article High Severity Security fix for QlikView (CVE-2024-29863) in Official Support Articles https://community.qlik.com/t5/Official-Support-Articles/High-Severity-Security-fix-for-QlikView-CVE-2024-29863/ta-p/2432661 <H3><FONT color="#339966"><STRONG>Executive Summary </STRONG></FONT></H3> <P>A security issue in QlikView has been identified and patches have been made available. In both cases, a user with existing access to the Windows environment running QlikView or the QlikView plugin may be able to escalate their privileges to that of Administrator.</P> <P>The issue was identified and responsibly reported to Qlik by Pawel Karwowski and Julian Horoszkiewicz from Eviden Red Team.</P> <P>Qlik has received no reports of these vulnerabilities being exploited maliciously.</P> <H3><FONT color="#339966"><STRONG>Affected Software</STRONG></FONT></H3> <P><SPAN data-contrast="auto">All versions of QlikView </SPAN><STRONG><SPAN data-contrast="auto">prior</SPAN></STRONG><SPAN data-contrast="auto"> to and including the following releases are impacted:</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <UL class="lia-list-style-type-circle"> <LI data-leveltext="" data-font="Symbol" data-listid="3" data-list-defn-props="{&quot;335552541&quot;:1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><SPAN data-contrast="auto">QlikView May 2023 SR1 (12.80.20100)</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="3" data-list-defn-props="{&quot;335552541&quot;:1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><SPAN data-contrast="auto">QlikView May 2022 SR2 (12.70.20200)</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> </UL> <H3><STRONG><FONT color="#339966">Vulnerability Details</FONT></STRONG></H3> <P><SPAN class="TextRun SCXW240626617 BCX0" data-contrast="none"><SPAN class="NormalTextRun SCXW240626617 BCX0"><FONT color="#339966"><STRONG><SPAN class="ui-provider a b c d e f g h i j k l m n o p q r s t u v w x y z ab ac ae af ag ah ai aj ak">CVE-2024-29863</SPAN></STRONG></FONT> (QV-25113)&nbsp;</SPAN></SPAN><SPAN class="EOP SCXW240626617 BCX0" data-ccp-props="{&quot;201341983&quot;:0,&quot;335557856&quot;:16777215,&quot;335559739&quot;:225,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><FONT color="#339966"><STRONG><SPAN data-contrast="none">Severity:</SPAN></STRONG></FONT><SPAN data-contrast="none"> CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H </SPAN><STRONG><SPAN data-contrast="none">(7.8 High)</SPAN></STRONG><SPAN data-contrast="none">&nbsp;</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335557856&quot;:16777215,&quot;335559739&quot;:225,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P class="lia-indent-padding-left-30px"><SPAN data-contrast="none">A race condition exists in the QlikView installer executable that may allow an existing lower privileged user to cause code to be executed in the context of a Windows Administrator.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559685&quot;:720,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <H3><FONT color="#339966"><STRONG>Resolution</STRONG></FONT></H3> <H4><FONT color="#339966"><STRONG>Recommendation</STRONG></FONT></H4> <P>Customers should upgrade QlikView to a version containing fixes for these issues. Fixes are available for the following versions:</P> <UL class="lia-list-style-type-circle"> <LI>QlikView May 2023 SR2 (12,80.20200)</LI> <LI>QlikView May 2022 SR3 (12.70.20300)</LI> </UL> <H3><STRONG><FONT color="#339966">Credits</FONT></STRONG></H3> <P>Pawel Karwowski and Julian Horoszkiewicz from Eviden Red Team.</P> Thu, 21 Mar 2024 15:02:22 GMT Sonja_Bauernfeind 2024-03-21T15:02:22Z High Severity Security fix for QlikView (CVE-2024-29863) https://community.qlik.com/t5/Official-Support-Articles/High-Severity-Security-fix-for-QlikView-CVE-2024-29863/ta-p/2432661 <H3><FONT color="#339966"><STRONG>Executive Summary </STRONG></FONT></H3> <P>A security issue in QlikView has been identified and patches have been made available. In both cases, a user with existing access to the Windows environment running QlikView or the QlikView plugin may be able to escalate their privileges to that of Administrator.