CVE-2020-6939

Tableau Server installations configured with Site-Specific SAML that allows the APIs to be used by unauthenticated users. If exploited, this could allow a malicious user to configure Site-Specific SAML settings and could lead to account takeover for users of that site. Tableau Server versions affected on both Windows and Linux are: 2018.2 through 2018.2.27, 2018.3 through 2018.3.24, 2019.1 through 2019.1.22, 2019.2 through 2019.2.18, 2019.3 through 2019.3.14, 2019.4 through 2019.4.13, 2020.1 through 2020.1.10, 2020.2 through 2020.2.7, and 2020.3 through 2020.3.2.

Published: Nov 23, 2020
Updated: Apr 14, 2023
CVE: CVE-2020-6939
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: High
Score: 10
AV:N/AC:L/Au:N/C:C/I:C/A:C

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
tableau / tableau_server	2018.2	2018.2.27.x
tableau / tableau_server	2018.3	2018.3.24.x
tableau / tableau_server	2019.1	2019.1.22.x
tableau / tableau_server	2019.2	2019.2.18.x
tableau / tableau_server	2019.3	2019.3.14.x
tableau / tableau_server	2019.4	2019.4.13.x
tableau / tableau_server	2020.1	2020.1.10.x
tableau / tableau_server	2020.2	2020.2.7.x
tableau / tableau_server	2020.3	2020.3.2.x

https://help.salesforce.com/articleView?id=000355686&type=1&mode=1

Vulnerability Database

CVE-2020-6939

Deep Security Visibility Without the Complexity