Katie_Davis
Digital Support
Security Fixes in Qlik GeoAnalytics server

Executive Summary

A number of security issues in Qlik GeoAnalytics Server have been identified and patched. If successfully exploited, these issues could lead to unauthorized information disclosure from the server running GeoAnalytics or unauthorized client-side code running in the context of users.

These issues were found as part of the Qlik secure engineering program and no reports of them being exploited have been received.

Affected Software

All Qlik GeoAnalytics server versions prior to these releases are impacted:

  • May 2022 SR1
  • February 2022 SR1
  • November 2021 SR4
  • May 2021 SR3
  • February 2021 SR3
  • November 2020 SR3
  • September 2020 SR3
  • June 2020 SR3

Severity Rating

Three vulnerabilities are rated as high due to the possibility of information disclosure impacting the server running GeoAnalytics. One is rated as medium as it allows client-side script injection. See below for the scoring breakdown.

Vulnerability Details

QB-10651 - Path traversal vulnerability in GeoAnalytics Server
Severity: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (7.5 High)

Due to improper validation of user-supplied input, a malicious user may be able to access files on the server that they should not have access to.

QB-10518 - Server Side Request Forgery (SSRF) in Maps
Severity: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N (7.6 High)

Due to improper validation of user-supplied input, a user may be able to access resources within the network in the context of the service account running the GeoAnalytics service.

QB-10519 - JavaScript Injection in Maps
Severity: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N (7.5 High)

Due to improper validation of user-supplied input, a malicious user may be able to inject client-side scripts that are run in the context of another user.

QB-10517 - Reflected Cross-site Scripting (XSS)
Severity: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N (5.8 Medium)

Due to improper validation of user-supplied input, an attacker may be able to craft a URL which, if another user visits it, causes client-side scripts to run in the context of that user.

Resolution / Recommendation

It is recommended to upgrade Qlik GeoAnalytics server to a version containing fixes. The first versions with the fixes are:

  • May 2022 SR1
  • February 2022 SR1
  • November 2021 SR4
  • May 2021 SR3
  • February 2021 SR3
  • November 2020 SR3
  • September 2020 SR3
  • June 2020 SR3

All Qlik software can be downloaded from our official Qlik Download page (customer login required).
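The affected list above reads "prior to these releases" per release line: in each line, the initial release and every service release before the first fixed SR are affected. The following is an added example (not Qlik's code) that encodes the advisory's fix list and classifies an installed version label such as "November 2021 SR3"; treating an unsuffixed initial release as SR0 and anything in a release line older than June 2020 as affected are assumptions drawn from the wording above.

```python
import re

# Added example, not Qlik's code. Maps each Qlik GeoAnalytics Server release
# line (year, month) to the first service release in that line that contains
# the fixes, as listed in the advisory. An initial release with no SR suffix
# is treated as SR0 (assumption).
FIRST_FIXED_SR = {
    (2022, 5): 1,   # May 2022 SR1
    (2022, 2): 1,   # February 2022 SR1
    (2021, 11): 4,  # November 2021 SR4
    (2021, 5): 3,   # May 2021 SR3
    (2021, 2): 3,   # February 2021 SR3
    (2020, 11): 3,  # November 2020 SR3
    (2020, 9): 3,   # September 2020 SR3
    (2020, 6): 3,   # June 2020 SR3
}
OLDEST_LISTED_LINE = min(FIRST_FIXED_SR)  # (2020, 6)

MONTHS = ["january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"]

_VERSION_RE = re.compile(r"^\s*([A-Za-z]+)\s+(\d{4})(?:\s+SR\s*(\d+))?\s*$",
                         re.IGNORECASE)


def parse_version(text):
    """Parse a label such as 'November 2021 SR3' into (year, month, sr)."""
    m = _VERSION_RE.match(text)
    if not m or m.group(1).lower() not in MONTHS:
        raise ValueError(f"unrecognised GeoAnalytics version label: {text!r}")
    year, month = int(m.group(2)), MONTHS.index(m.group(1).lower()) + 1
    sr = int(m.group(3)) if m.group(3) else 0
    return year, month, sr


def classify(text):
    """Return 'affected', 'fixed' or 'not covered' for an installed version.

    Within a listed release line, every SR below the first fixed SR is
    affected. A line older than the oldest listed line is affected too, since
    the advisory covers all earlier versions. A line that is not listed and
    not older than June 2020 is outside the scope of this advisory.
    """
    year, month, sr = parse_version(text)
    line = (year, month)
    if line in FIRST_FIXED_SR:
        return "affected" if sr < FIRST_FIXED_SR[line] else "fixed"
    if line < OLDEST_LISTED_LINE:
        return "affected"
    return "not covered"
```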

Comments
AdamJohnson
Partner - Contributor II

Can you please elaborate on the vulnerable versions, as the wording here is a bit ambiguous when you say "versions prior to these releases"?

For November 2021 SR4, does that mean November 2021 SR1-3 are all vulnerable?

Sonja_Bauernfeind
Digital Support

Hello @AdamJohnson 

Versions prior to them will be affected, yes. So SR4 indicates prior SRs are affected (initial release to SR3, etc).

All the best,
Sonja 

Version history
Last update: 2022-07-05 08:48 AM