</P> <P>The issue was identified and responsibly reported to Qlik by Pawel Karwowski and Julian Horoszkiewicz from Eviden Red Team.</P> <P>Qlik has received no reports of these vulnerabilities being exploited maliciously.</P> <H3><FONT color="#339966"><STRONG>Affected Software</STRONG></FONT></H3> <P><SPAN data-contrast="auto">All versions of QlikView </SPAN><STRONG><SPAN data-contrast="auto">prior</SPAN></STRONG><SPAN data-contrast="auto"> to and including the following releases are impacted:</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <UL class="lia-list-style-type-circle"> <LI data-leveltext="" data-font="Symbol" data-listid="3" data-list-defn-props="{&quot;335552541&quot;:1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><SPAN data-contrast="auto">QlikView May 2023 SR1 (12.80.20100)</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="3" data-list-defn-props="{&quot;335552541&quot;:1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><SPAN data-contrast="auto">QlikView May 2022 SR2 (12.70.20200)</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> </UL> <H3><STRONG><FONT color="#339966">Vulnerability Details</FONT></STRONG></H3> <P><SPAN class="TextRun SCXW240626617 BCX0" data-contrast="none"><SPAN class="NormalTextRun SCXW240626617 BCX0"><FONT color="#339966"><STRONG><SPAN class="ui-provider a b c d e f g h i j k l m n o p q r s t u v w x y z ab ac ae af ag ah ai aj ak">CVE-2024-29863</SPAN></STRONG></FONT> (QV-25113)&nbsp;</SPAN></SPAN><SPAN class="EOP SCXW240626617 BCX0" data-ccp-props="{&quot;201341983&quot;:0,&quot;335557856&quot;:16777215,&quot;335559739&quot;:225,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><FONT color="#339966"><STRONG><SPAN data-contrast="none">Severity:</SPAN></STRONG></FONT><SPAN data-contrast="none"> CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H </SPAN><STRONG><SPAN data-contrast="none">(7.8 High)</SPAN></STRONG><SPAN data-contrast="none">&nbsp;</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335557856&quot;:16777215,&quot;335559739&quot;:225,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P class="lia-indent-padding-left-30px"><SPAN data-contrast="none">A race condition exists in the QlikView installer executable that may allow an existing lower privileged user to cause code to be executed in the context of a Windows Administrator.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559685&quot;:720,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <H3><FONT color="#339966"><STRONG>Resolution</STRONG></FONT></H3> <H4><FONT color="#339966"><STRONG>Recommendation</STRONG></FONT></H4> <P>Customers should upgrade QlikView to a version containing fixes for these issues. Fixes are available for the following versions:</P> <UL class="lia-list-style-type-circle"> <LI>QlikView May 2023 SR2 (12,80.20200)</LI> <LI>QlikView May 2022 SR3 (12.70.20300)</LI> </UL> <H3><STRONG><FONT color="#339966">Credits</FONT></STRONG></H3> <P>Pawel Karwowski and Julian Horoszkiewicz from Eviden Red Team.</P> Thu, 21 Mar 2024 15:02:22 GMT https://community.qlik.com/t5/Official-Support-Articles/High-Severity-Security-fix-for-QlikView-CVE-2024-29863/ta-p/2432661 Sonja_Bauernfeind 2024-03-21T15:02:22Z Re: High Severity Security fix for QlikView (CVE-pending) https://community.qlik.com/t5/Official-Support-Articles/High-Severity-Security-fix-for-QlikView-CVE-2024-29863/tac-p/2432777#M13548 <P><SPAN>For discussions and questions, comment directly on the&nbsp;</SPAN><A href="https://community.qlik.com/t5/Support-Updates/QlikView-New-Security-Patches-Available-Now/ba-p/2432671" target="_blank" rel="noopener">related blog post</A><SPAN>.&nbsp; We will be monitoring it. Thank you!</SPAN></P> Wed, 20 Mar 2024 11:58:37 GMT https://community.qlik.com/t5/Official-Support-Articles/High-Severity-Security-fix-for-QlikView-CVE-2024-29863/tac-p/2432777#M13548 Sonja_Bauernfeind 2024-03-20T11:58:37Z