpe:2.3:a:tableau:tableau_reader:10.2.2
-
cpe:2.3:a:tableau:tableau_server:10.2
-
cpe:2.3:a:tableau:tableau_server:10.2.1
-
cpe:2.3:a:tableau:tableau_server:10.2.10
-
cpe:2.3:a:tableau:tableau_server:10.2.11
-
cpe:2.3:a:tableau:tableau_server:10.2.12
-
cpe:2.3:a:tableau:tableau_server:10.2.13
-
cpe:2.3:a:tableau:tableau_server:10.2.14
-
cpe:2.3:a:tableau:tableau_server:10.2.15
-
cpe:2.3:a:tableau:tableau_server:10.2.16
-
cpe:2.3:a:tableau:tableau_server:10.2.17
-
cpe:2.3:a:tableau:tableau_server:10.2.18
-
cpe:2.3:a:tableau:tableau_server:10.2.19
-
cpe:2.3:a:tableau:tableau_server:10.2.2
-
cpe:2.3:a:tableau:tableau_server:10.2.20
-
cpe:2.3:a:tableau:tableau_server:10.2.21
-
cpe:2.3:a:tableau:tableau_server:10.2.22
-
cpe:2.3:a:tableau:tableau_server:10.2.23
-
cpe:2.3:a:tableau:tableau_server:10.2.3
-
cpe:2.3:a:tableau:tableau_server:10.2.4
-
cpe:2.3:a:tableau:tableau_server:10.2.5
-
cpe:2.3:a:tableau:tableau_server:10.2.6
-
cpe:2.3:a:tableau:tableau_server:10.2.7
-
cpe:2.3:a:tableau:tableau_server:10.2.8
-
cpe:2.3:a:tableau:tableau_server:10.2.9
-
cpe:2.3:a:tableau:tableau_server:10.3
-
cpe:2.3:a:tableau:tableau_server:10.3.1
-
cpe:2.3:a:tableau:tableau_server:10.3.10
-
cpe:2.3:a:tableau:tableau_server:10.3.11
-
cpe:2.3:a:tableau:tableau_server:10.3.12
-
cpe:2.3:a:tableau:tableau_server:10.3.13
-
cpe:2.3:a:tableau:tableau_server:10.3.14
-
cpe:2.3:a:tableau:tableau_server:10.3.15
-
cpe:2.3:a:tableau:tableau_server:10.3.16
-
cpe:2.3:a:tableau:tableau_server:10.3.17
-
cpe:2.3:a:tableau:tableau_server:10.3.18
-
cpe:2.3:a:tableau:tableau_server:10.3.19
-
cpe:2.3:a:tableau:tableau_server:10.3.2
-
cpe:2.3:a:tableau:tableau_server:10.3.20
-
cpe:2.3:a:tableau:tableau_server:10.3.21
-
cpe:2.3:a:tableau:tableau_server:10.3.22
-
cpe:2.3:a:tableau:tableau_server:10.3.23
-
cpe:2.3:a:tableau:tableau_server:10.3.3
-
cpe:2.3:a:tableau:tableau_server:10.3.4
-
cpe:2.3:a:tableau:tableau_server:10.3.5
-
cpe:2.3:a:tableau:tableau_server:10.3.6
-
cpe:2.3:a:tableau:tableau_server:10.3.7
-
cpe:2.3:a:tableau:tableau_server:10.3.8
-
cpe:2.3:a:tableau:tableau_server:10.3.9
-
cpe:2.3:a:tableau:tableau_server:10.4
-
cpe:2.3:a:tableau:tableau_server:10.4.1
-
cpe:2.3:a:tableau:tableau_server:10.4.10
-
cpe:2.3:a:tableau:tableau_server:10.4.11
-
cpe:2.3:a:tableau:tableau_server:10.4.12
-
cpe:2.3:a:tableau:tableau_server:10.4.13
-
cpe:2.3:a:tableau:tableau_server:10.4.14
-
cpe:2.3:a:tableau:tableau_server:10.4.15
-
cpe:2.3:a:tableau:tableau_server:10.4.16
