CVE-2025-52450: 
Tableau Server vulnerability analysis and mitigation

An Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability was discovered in Salesforce Tableau Server affecting both Windows and Linux platforms. The vulnerability (CVE-2025-52450) specifically impacts the tabdoc API's create-data-source-from-file-upload modules. This security flaw affects Tableau Server versions before 2025.1.3, before 2024.2.12, and before 2023.3.19 (NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium severity) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. The attack vector is network-based (AV:N) with low attack complexity (AC:L), requiring low privileges (PR:L) and no user interaction (UI:N). The scope is unchanged (S:U), with high impact on confidentiality (C:H) but no impact on integrity (I:N) or availability (A:N) (AttackerKB).

The vulnerability allows attackers to perform Absolute Path Traversal, potentially leading to unauthorized access to files and directories on the affected system. The high confidentiality impact indicates that attackers could potentially access sensitive information stored on the server (Security Online).

Salesforce has released patches to address this vulnerability. Organizations are strongly advised to upgrade to the latest supported versions: Tableau Server 2025.1.4 or later, 2024.2.13 or later, or 2023.3.20 or later (Security Online).