Postgres vulnerability CVE-2024-4215 & CVE-2024-4... - Qlik Community

amarvilass

Hi All,

We are currently on May 2023 Patch10 version with Postgres12.

Understand from our security team that there are the below two vulnerabilities for Postgres

Cross-Site Scripting Vulnerability (CVE-2024-4216)

This vulnerability exists in pgAdmin, specifically inside the /settings/store API response json payload. Exploiting this vulnerability could allow a threat actor to execute malicious script on the client end and steal sensitive cookies.

Multi-Factor Authentication Bypass (CVE-2024-4215)

This vulnerability affects pgAdmin, which could allow a threat actor to bypass multi-factor authentication on affected versions.

Is anyone aware if it affect Qlik Sense enterprise on windows?

Thanks & Regards

Amar Shedage

David_Friend

@amarvilass what specific version of Postgres are you using and is it bundled/unbundled?

amarvilass

Hi @David_Friend

It is the bundled version postgres 12.5 that comes with default with the old version Feb 2022 version.

Thanks & Regards

Amar

Maria_Halley

@amarvilass

It looks like this vulnerability only affects PgAdmin. PgAdmin is not installed by Qlik. It is only used if you do changes in the database.

amarvilass

Thanks @Maria_Halley

The reason I was checking this is to resolve an issue with Qlik due to a custom properties being duplicated and injected multiple times after Qlik upgrade. This issue causes the jobs to fail even though the status reflect as successful. The job failure is causing the AD sync job to fail and not add new users. The solution to this lies in the below link

https://community.qlik.com/t5/Official-Support-Articles/Qlik-Sense-on-premise-reloads-fail-with-Warn...

The solution proposed from Qlik needs the PgAdmin to be used to remove the duplicate properties. Will you be able to suggest if this will cause any issue?

Thanks & Regards

Amar

Postgres vulnerability CVE-2024-4215 & CVE-2024-4216

Security