-
cpe:2.3:a:tableau:tableau_server:10.4.17
-
cpe:2.3:a:tableau:tableau_server:10.4.18
-
cpe:2.3:a:tableau:tableau_server:10.4.19
-
cpe:2.3:a:tableau:tableau_server:10.4.2
-
cpe:2.3:a:tableau:tableau_server:10.4.3
-
cpe:2.3:a:tableau:tableau_server:10.4.4
-
cpe:2.3:a:tableau:tableau_server:10.4.5
-
cpe:2.3:a:tableau:tableau_server:10.4.6
-
cpe:2.3:a:tableau:tableau_server:10.4.7
-
cpe:2.3:a:tableau:tableau_server:10.4.8
-
cpe:2.3:a:tableau:tableau_server:10.4.9
-
cpe:2.3:a:tableau:tableau_server:10.5
-
cpe:2.3:a:tableau:tableau_server:10.5.1
-
cpe:2.3:a:tableau:tableau_server:10.5.10
-
cpe:2.3:a:tableau:tableau_server:10.5.11
-
cpe:2.3:a:tableau:tableau_server:10.5.12
-
cpe:2.3:a:tableau:tableau_server:10.5.13
-
cpe:2.3:a:tableau:tableau_server:10.5.14
-
cpe:2.3:a:tableau:tableau_server:10.5.15
-
cpe:2.3:a:tableau:tableau_server:10.5.16
-
cpe:2.3:a:tableau:tableau_server:10.5.17
-
cpe:2.3:a:tableau:tableau_server:10.5.18
-
cpe:2.3:a:tableau:tableau_server:10.5.2
-
cpe:2.3:a:tableau:tableau_server:10.5.3
-
cpe:2.3:a:tableau:tableau_server:10.5.4
-
cpe:2.3:a:tableau:tableau_server:10.5.5
-
cpe:2.3:a:tableau:tableau_server:10.5.6
-
cpe:2.3:a:tableau:tableau_server:10.5.7
-
cpe:2.3:a:tableau:tableau_server:10.5.8
-
cpe:2.3:a:tableau:tableau_server:10.5.9
-
cpe:2.3:a:tableau:tableau_server:2018.1
-
cpe:2.3:a:tableau:tableau_server:2018.1.1
-
cpe:2.3:a:tableau:tableau_server:2018.1.10
-
cpe:2.3:a:tableau:tableau_server:2018.1.11
-
cpe:2.3:a:tableau:tableau_server:2018.1.12
-
cpe:2.3:a:tableau:tableau_server:2018.1.13
-
cpe:2.3:a:tableau:tableau_server:2018.1.14
-
cpe:2.3:a:tableau:tableau_server:2018.1.15
-
cpe:2.3:a:tableau:tableau_server:2018.1.2
-
cpe:2.3:a:tableau:tableau_server:2018.1.3
-
cpe:2.3:a:tableau:tableau_server:2018.1.4
-
cpe:2.3:a:tableau:tableau_server:2018.1.5
-
cpe:2.3:a:tableau:tableau_server:2018.1.6
-
cpe:2.3:a:tableau:tableau_server:2018.1.7
-
cpe:2.3:a:tableau:tableau_server:2018.1.8
-
cpe:2.3:a:tableau:tableau_server:2018.1.9
-
cpe:2.3:a:tableau:tableau_server:2018.12
-
cpe:2.3:a:tableau:tableau_server:2018.2
-
cpe:2.3:a:tableau:tableau_server:2018.2.1
-
cpe:2.3:a:tableau:tableau_server:2018.2.10
-
cpe:2.3:a:tableau:tableau_server:2018.2.11
-
cpe:2.3:a:tableau:tableau_server:2018.2.12
-
cpe:2.3:a:tableau:tableau_server:2018.2.13
-
cpe:2.3:a:tableau:tableau_server:2018.2.14
-
cpe:2.3:a:tableau:tableau_server:2018.2.15
-
cpe:2.3:a:tableau:tableau_server:2018.2.16
-
cpe:2.3:a:tableau:tableau_server:2018.2.17
