Security Fixes in Qlik GeoAnalytics server

Katie_Davis
Digital Support

Last Update:

Jul 5, 2022 8:48:12 AM

Updated By:

Sonja_Bauernfeind

Created date:

Jun 23, 2022 1:05:29 PM

Executive Summary

A number of security issues in Qlik GeoAnalytics Server have been identified and patched. If successfully exploited, these issues could lead to unauthorized information disclosure from the server running GeoAnalytics or unauthorized client-side code running in the context of users.

These issues were found as part of the Qlik secure engineering program and no reports of them being exploited have been received.

Affected Software

All Qlik GeoAnalytics server versions prior to these releases are impacted:

  • May 2022 SR1
  • February 2022 SR1
  • November 2021 SR4
  • May 2021 SR3
  • February 2021 SR3
  • November 2020 SR3
  • September 2020 SR3
  • June 2020 SR3

Severity Rating

Three vulnerabilities are rated as high due to the possibility of information disclosure impacting the server running GeoAnalytics. One is rated as medium as it allows client-side script injection. See below for the scoring breakdown.

Vulnerability Details

QB-10651 - Path traversal vulnerability in GeoAnalytics Server
Severity: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (7.5 High)

Due to improper validation of user-supplied input, a malicious user may be able to access files on the server that they should not have access to.
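The advisory does not publish the affected code path, so the following is an added, generic illustration of the check that closes this class of defect; it is not Qlik code. It joins a user-supplied relative path onto a fixed base directory and accepts the result only if, after normalisation, it still lies inside that directory. The base directory name and the sample inputs are constructed for the example.

```python
from pathlib import Path
from typing import Optional

# Constructed base directory; stands in for whatever directory a file-serving
# endpoint is meant to expose. Nothing outside it should be reachable.
BASE_DIR = Path("/srv/geo/data")


def resolve_under_base(user_path: str, base: Path = BASE_DIR) -> Optional[Path]:
    """Map a user-supplied relative path onto the filesystem, but only if the
    result stays inside `base`. Returns None for anything that escapes.

    Assumes the web layer has already URL-decoded `user_path` exactly once;
    decoding again here would re-introduce double-encoding bypasses."""
    # NUL bytes truncate paths in C-based filesystem calls; absolute paths
    # would ignore `base` entirely. Both are rejected before any joining.
    if "\x00" in user_path or user_path.startswith(("/", "\\")):
        return None
    # Treat backslashes as separators too, so "..\\" cannot slip past a check
    # that only understands "../".
    joined = base / user_path.replace("\\", "/")
    # resolve() collapses "." and ".." segments and follows any symlinks that
    # exist, giving the path the OS would actually open.
    candidate = joined.resolve(strict=False)
    base_resolved = base.resolve(strict=False)
    # Containment check on path components, not string prefixes:
    # "/srv/geo/data2" starts with "/srv/geo/data" but is not inside it.
    try:
        candidate.relative_to(base_resolved)
    except ValueError:
        return None
    return candidate


def is_safe(user_path: str) -> bool:
    """Convenience predicate for allow/deny logging decisions."""
    return resolve_under_base(user_path) is not None


if __name__ == "__main__":
    # Constructed inputs: the first is legitimate, the rest attempt to escape.
    for p in ["regions/sweden.geojson", "../../etc/passwd",
              "regions/../../etc/passwd", "/etc/passwd", "..\\..\\secret.txt",
              "../data2/x.txt"]:
        print(f"{p!r:32} -> {'allow' if is_safe(p) else 'deny'}")
```

The decisive step is comparing resolved paths component-wise rather than filtering the input string for `..`; string filters are what attackers route around with alternate separators and encodings, whereas a containment check on the resolved path does not care how the input was spelled.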

QB-10518 - Server Side Request Forgery (SSRF) in Maps
Severity: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N (7.6 High)

Due to improper validation of user-supplied input, a user may be able to access resources within a network in the context of the service account running the GeoAnalytics service.
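As an added example (not code from Qlik or from the advisory), the function below shows the destination validation a server should apply before fetching a URL that a user supplied: an allow-list of schemes, hosts and ports, rejection of embedded credentials, and rejection of literal addresses that are loopback, private, link-local or IPv4-mapped forms of those. The allow-listed host names are constructed for the example.

```python
import ipaddress
from typing import Optional
from urllib.parse import urlsplit

# Constructed allow-list: the only external services this component is
# supposed to fetch from. A real deployment would load this from configuration.
ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"tiles.example.com", "geocode.example.com"}
ALLOWED_PORTS = {None, 443}  # None means the scheme default


def validate_outbound_url(url: str) -> Optional[str]:
    """Return a rejection reason for a user-supplied URL the server would fetch,
    or None if it passes every check. Reasons are intended for server-side logs."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return "scheme not allowed"
    if parts.username is not None or parts.password is not None:
        return "credentials in URL not allowed"
    host = parts.hostname  # lower-cased; brackets stripped from IPv6 literals
    if not host:
        return "missing host"
    try:
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return "invalid port"
    if port not in ALLOWED_PORTS:
        return "port not allowed"
    # Literal IP addresses: refuse anything that is not globally routable
    # (loopback, RFC 1918, link-local, unique-local, ...). IPv4-mapped IPv6
    # literals are unwrapped first so "::ffff:127.0.0.1" is judged as 127.0.0.1.
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        if not ip.is_global:
            return "non-public address"
    # Whatever survived must still be an explicitly allowed destination.
    if host not in ALLOWED_HOSTS:
        return "host not in allow-list"
    return None


if __name__ == "__main__":
    # Constructed sample URLs: one acceptable, the others rejected for different reasons.
    for u in ["https://tiles.example.com/7/68/42.png", "http://tiles.example.com/",
              "https://127.0.0.1/", "https://[::ffff:10.0.0.5]/", "https://other.example.net/"]:
        print(f"{u:42} -> {validate_outbound_url(u) or 'ok'}")
```

Two things this check does not cover and the HTTP client must handle separately: a name in the allow-list is still resolved at request time, so the client should pin the resolved address and re-check it, and redirects must not be followed automatically, since a redirect target is a new destination that has not been validated.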

QB-10519 - JavaScript Injection in Maps
Severity: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N (7.5 High)

Due to improper validation of user-supplied input, a malicious user may be able to inject client-side scripts that are run in the context of another user.

QB-10517 - Reflected Cross-site Scripting (XSS)
Severity: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N (5.8 Medium)

Due to improper validation of user-supplied input, an attacker may be able to craft a URL, which if another user visits, causes client-side scripts to be run in the context of that user.
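QB-10519 and QB-10517 are both cases of user-controlled text reaching a browser without being encoded for the context it lands in. As an added example (not code from Qlik or from the advisory), the snippet below renders a small page that places one user-supplied value into an HTML attribute and into a JavaScript string, encoding it differently for each context so that the value can never terminate the attribute, the script element or the string literal. The page layout, parameter names and sample input are constructed for the example.

```python
import html
import json


def for_html_text(value: str) -> str:
    """Encode for an HTML text node or a double-quoted attribute value.
    quote=True also encodes the quote characters, which is what keeps the
    value from closing the attribute it sits in."""
    return html.escape(value, quote=True)


def for_js_string(value: str) -> str:
    """Encode for embedding inside a <script> block as a JS string literal.
    json.dumps handles quotes, backslashes and control characters; '<' and '>'
    are additionally written as \\u escapes so the HTML parser never sees a
    '</script' sequence inside the literal."""
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")


def render_map_page(layer_name: str, search_term: str) -> str:
    """Build the page with every dynamic value passed through the encoder for
    its own context. Only the static template contributes markup."""
    return (
        "<!doctype html><html><head><title>"
        + for_html_text(layer_name)
        + "</title></head><body>"
        + '<input type="text" name="q" value="' + for_html_text(search_term) + '">'
        + "<script>var q = " + for_js_string(search_term) + ";</script>"
        + "</body></html>"
    )


if __name__ == "__main__":
    # Constructed input of the shape that reflected XSS relies on: it tries to
    # close the attribute and start a script element.
    print(render_map_page("<b>Layer</b>", '"><script>x</script>'))
```

The rule the example embodies is that encoding is chosen by output context, not by input source: the same search term needs HTML entity encoding in the attribute and JavaScript string encoding in the script block, and applying one encoder in both places leaves one of the two contexts exposed.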

Resolution / Recommendation

It is recommended to upgrade Qlik GeoAnalytics server to a version containing fixes. The first versions with the fixes are:

  • May 2022 SR1
  • February 2022 SR1
  • November 2021 SR4
  • May 2021 SR3
  • February 2021 SR3
  • November 2020 SR3
  • September 2020 SR3
  • June 2020 SR3

All Qlik software can be downloaded from our official Qlik Download page (customer login required).

Comments
AdamJohnson
Partner - Contributor III

Can you please elaborate on the vulnerable versions, as the wording here is a bit ambiguous when you say “versions prior to these releases”?

For November 2021 SR4, does that mean November 2021 SR1-3 are all vulnerable?

Sonja_Bauernfeind
Digital Support

Hello @AdamJohnson 

Versions prior to them will be affected, yes. So SR4 indicates prior SRs are affected (initial release to SR3, etc).

All the best,
Sonja 
