CVE-2019-15637
published 2019-08-26


Priority P276 high · 8.1 CVSS 3.1
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 14.31% (96.2th percentile)
Numerous Tableau products are vulnerable to XXE via a malicious workbook, extension, or data source, leading to information disclosure or a DoS. This affects Tableau Server, Tableau Desktop, Tableau Reader, and Tableau Public Desktop.

Affected

20 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| tableau | tableau_desktop | 10.2 – 10.2.23 | |
| tableau | tableau_desktop | 10.3 – 10.3.23 | |
| tableau | tableau_desktop | 10.4 – 10.4.19 | |
| tableau | tableau_desktop | 10.5 – 10.5.18 | |
| tableau | tableau_desktop | 2018.1 – 2018.1.15 | |
| tableau | tableau_desktop | 2018.2 – 2018.2.12 | |
| tableau | tableau_desktop | 2018.3 – 2018.3.9 | |
| tableau | tableau_desktop | 2019.1 – 2019.1.6 | |
| tableau | tableau_desktop | 2019.2 – 2019.2.2 | |
| tableau | tableau_public_desktop | 10.2 – 10.2.2 | |
| tableau | tableau_reader | 10.2 – 10.2.2 | |
| tableau | tableau_server | 10.2 – 10.2.23 | |
| tableau | tableau_server | 10.3 – 10.3.23 | |
| tableau | tableau_server | 10.4 – 10.4.19 | |
| tableau | tableau_server | 10.5 – 10.5.18 | |
| tableau | tableau_server | 2018.1 – 2018.1.15 | |
| tableau | tableau_server | 2018.2 – 2018.12 | |
| tableau | tableau_server | 2018.3 – 2018.3.9 | |
| tableau | tableau_server | 2019.1 – 2019.1.6 | |
| tableau | tableau_server | 2019.2 – 2019.2.2 | |

Detection & IOCs (extracted from sources)

cookie: workgroup_session_id
other: Content-Disposition: form-data; name="extensionManifestContents"
  • Monitor multipart/form-data POST requests to Tableau Server endpoints that include an 'extensionManifestContents' field, as this is the injection point for the malicious XXE payload.
  • Alert on Tableau Server requests carrying the 'workgroup_session_id' cookie combined with multipart form submissions containing XML content in the extensionManifestContents field, which is the exploitation pattern for this XXE.
  • Malicious workbooks, data sources, and extension files published or used on Tableau Server can trigger this XXE vulnerability — inspect uploaded .twb, .tds, and extension manifest files for external entity declarations.
  • Exploitation requires an authenticated session (valid workgroup_session_id cookie) and knowledge of target-specific parameters (zoneId and dashboard name), limiting unauthenticated exploitation but not authenticated low-privilege users.
  • The exploit author notes the PoC is incomplete due to lack of source code access; a more complete exploit may exist at the referenced GitHub repository.
  • The vulnerability affects multiple Tableau products: Tableau Server, Tableau Desktop, Tableau Reader, and Tableau Public Desktop; detection and patching scope must cover all four.
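
A defender-side check for the indicators listed above, added here as an example (not code from the page's sources or from Tableau): it labels DTD and entity declarations in .twb, .tds or manifest content, and applies the same check to the extensionManifestContents field of a captured multipart request. The function names, the sample request and the assumption that any DTD in such content merits review are constructed for illustration.

```python
import re
from email import message_from_bytes

FIELD = "extensionManifestContents"  # form field named in the indicators above
COOKIE = "workgroup_session_id"      # session cookie named in the indicators above
ENTITY_RE = re.compile(r"<!ENTITY\s+(%\s*)?\S+\s+(SYSTEM|PUBLIC)?", re.I)

def decode(data: bytes) -> str:
    """Decode XML bytes, honouring a UTF-16 BOM so wide encodings are not missed."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16", errors="replace")
    return data.decode("utf-8", errors="replace")

def dtd_findings(data: bytes) -> set:
    """Label DTD constructs in a .twb, .tds or manifest body (assumption: any hit merits review)."""
    text, found = decode(data), set()
    if re.search(r"<!DOCTYPE\b", text, re.I):
        found.add("doctype")
    for m in ENTITY_RE.finditer(text):
        found.add("parameter-entity" if m.group(1) else "entity")
        if m.group(2):
            found.add("external-entity")
    return found

def request_findings(cookie_header: str, content_type: str, body: bytes) -> set:
    """DTD findings for the manifest field of a session-bearing multipart POST."""
    if COOKIE not in cookie_header or not content_type.lower().startswith("multipart/form-data"):
        return set()
    raw = b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body
    for part in message_from_bytes(raw).walk():
        if part.get_param("name", header="content-disposition") == FIELD:
            return dtd_findings(part.get_payload(decode=True) or b"")
    return set()

# Constructed sample request body; element names and the URL are placeholders.
SAMPLE_CT = "multipart/form-data; boundary=----constructed"
SAMPLE_BODY = (
    "------constructed\r\n"
    'Content-Disposition: form-data; name="extensionManifestContents"\r\n\r\n'
    '<?xml version="1.0"?>\r\n'
    '<!DOCTYPE manifest [<!ENTITY ext SYSTEM "http://example.invalid/placeholder">]>\r\n'
    "<manifest>&ext;</manifest>\r\n"
    "------constructed--\r\n"
).encode()

if __name__ == "__main__":
    print(sorted(request_findings("workgroup_session_id=constructed", SAMPLE_CT, SAMPLE_BODY)))
```

The regular expressions are a triage filter, not an XML parser: route hits to review rather than treating a clean result as proof that a file is safe.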

CVSS provenance

nvd · v3.1 · 8.1 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
nvd · v3.0 · 7.1 HIGH · CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L
nvd · v2.0 · 5.5 MEDIUM · AV:N/AC:L/Au:S/C:P/I:N/A:P
vulncheck · 8.1 HIGH