-
cpe:2.3:a:tableau:tableau_server:2018.2.18
-
cpe:2.3:a:tableau:tableau_server:2018.2.19
-
cpe:2.3:a:tableau:tableau_server:2018.2.2
-
cpe:2.3:a:tableau:tableau_server:2018.2.20
-
cpe:2.3:a:tableau:tableau_server:2018.2.21
-
cpe:2.3:a:tableau:tableau_server:2018.2.22
-
cpe:2.3:a:tableau:tableau_server:2018.2.23
-
cpe:2.3:a:tableau:tableau_server:2018.2.24
-
cpe:2.3:a:tableau:tableau_server:2018.2.25
-
cpe:2.3:a:tableau:tableau_server:2018.2.26
-
cpe:2.3:a:tableau:tableau_server:2018.2.27
-
cpe:2.3:a:tableau:tableau_server:2018.2.3
-
cpe:2.3:a:tableau:tableau_server:2018.2.4
-
cpe:2.3:a:tableau:tableau_server:2018.2.5
-
cpe:2.3:a:tableau:tableau_server:2018.2.6
-
cpe:2.3:a:tableau:tableau_server:2018.2.7
-
cpe:2.3:a:tableau:tableau_server:2018.2.8
-
cpe:2.3:a:tableau:tableau_server:2018.2.9
-
cpe:2.3:a:tableau:tableau_server:2018.3
-
cpe:2.3:a:tableau:tableau_server:2018.3.1
-
cpe:2.3:a:tableau:tableau_server:2018.3.10
-
cpe:2.3:a:tableau:tableau_server:2018.3.11
-
cpe:2.3:a:tableau:tableau_server:2018.3.12
-
cpe:2.3:a:tableau:tableau_server:2018.3.13
-
cpe:2.3:a:tableau:tableau_server:2018.3.14
-
cpe:2.3:a:tableau:tableau_server:2018.3.15
-
cpe:2.3:a:tableau:tableau_server:2018.3.16
-
cpe:2.3:a:tableau:tableau_server:2018.3.17
-
cpe:2.3:a:tableau:tableau_server:2018.3.18
-
cpe:2.3:a:tableau:tableau_server:2018.3.19
-
cpe:2.3:a:tableau:tableau_server:2018.3.2
-
cpe:2.3:a:tableau:tableau_server:2018.3.20
-
cpe:2.3:a:tableau:tableau_server:2018.3.21
-
cpe:2.3:a:tableau:tableau_server:2018.3.22
-
cpe:2.3:a:tableau:tableau_server:2018.3.23
-
cpe:2.3:a:tableau:tableau_server:2018.3.24
-
cpe:2.3:a:tableau:tableau_server:2018.3.3
-
cpe:2.3:a:tableau:tableau_server:2018.3.4
-
cpe:2.3:a:tableau:tableau_server:2018.3.5
-
cpe:2.3:a:tableau:tableau_server:2018.3.6
-
cpe:2.3:a:tableau:tableau_server:2018.3.7
-
cpe:2.3:a:tableau:tableau_server:2018.3.8
-
cpe:2.3:a:tableau:tableau_server:2018.3.9
-
cpe:2.3:a:tableau:tableau_server:2019.1
-
cpe:2.3:a:tableau:tableau_server:2019.1.1
-
cpe:2.3:a:tableau:tableau_server:2019.1.2
-
cpe:2.3:a:tableau:tableau_server:2019.1.3
-
cpe:2.3:a:tableau:tableau_server:2019.1.4
-
cpe:2.3:a:tableau:tableau_server:2019.1.5
-
cpe:2.3:a:tableau:tableau_server:2019.1.6
-
cpe:2.3:a:tableau:tableau_server:2019.2
-
cpe:2.3:a:tableau:tableau_server:2019.2.1
-
cpe:2.3:a:tableau:tableau_server:2019.2.2
-
cpe:2.3:o:apple:macos:-
-
cpe:2.3:o:linux:linux_kernel:-
-
cpe:2.3:o:microsoft:windows:-