CVE-2019-15637

CVE Published	2019-08-26
Related CWE(s)	CWE-611: Improper Restriction of XML External Entity Reference
Related Vendor(s)	tableau
Related Product(s)	tableau_reader, tableau_public_desktop, tableau_desktop, tableau_server
CVSS 3 Base Score	7.1 (HIGH)
CVSS 3 Attack Complexity	LOW
CVSS 3 Attack Vector	NETWORK

Numerous Tableau products are vulnerable to XXE via a malicious workbook, extension, or data source, leading to information disclosure or a DoS. This affects Tableau Server, Tableau Desktop, Tableau Reader, and Tableau Public Desktop.

Cyber Threat Graph Context

Explore how this CVE relates to the wider threat graph

Threat Reports Related to CVE-2019-15637

Report

North Korea Cyber Group Conducts Global Espionage Campaign to Advance Regime’s Military and Nuclear Programs

This cybersecurity advisory from the U.S. Federal Bureau of Investigation (FBI) and its partners, highlights the cyber espionage activities of the ...

View Source

Associated CAPEC Patterns

Data Serialization External Entities Blowup (CAPEC-221)

This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.

References

CVE.org

View more information about CVE-2019-15637 on the official MITRE CVE website.

NIST National Vulnerability Database

CVE-2019-15637 on the NIST NVD.