CVE-2020-6939 (GCVE-0-2020-6939)

Vulnerability from cvelistv5 – Published: 2020-11-23 16:16 – Updated: 2024-08-04 09:18
VLAI
Summary
Tableau Server installations configured with Site-Specific SAML that allows the APIs to be used by unauthenticated users. If exploited, this could allow a malicious user to configure Site-Specific SAML settings and could lead to account takeover for users of that site. Tableau Server versions affected on both Windows and Linux are: 2018.2 through 2018.2.27, 2018.3 through 2018.3.24, 2019.1 through 2019.1.22, 2019.2 through 2019.2.18, 2019.3 through 2019.3.14, 2019.4 through 2019.4.13, 2020.1 through 2020.1.10, 2020.2 through 2020.2.7, and 2020.3 through 2020.3.2.
Severity
No CVSS data available.
CWE
  • Incorrect Access Control
Assigner
References
Impacted products
Vendor Product Version
n/a Tableau Server Affected: versions affected on both Windows and Linux are: 2018.2 through 2018.2.27
Affected: 2018.3 through 2018.3.24
Affected: 2019.1 through 2019.1.22
Affected: 2019.2 through 2019.2.18
Affected: 2019.3 through 2019.3.14
Affected: 2019.4 through 2019.4.13
Affected: 2020.1 through 2020.1.10
Affected: 2020.2 through 2020.2.7
Affected: 2020.3 through 2020.3.2
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T09:18:01.581Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://help.salesforce.com/articleView?id=000355686\u0026type=1\u0026mode=1"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Tableau Server",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "versions affected on both Windows and Linux are: 2018.2 through 2018.2.27"
            },
            {
              "status": "affected",
              "version": "2018.3 through 2018.3.24"
            },
            {
              "status": "affected",
              "version": "2019.1 through 2019.1.22"
            },
            {
              "status": "affected",
              "version": "2019.2 through 2019.2.18"
            },
            {
              "status": "affected",
              "version": "2019.3 through 2019.3.14"
            },
            {
              "status": "affected",
              "version": "2019.4 through 2019.4.13"
            },
            {
              "status": "affected",
              "version": "2020.1 through 2020.1.10"
            },
            {
              "status": "affected",
              "version": "2020.2 through 2020.2.7"
            },
            {
              "status": "affected",
              "version": "2020.3 through 2020.3.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Tableau Server installations configured with Site-Specific SAML that allows the APIs to be used by unauthenticated users. If exploited, this could allow a malicious user to configure Site-Specific SAML settings and could lead to account takeover for users of that site. Tableau Server versions affected on both Windows and Linux are: 2018.2 through 2018.2.27, 2018.3 through 2018.3.24, 2019.1 through 2019.1.22, 2019.2 through 2019.2.18, 2019.3 through 2019.3.14, 2019.4 through 2019.4.13, 2020.1 through 2020.1.10, 2020.2 through 2020.2.7, and 2020.3 through 2020.3.2."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Incorrect Access Control",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-11-23T16:16:25.000Z",
        "orgId": "c9b25dee-ae6d-4083-ba23-638c500cc364",
        "shortName": "Salesforce"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://help.salesforce.com/articleView?id=000355686\u0026type=1\u0026mode=1"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@salesforce.com",
          "ID": "CVE-2020-6939",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Tableau Server",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "versions affected on both Windows and Linux are: 2018.2 through 2018.2.27"
                          },
                          {
                            "version_value": "2018.3 through 2018.3.24"
                          },
                          {
                            "version_value": "2019.1 through 2019.1.22"
                          },
                          {
                            "version_value": "2019.2 through 2019.2.18"
                          },
                          {
                            "version_value": "2019.3 through 2019.3.14"
                          },
                          {
                            "version_value": "2019.4 through 2019.4.13"
                          },
                          {
                            "version_value": "2020.1 through 2020.1.10"
                          },
                          {
                            "version_value": "2020.2 through 2020.2.7"
                          },
                          {
