CVE-2025-52451
📋 TL;DR
An improper input validation vulnerability in Salesforce Tableau Server allows attackers to perform absolute path traversal through the tabdoc API's create-data-source-from-file-upload modules. This enables unauthorized file system access on affected Tableau Server instances. Organizations running vulnerable versions of Tableau Server on Windows or Linux are affected.
💻 Affected Systems
- Salesforce Tableau Server
📦 What is this software?
Tableau Server is Salesforce's self-hosted business intelligence and analytics platform. It runs on Windows or Linux and lets users publish, share, and query data sources and dashboards; the file-upload path named in this CVE is one of the ways data sources get onto the server.
⚠️ Risk & Real-World Impact
Worst Case
Attackers could read, modify, or delete sensitive system files, potentially leading to complete system compromise, data exfiltration, or service disruption.
Likely Case
Unauthorized access to sensitive configuration files, source data files, or credential storage, potentially enabling further attacks or data theft.
If Mitigated
Limited impact due to proper file system permissions, network segmentation, and access controls preventing exploitation.
🎯 Exploit Status
Exploitation requires access to the vulnerable API endpoint, which typically requires authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2025.1.3, 2024.2.12, or 2023.3.19
Vendor Advisory: https://help.salesforce.com/s/articleView?id=005132575&type=1
Restart Required: Yes
Instructions:
1. Download the appropriate patched version from Salesforce Tableau downloads.
2. Follow Tableau Server upgrade procedures for your version.
3. Apply the patch and restart Tableau Server services.
🔧 Temporary Workarounds
Restrict API Access
Limit network access to the tabdoc API endpoints using firewall rules or network segmentation.
File System Permissions Hardening
Apply strict file system permissions to limit Tableau Server's access to sensitive directories.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Tableau Server from sensitive systems.
- Apply principle of least privilege to Tableau Server service accounts and file system permissions.
🔍 How to Verify
Check if Vulnerable:
Compare the running Tableau Server version against the patched release for its branch: any 2025.1.x build earlier than 2025.1.3, any 2024.2.x build earlier than 2024.2.12, and any 2023.3.x build earlier than 2023.3.19 is affected. Versions on other branches are not named in the patch list above; check the vendor advisory for their status rather than assuming they are safe.
Check Version:
Run tsm version from a shell on a Tableau Server node, or read the server version shown in the Tableau Server Administrator UI.
Verify Fix Applied:
Confirm with tsm version that the reported version is 2025.1.3, 2024.2.12, or 2023.3.19, or a later patch release on the same branch.
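The version comparison above is easy to get wrong by hand because "or later" only applies within a branch (2024.2.11 is vulnerable even though it is numerically "newer" than 2023.3.19). The following is an added example, not Tableau or Salesforce code, that classifies a version string per branch. It assumes that `tsm version` prints a version of the form YYYY.minor.patch somewhere in its output; the surrounding text is not relied on.

```python
"""Classify a Tableau Server version against the CVE-2025-52451 fixed releases.

Added example for this advisory; not vendor code.
Assumption: `tsm version` output contains a YYYY.minor.patch version string.
"""
import re
import subprocess

# Patched release per maintained branch, taken from the fix section above.
FIXED_PATCH = {
    (2025, 1): 3,
    (2024, 2): 12,
    (2023, 3): 19,
}

# Match a 4-digit year version like 2024.2.11 but not a build number like 20242.24.0110.
VERSION_RE = re.compile(r"(?<!\d)(\d{4})\.(\d+)\.(\d+)(?!\d)")


def parse_version(text):
    """Return (major, minor, patch) for the first YYYY.m.p found, or None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(g) for g in m.groups())


def classify(text):
    """Return 'vulnerable', 'fixed', 'unlisted' or 'unknown'.

    'unlisted' means the branch (e.g. 2024.3.x) is not one the advisory names;
    such builds must be checked against the vendor advisory, not assumed safe.
    """
    v = parse_version(text)
    if v is None:
        return "unknown"
    major, minor, patch = v
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        return "unlisted"
    return "fixed" if patch >= fixed else "vulnerable"


def check_local_server():
    """Run `tsm version` on this host and classify its output."""
    try:
        out = subprocess.run(["tsm", "version"], capture_output=True,
                             text=True, check=False).stdout
    except FileNotFoundError:
        return "unknown"  # tsm not on PATH: not a Tableau Server node
    return classify(out)


if __name__ == "__main__":
    # Constructed sample standing in for real `tsm version` output.
    sample = "Tableau Server version: 2024.2.11"
    print(parse_version(sample), classify(sample))
```

Run `check_local_server()` on each node, or feed saved `tsm version` output to `classify()`; treat "unlisted" as a task to resolve against the advisory, not as a pass.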
📡 Detection & Monitoring
Log Indicators:
- Unusual file access patterns in Tableau Server logs
- Multiple failed or unusual API calls to tabdoc endpoints
Network Indicators:
- Unusual traffic to tabdoc API endpoints from unexpected sources
SIEM Query:
source="tableau_server" AND (api="tabdoc" OR endpoint="create-data-source-from-file-upload") AND status="200" AND file_path CONTAINS ".."
Note: this CVE is an absolute path traversal, so a successful request need not contain ".." at all. Also alert on file_path values that begin with "/" or a drive letter such as "C:\", on URL-encoded forms (%2e%2e, %2f, %5c), and do not restrict to status 200, since failed attempts reveal the same attacker.