                            "version_value": "2020.3 through 2020.3.2"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Tableau Server installations configured with Site-Specific SAML that allows the APIs to be used by unauthenticated users. If exploited, this could allow a malicious user to configure Site-Specific SAML settings and could lead to account takeover for users of that site. Tableau Server versions affected on both Windows and Linux are: 2018.2 through 2018.2.27, 2018.3 through 2018.3.24, 2019.1 through 2019.1.22, 2019.2 through 2019.2.18, 2019.3 through 2019.3.14, 2019.4 through 2019.4.13, 2020.1 through 2020.1.10, 2020.2 through 2020.2.7, and 2020.3 through 2020.3.2."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Incorrect Access Control"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://help.salesforce.com/articleView?id=000355686\u0026type=1\u0026mode=1",
              "refsource": "CONFIRM",
              "url": "https://help.salesforce.com/articleView?id=000355686\u0026type=1\u0026mode=1"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c9b25dee-ae6d-4083-ba23-638c500cc364",
    "assignerShortName": "Salesforce",
    "cveId": "CVE-2020-6939",
    "datePublished": "2020-11-23T16:16:25.000Z",
    "dateReserved": "2020-01-13T00:00:00.000Z",
    "dateUpdated": "2024-08-04T09:18:01.581Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2020-6939",
      "date": "2026-05-29",
      "epss": "0.01355",
      "percentile": "0.80428"
    },
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:tableau:tableau_server:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"2018.2\", \"versionEndIncluding\": \"2018.2.27\", \"matchCriteriaId\": \"18E26A40-022A-4887-85CE-E0BFF83F7299\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:tableau:tableau_server:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"2018.3\", \"versionEndIncluding\": \"2018.3.24\", \"matchCriteriaId\": \"7B72068B-B413-4053-B1BC-0CD154D10D8D\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:tableau:tableau_server:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"2019.1\", \"versionEndIncluding\": \"2019.1.22\", \"matchCriteriaId\": \"52F0B5EB-D5F4-4423-8754-E9BCC3699305\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:tableau:tableau_server:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"2019.2\", \"versionEndIncluding\": \"2019.2.18\", \"matchCriteriaId\": \"56EB08BB-13A4-49C9-8928-DFD0DFA8D4AE\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:tableau:tableau_server:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"2019.3\", \"versionEndIncluding\": \"2019.3.14\", \"matchCriteriaId\": \"4401C018-6851-4211-83B1-E5595A746116\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:tableau:tableau_server:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"2019.4\", \"versionEndIncluding\": \"2019.4.13\", \"matchCriteriaId\": \"EFC0F0E8-FEB5-45AB-9D12-5592549E9408\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:tableau:tableau_server:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"2020.1\", \"versionEndIncluding\": \"2020.1.10\", \"matchCriteriaId\": \"06E3D4C4-6466-420B-AF73-4C2964D3F0A7\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:tableau:tableau_server:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"2020.2\", \"versionEndIncluding\": \"2020.2.7\", \"matchCriteriaId\": \"DCE3600B-1D06-4A80-919D-32E2DA3ABFC0\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:tableau:tableau_server:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"2020.3\", \"versionEndIncluding\": \"2020.3.2\", \"matchCriteriaId\": \"C60C48CC-A038-4AA3-95EE-045AB2F6D047\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Tableau Server installations configured with Site-Specific SAML that allows the APIs to be used by unauthenticated users. If exploited, this could allow a malicious user to configure Site-Specific SAML settings and could lead to account takeover for users of that site. Tableau Server versions affected on both Windows and Linux are: 2018.2 through 2018.2.27, 2018.3 through 2018.3.24, 2019.1 through 2019.1.22, 2019.2 through 2019.2.18, 2019.3 through 2019.3.14, 2019.4 through 2019.4.13, 2020.1 through 2020.1.10, 2020.2 through 2020.2.7, and 2020.3 through 2020.3.2.\"}, {\"lang\": \"es\", \"value\": \"Instalaciones de Tableau Server configuradas con Site-Specific SAML que permite a usuarios no autenticados utilizar las API.\u0026#xa0;Si se explota, esto podr\\u00eda permitir a un usuario malicioso establecer la configuraci\\u00f3n SAML espec\\u00edfica del sitio y podr\\u00eda conllevar a la toma de control de la cuenta para los usuarios de ese sitio. Tableau Server versiones afectadas tanto en Windows como en Linux son: 2018.2 hasta 2018.2.27, 2018.3 hasta 2018.3.24, 2019.1 hasta 2019.1.22, 2019.2 hasta 2019.2.18, 2019.3 hasta 2019.3.14, 2019.4 hasta 2019.4.13, 2020.1 hasta 2020.1.10, 2020.2 hasta 2020.2.7 y 2020.3 hasta 2020.3.2\"}]",
      "id": "CVE-2020-6939",
      "lastModified": "2024-11-21T05:36:22.330",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:C/I:C/A:C\", \"baseScore\": 10.0, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"COMPLETE\", \"integrityImpact\": \"COMPLETE\", \"availabilityImpact\": \"COMPLETE\"}, \"baseSeverity\": \"HIGH\", \"exploitabilityScore\": 10.0, \"impactScore\": 10.0, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2020-11-23T17:15:12.720",
      "references": "[{\"url\": \"https://help.salesforce.com/articleView?id=000355686\u0026type=1\u0026mode=1\", \"source\": \"security@salesforce.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://help.salesforce.com/articleView?id=000355686\u0026type=1\u0026mode=1\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}]",
      "sourceIdentifier": "security@salesforce.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"NVD-CWE-noinfo\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2020-6939\",\"sourceIdentifier\":\"security@salesforce.com\",\"published\":\"2020-11-23T17:15:12.720\",\"lastModified\":\"2024-11-21T05:36:22.330\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Tableau Server installations configured with Site-Specific SAML that allows the APIs to be used by unauthenticated users. If exploited, this could allow a malicious user to configure Site-Specific SAML settings and could lead to account takeover for users of that site. Tableau Server versions affected on both Windows and Linux are: 2018.2 through 2018.2.27, 2018.3 through 2018.3.24, 2019.1 through 2019.1.22, 2019.2 through 2019.2.18, 2019.3 through 2019.3.14, 2019.4 through 2019.4.13, 2020.1 through 2020.1.10, 2020.2 through 2020.2.7, and 2020.3 through 2020.3.2.\"},{\"lang\":\"es\",\"value\":\"Instalaciones de Tableau Server configuradas con Site-Specific SAML que permite a usuarios no autenticados utilizar las API.\u0026#xa0;Si se explota, esto podr\u00eda permitir a un usuario malicioso establecer la configuraci\u00f3n SAML espec\u00edfica del sitio y podr\u00eda conllevar a la toma de control de la cuenta para los usuarios de ese sitio. Tableau Server versiones afectadas tanto en Windows como en Linux son: 2018.2 hasta 2018.2.27, 2018.3 hasta 2018.3.24, 2019.1 hasta 2019.1.22, 2019.2 hasta 2019.2.18, 2019.3 hasta 2019.3.14, 2019.4 hasta 2019.4.13, 2020.1 hasta 2020.1.10, 2020.2 hasta 2020.2.7 y 2020.3 hasta 2020.3.2\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:C/I:C/A:C\",\"baseScore\":10.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"COMPLETE\",\"integrityImpact\":\"COMPLETE\",\"availabilityImpact\":\"COMPLETE\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":10.0,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:tableau:tableau_server:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2018.2\",\"versionEndIncluding\":\"2018.2.27\",\"matchCriteriaId\":\"18E26A40-022A-4887-85CE-E0BFF83F7299\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:tableau:tableau_server:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2018.3\",\"versionEndIncluding\":\"2018.3.24\",\"matchCriteriaId\":\"7B72068B-B413-4053-B1BC-0CD154D10D8D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:tableau:tableau_server:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2019.1\",\"versionEndIncluding\":\"2019.1.22\",\"matchCriteriaId\":\"52F0B5EB-D5F4-4423-8754-E9BCC3699305\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:tableau:tableau_server:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2019.2\",\"versionEndIncluding\":\"2019.2.18\",\"matchCriteriaId\":\"56EB08BB-13A4-49C9-8928-DFD0DFA8D4AE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:tableau:tableau_server:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2019.3\",\"versionEndIncluding\":\"2019.3.14\",\"matchCriteriaId\":\"4401C018-6851-4211-83B1-E5595A746116\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:tableau:tableau_server:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2019.4\",\"versionEndIncluding\":\"2019.4.13\",\"matchCriteriaId\":\"EFC0F0E8-FEB5-45AB-9D12-5592549E9408\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:tableau:tableau_server:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2020.1\",\"versionEndIncluding\":\"2020.1.10\",\"matchCriteriaId\":\"06E3D4C4-6466-420B-AF73-4C2964D3F0A7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:tableau:tableau_server:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2020.2\",\"versionEndIncluding\":\"2020.2.7\",\"matchCriteriaId\":\"DCE3600B-1D06-4A80-919D-32E2DA3ABFC0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:tableau:tableau_server:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2020.3\",\"versionEndIncluding\":\"2020.3.2\",\"matchCriteriaId\":\"C60C48CC-A038-4AA3-95EE-045AB2F6D047\"}]}]}],\"references\":[{\"url\":\"https://help.salesforce.com/articleView?id=000355686\u0026type=1\u0026mode=1\",\"source\":\"security@salesforce.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://help.salesforce.com/articleView?id=000355686\u0026type=1\u0026mode=1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.